Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1415
Views
15
Helpful
7
Replies

GETVPN Key Server

Hamada Ahmed
Level 1
Level 1

‎03-12-2022 11:00 AM

Is it possible to have a Router acting as Group Member and Key Server at same time?

Which means that HUB Router (HQ) can be HUB and key server in same time?

 

or better to have independent key server router?    

Labels:
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎03-12-2022 11:10 AM

As per CVD, they are should be separated all time each one does a different role.

 

The key server has two responsibilities: servicing registration requests and sending rekeys. A group member can register at any time and receive the most current policy and keys. When a group member registers with the key server, the key server verifies the group ID that the group member is attempting to join. If this ID is a valid group ID, the key server sends the SA policy to the group member. After the group member acknowledges that it can handle the downloaded policy, the key server downloads the respective keys.

 

you can find a good deployment guide :

 

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-GETVPNDesignGuide-AUG14.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Georg Pauwen
VIP
VIP

‎03-12-2022 11:33 AM

Hello ,

 

I do not think that is possible, since the key server does not use and install the IPSec SA. only the group members do.

0 Helpful

MHM Cisco World
VIP
VIP

‎03-12-2022 11:46 AM - edited ‎03-12-2022 12:39 PM

fdgljlgk.pngKey Server for GETVPN 
hub for what ? 
I remember your last post, the 4000 vpn and so you thing with tunnel-less VPN which is GETVPN. 

DMVPN vs GETVPN 
DMVPN can use if the Spoke know Hub IP and Hub learn all Spoke IP, DMVPN use mGRE which mean use multi GRE tunnel with single one tunnel config.
GETVPN use for only security. 

also you can check the flexVPN which give you DVTI and SVTI, DVTI single tunnel in Hub can connect as many as your all Site SVTI.

0 Helpful

Hamada Ahmed
Level 1
Level 1

‎03-13-2022 08:31 AM

I just want confirmation if Key server router can be implemented on GM Router Which is in HQ  , or KS should be independent?

 

MHM Cisco World
VIP
VIP
In response to Hamada Ahmed

‎03-13-2022 09:01 AM - edited ‎03-13-2022 09:07 AM

fdlgjdfl.pngKS must be router in HQ, 
All GM must have reached the KS but they don't need to reach each other. 

balaji.bandi
Hall of Fame
Hall of Fame
In response to Hamada Ahmed

‎03-13-2022 12:00 PM - edited ‎03-13-2022 01:29 PM

You can  can not mix as we mentioned already, they are different roles.  they need to be independent?

 

 

Note : Type issue corrected and edited

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Hamada Ahmed
Level 1
Level 1

‎03-13-2022 12:22 PM

my question is here because , looking for reducing Hardware

Hub router will be in DC and all branches will connect to it,

So I am looking to deploy KS in Hub router instead of deploying independent KS router to save cost.

0 Helpful
Customers Also Viewed These Support Documents