We are trying to deploy GET (Group Encrypted Tunnel) VPN in our lab and, in the process of that, we were able to set up a key server and 2 group members. In addition to that, we would like to know whether it's possible to configure the key server as also a group member router.
Kindly let us know if you have any answers related to it.
Anantha Subramanian Natarajan
The Key Server and Group Member functionality cannot be co-resident on the same platform.
Indeed, we (Cisco) intentionally wanted to separate the KS from the GM functionality. One of the primary reasons is to avoid the data plane (ESP) from affecting the control plane (IKE/GDOI). By moving the control plane off of the data plane path, we're able to scale to larger networks. There's nothing to preclude you from running the KS on a very small platform in the lab (say an 1800).
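To illustrate the split described above (control plane on the key server, data plane on the group members), here is an added example of a minimal GET VPN configuration with the KS and a GM on separate IOS routers. This is not configuration from the thread or from Cisco; the group name, identity number, key label, ACL, addresses and pre-shared key are constructed placeholders, and the IKE policy is deliberately left generic.

```cisco
! ===== Key server (control plane only, dedicated router) =====
! IKE phase 1 between KS and GMs (constructed placeholder policy/key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
! RSA key pair used to sign rekey messages (generate with: crypto key generate rsa label GETVPN-REKEY)
!
! Traffic the group members will encrypt (constructed example subnets)
ip access-list extended GETVPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay counter window-size 64
  address ipv4 192.0.2.1
!
! No crypto map is applied to any KS interface: the KS never carries ESP.

! ===== Group member (data plane, separate router) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 crypto map GETVPN-MAP
```

The point to notice is that only the GM has a crypto map bound to a forwarding interface; the KS terminates IKE/GDOI registrations and pushes rekeys, but no encrypted data traffic transits it. `show crypto gdoi` on the KS and GM is the usual check that registration and rekey have completed.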
I thought I heard it is in the roadmap.
I believe the limitation at some level helps to protect the architecture by requiring the usage of a dedicated router in this first release. In a production environment you would want to avoid any unnecessary additional load/features running on the key server that may negatively impact the critical key server functions.