09-26-2019 11:30 AM
Hello,
I just took over a GETVPN topology:
We use the KS as the CA server. GM5 is the CE in the HQ and establishes BGP peering with every branch through the VPLS network.
I have a few concepts that need clarifying:
1. If the KS has an issue with its certificate from the CA, will all branches be unable to access HQ, or can they still access HQ without data encryption?
2. If GM5 has an issue with its certificate from the CA, can the branches still establish BGP peering with HQ and access HQ?
3. We have KS2 in our DR site but we only enable the CA server on KS1 in the HQ. If CA+KS crash, can all GMs register with KS2 and access HQ before the certificate expires?
Thanks!
09-29-2019 06:02 AM
1. If the KS has an issue with its certificate from the CA, will all branches be unable to access HQ, or can they still access HQ without data encryption?
All branch offices will be able to access HQ until the next rekey is performed. If the problem still exists on the KS, then the rekey will fail.
2. If GM5 has an issue with its certificate from the CA, can the branches still establish BGP peering with HQ and access HQ?
Again, until there is a rekey, BGP will remain established. Once there is a rekey and the certificate problem still exists on GM5, all branch offices will not be able to reach HQ.
3. We have KS2 in our DR site but we only enable the CA server on KS1 in the HQ. If CA+KS crash, can all GMs register with KS2 and access HQ before the certificate expires?
As long as there is a valid certificate chain issued to KS2 and installed, and the coop configuration is up and running, the branch offices should be able to register with KS2.
10-09-2019 02:29 PM - edited 10-09-2019 02:31 PM
Let's say you are able to allocate a /16 subnet for the IPs of the GMs facing the VPLS network. For this discussion, let's say 10.255.0.0/16. Then you could have a standing exclusion for the GMs to enroll with the CA. If you plan on doing this on a per-site basis when a new site is introduced, then you would need to wait for a rekey to happen so the GMs download the new ACL, or force a rekey, and this will cause a short outage.
But, yes, you will need to exclude traffic from the GMs to the CA for certificate enrollment.
Another option would be to stage the configuration at your location, where you can install the certificate yourself over a closed network, and then send the router to the site.
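As an added illustration (not part of the reply above or of any Cisco reference configuration), this is what a standing exclusion for the 10.255.0.0/16 GM subnet looks like in the key server's IPsec policy ACL; the CA address 192.0.2.10, the ACL name and the group name are placeholders, and the deny entries are written in both directions because GMs apply the downloaded policy to inbound and outbound traffic.

```ios
! Policy ACL pushed from the KS to every GM.
! "deny" = send in the clear (here: GM <-> CA enrollment),
! "permit" = encrypt with the group SA.
ip access-list extended GETVPN-POLICY
 remark Placeholder CA address 192.0.2.10; GM VPLS-facing subnet 10.255.0.0/16
 deny   ip 10.255.0.0 0.0.255.255 host 192.0.2.10
 deny   ip host 192.0.2.10 10.255.0.0 0.0.255.255
 permit ip any any
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-POLICY
   replay time window-size 5
```

Existing GMs only pick the changed ACL up at the next rekey; `crypto gdoi ks rekey` on the KS pushes one immediately, with the short outage mentioned above.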
10-09-2019 11:41 AM
Hi @Marius Gunnerud ,
What do you think about this topology?
The CE of the VPLS in the HQ is a GM as well.
That means we will have a GETVPN in front of the GETVPN, right?
When we want to open a new branch, the VPLS CE of the new branch cannot establish a tunnel because it doesn't have a certificate from the CA. But the CE of the VPLS in the HQ is a GM, so it has GETVPN to encrypt data between each VPLS CE. So we need to use an ACL to exclude the traffic from the new CE in order to let the new branch get the certificate first. Is that correct?
Many Thanks,
Yiwei