01-03-2017 05:33 AM
I was wondering if anyone had any tips for replacing a GET VPN key server. It is set up in a high availability environment with two key servers at different locations. The secondary key server is running IOS version 12.4 and the new primary will be running 15.3. Just one of the key servers will be replaced at this time, as there are some IP addressing issues when we will be replacing the secondary.
Is it just replace the key server and let the rekey happen? If this is the case I would have to assume that all the GMs rekey at around the same time or there will be a communication problem. Or I would need to jump in on all the GMs to clear the VPN tunnel (which is what I am trying to avoid). Last time I replaced a key server this is what I had to do. I have exported the old RSA key and imported it to the new KS. Again, last time I did this the whole network went down due to mismatched SAs when the rekey happened and I had to manually go and clear the VPN on all the GMs (about 30). It is just a pain having to do that and
Any suggestions on how to do this with zero, or minimal, downtime and not too much administrative interference would be great.
Thanks.
01-03-2017 06:54 AM
A few questions to understand your environment better:
1) Are you replacing the primary or secondary KS?
2) Are all your GMs registered to the primary, or are they split up based on location? Do they all have access to both?
The reason I ask the above is that in a GETVPN environment, the primary KS always sends the rekey even though a GM registers to the secondary. So if the primary loses communication to the secondary but still has access to the GMs, this could cause both (since the secondary now assumes the primary role) to send rekeys, causing outages.
If you are removing the primary, then I would recommend you take it off the network completely immediately after a rekey (usually happens every 2 hours). Add the new KS to the network with the same RSA key and a lower priority. This will ensure that the new KS first takes over as the new secondary. Once this is done and everything is stable, remove the old secondary from the network and let the new router send one rekey if possible. If verified, then add the old secondary back as secondary with a lower priority than the new KS. During all this, connectivity between all KSs and GMs is required for complete functionality.
If it is the secondary you are removing, the process should be the same, just with no requirement to change priorities when adding the new secondary KS (only the same RSA key). Again, connectivity is essential for this to function.
Hope this helps.
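To make the procedure above concrete, here is an added IOS configuration example for the replacement KS; it is not from either poster and not from the original thread. The group name, identity number, RSA key label, IPsec profile, ACL and the 10.0.0.x addresses are assumptions chosen for illustration; the point is that the new KS carries the same RSA rekey key (imported from the old primary) and a lower `local priority` than the surviving secondary, so it joins as secondary and the surviving KS keeps sending rekeys without interruption.

```cisco
! --- On the OLD primary KS: export the RSA key used to sign rekeys ---
! (key label GETVPN-REKEY-RSA and the passphrase are assumptions)
crypto key export rsa GETVPN-REKEY-RSA pem terminal 3des ExportPassphrase

! --- On the NEW KS: import the same key before it touches the group ---
! The GMs only accept rekeys signed with this key, so it must match exactly.
crypto key import rsa GETVPN-REKEY-RSA pem exportable terminal ExportPassphrase

! --- On the NEW KS: group config, same as the old primary except priority ---
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-RSA
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 10.0.0.1
  redundancy
   ! Lower than the surviving secondary (assumed to run priority 100),
   ! so this box elects in as SECONDARY and does not start rekeying.
   local priority 50
   peer address ipv4 10.0.0.2

! --- Verification on the new KS before trusting it with a rekey ---
show crypto gdoi ks coop          ! expect role: Secondary, peer reachable
show crypto gdoi ks policy        ! TEK/KEK policy should match the peer
show crypto gdoi ks members       ! GMs appear as the COOP database syncs

! --- Later, once stable: raise priority so the new KS becomes primary ---
crypto gdoi group GETVPN-GROUP
 server local
  redundancy
   local priority 200

! --- Operator-triggered rekey (exec mode) to confirm GMs accept the key ---
crypto gdoi ks rekey
show crypto gdoi ks rekey
```

Raise the priority only after `show crypto gdoi ks coop` reports the COOP session as up and the policy database synchronised; changing priority while the peers are not talking is exactly the split-primary condition the post above warns about, where two KSs both send rekeys.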
01-04-2017 12:22 AM
1) I am replacing the primary KS
2) all GMs are registered with the primary KS
Doing what you suggest is not an option, as removing the secondary from the network is not possible at this point in time, which is why the secondary is not going to be replaced in the near future.
Is there any way to force or manually trigger a rekey on the KS?
01-06-2017 06:03 AM
You do not have to remove the secondary, just the primary. But when adding the new primary, add it with a lower priority so that it becomes the secondary. The old secondary will now take over the functionality of sending rekeys and all the GMs will only receive rekeys from it.
01-06-2017 02:12 AM
But how does GET VPN rekey work. Does the KS send rekey at the same time to all GMs or do the GMs get the rekey at different intervals?
01-06-2017 06:18 AM
GETVPN TEK rekeys are usually sent some time before the SA lifetime expiry. If you have TBAR enabled, the time period for the TEK rekey is every 2 hours. There is also another rekey to refresh the keys used to protect rekeys (KEK), which happens every 24 hours in a default config.
The primary KS rekeys all GMs at the same time. If a GM does not respond with an acknowledgement, it re-sends the rekey to that GM.
A good explanation of how rekeys work is given here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html#GUID-F3AA52B7-2B0D-4367-93B3-EAA0EAD0E983