GETVPN (CA server & KS on the same router)

Unanswered Question
Mar 16th, 2010
User Badges:


I am fairly new to GETVPN and I hit a brick wall at the moment. I am hoping somene will be able to help me...

In attachement I will put a visio of my design in which I want to enable GETVPN.

I want to enable GETVPN on my testnetwork but I want to perform ISAKMP authentication by using PKI in stead of pre-shared keys. And I want the GETVPN key server to be the CA server also (and the COOP KS must be the backup CA server but this I haven't tried yet as I don't manage the KS to be CA).

To dismiss any connectivity issues in advance: when I use pre-shared keys, GETVPN operates as it should.

Can someone point me towards a document that explains clearly how and why I have to configure certain things?

I used following documents already:

- GETVPN design & implementation guide.

- GET VPN solution deployment guide

- Configure and enroll a cisco router to another cisco router configured as CA server

However without success at this point.

I am looking for some pointers: What should I configure first? Why (so I can understand what I did/do wrong), What second, etc...

The core is MPLS

GETVPN works when using ISAKMP pre-shared keys

WAN adresses are not known to the Customer, so the GETVPN uses the LAN addresses to authenticate en encrypt (with the crypto map Customer1 local-address "LAN interface" comand).

Crypto map is applied to WAN interface (172.16.0.x)

I also tried to make it work on an easier network R1-----SW1----R2



But I did not manage to make it work like this either.

If you need more info, I'll be glad to provide you with this. (Configs I can not provide at this moment as I am not at my lab).



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Sybren.Apiecionek_2 Wed, 03/17/2010 - 07:34
User Badges:

I solved the issue, I am busy right now, but I will upload the configs once I have some free time.


This Discussion