GET VPN

Answered Question
Sep 11th, 2007

Hi,


We are trying to deploy GET (Group Encrypted Tunnel) VPN in our lab, and in the process of that, we were able to set up a key server and 2 group members. In addition to that, we would like to know whether it's possible to configure the key server as also a group member router.


Kindly let us know, if you have any answers related to it.


Thanking You


Regards

Anantha Subramanian Natarajan

Overall Rating: 4.8 (5 ratings)
anasubra_2 Wed, 09/12/2007 - 11:38

Hi Lars,


Thank you very much. Is there any roadmap for the same in the upcoming IOS? Kindly let me know if you are aware of that.


Thanks


Regards

Anantha Subramanian Natarajan

Correct Answer
gjstem Sun, 09/23/2007 - 20:22


I thought I heard it is in the roadmap.

I believe the limitation at some level helps to protect the architecture by requiring the usage of a dedicated router in this first release. In a production environment you would want to avoid any unnecessary additional load/features running on the key server that may negatively impact the critical key server functions.

anasubra_2 Sun, 09/23/2007 - 20:46

Hi Gistem,


Thank you very much for the answer


Regards

Anantha Subramanian Natarajan

Correct Answer
swainner Mon, 09/24/2007 - 08:13
User Badges: Cisco Employee

Indeed, we (Cisco) intentionally wanted to separate the KS from the GM functionality. One of the primary reasons is to avoid the data plane (ESP) from affecting the control plane (IKE/GDOI). By moving the control plane off of the data plane path, we're able to scale to larger networks. There's nothing to preclude you from running the KS on a very small platform in the lab (say an 1800).


Scott Wainner
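
The role split described in the reply above, shown as an added IOS configuration sketch (not posted by anyone in this thread, and not the lab configs mentioned later). The group name, identity number, key label, ACL, pre-shared key and the 192.0.2.x / 10.1.x.x addresses are constructed placeholders. The key server carries only the GDOI control plane (`server local`), while each group member points at it and applies a `gdoi` crypto map to its data-plane interface.

```text
! ===== Key server (KS): dedicated router, control plane only =====
! RSA key pair used to sign rekey messages (generate once on the KS)
crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.11
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic the group members must encrypt (policy is pushed from the KS)
ip access-list extended GETVPN-POLICY
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto gdoi group GETVPN-LAB
 identity number 1001
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
  address ipv4 192.0.2.1
! No "crypto map ... gdoi" on any KS interface: the KS is not a group member.

! ===== Group member (GM): separate router, data plane (ESP) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto gdoi group GETVPN-LAB
 identity number 1001
 server address ipv4 192.0.2.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-LAB
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

On the group member, `show crypto gdoi` reports the registration state and the policy downloaded from the key server.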

anasubra_2 Mon, 09/24/2007 - 12:45

Hi Scott,


Thanks... Great.


Regards

Anantha Subramanian Natarajan

guruprasadr Wed, 10/10/2007 - 04:53
anasubra_2 Wed, 10/10/2007 - 18:05

Hi Guru Prasad R,


I have sent the configs and a topology diagram for your reference. Let me know if you need any help on this which I would be able to help with.


Regards

Anantha Subramanian Natarajan

guruprasadr Wed, 10/10/2007 - 23:18

Hi Anantha Subramanian Natarajan,


I have rated your post.


I received your config and topology digs, and they were very helpful.


If I have any clarifications on the same, I will come back to you.


Thanks again for your help


Best Regards,


Guru Prasad R

anasubra_2 Thu, 10/11/2007 - 02:35

Hi Guru Prasad,


Thanks and no probs


Regards

Anantha Subramanian Natarajan

Correct Answer
swainner Wed, 10/10/2007 - 05:46
User Badges: Cisco Employee

The Key Server and Group Member functionality cannot be co-resident on the same platform.
