GET VPN

Answered Question
Sep 11th, 2007

Hi ,

We are trying to deploy GET(Group Encrypted Tunnel) VPN in our LAB and in the process of that, we were able to setup a key server and 2 group members. In addition to that, we would like to know, whether its possible to configure the key server as also a group memeber router.

Kindly let us know, if you have any answers related to it.

Thanking You

Regards

Anantha Subramanian Natarajan

I have this problem too.
0 votes
Correct Answer by swainner about 9 years 3 months ago

The Key Server and Group Member functionality cannot be co-resident on the same platform.

Correct Answer by swainner about 9 years 3 months ago

Indeed, we (Cisco) intentionally wanted to separate the KS from the GM functionality. One of the primary reasons is to avoid the data plane (ESP) from affecting the control plane (IKE/GDOI). By moving the control plane off of the data plane path, we're able to scale to larger networks. There's nothing to preclude you from running the KS on a very small platform in the lab (say an 1800).

Scott Wainner

Correct Answer by gjstem about 9 years 3 months ago

I thought I heard it is in the roadmap.

I believe the limitation at some level helps to protect the architecture by requiring the usage of a dedicated router in this first release. In a production environment you would want to avoid any uneccessary additional load/features running on the key server that may negatively impact the critical key server functions.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (5 ratings)
Loading.
anasubra_2 Wed, 09/12/2007 - 11:38

Hi Lars,

Thank you very much and is there any roadmap for the same in the upcomming IOS. Kindly let me know,if you are aware about that.

Thanks

Regards

Anantha Subramanian Natarajan

Correct Answer
gjstem Sun, 09/23/2007 - 20:22

I thought I heard it is in the roadmap.

I believe the limitation at some level helps to protect the architecture by requiring the usage of a dedicated router in this first release. In a production environment you would want to avoid any uneccessary additional load/features running on the key server that may negatively impact the critical key server functions.

anasubra_2 Sun, 09/23/2007 - 20:46

Hi Gistem,

Thank you very much for the answer

Regards

Anantha Subramanian Natarajan

Correct Answer
swainner Mon, 09/24/2007 - 08:13

Indeed, we (Cisco) intentionally wanted to separate the KS from the GM functionality. One of the primary reasons is to avoid the data plane (ESP) from affecting the control plane (IKE/GDOI). By moving the control plane off of the data plane path, we're able to scale to larger networks. There's nothing to preclude you from running the KS on a very small platform in the lab (say an 1800).

Scott Wainner

anasubra_2 Mon, 09/24/2007 - 12:45

Hi Scott,

Thanks .....Great.

Regards

Anantha Subramanian Natarajan

anasubra_2 Wed, 10/10/2007 - 18:05

Hi Guru Prasad R,

I have send the configs and a topology diagram for your reference. Let me know, If you need any help on this which I would be able to help

Regards

Anantha Subramanian Natarajan

guruprasadr Wed, 10/10/2007 - 23:18

HI Anantha Subramanian Natarajan,

Have Rated your POST.

I received your Config and Topology Digs and it was very helpful.

If i have any clarifications on the same, i will come back to you.

Thanks again for your help

Best Regards,

Guru Prasad R

anasubra_2 Thu, 10/11/2007 - 02:35

Hi Guru Prasad,

Thanks and no probs

Regards

Anantha Subramanian Natarajan

Correct Answer
swainner Wed, 10/10/2007 - 05:46

The Key Server and Group Member functionality cannot be co-resident on the same platform.

Actions

This Discussion