

Forum Replies

  1. Due to an audit we just had, we need to encrypt all traffic going out over MPLS. Should my ACL include the LANs and the BGP /30 network in the ACL on my MPLS router in the datacenter (which is acting as the KS)?
    In your lab you used OSPF but we’re running BGP. Is it better to use an IGP versus BGP?

  2. Hi Corwyn,

    It shouldn’t matter too much that you use BGP. There is one issue with BGP/GETVPN where traffic can get blackholed if a GM doesn’t receive keys. Take a look at this:


    Apparently, the “Routing Awareness for BGP” feature prevents this from happening but that’s something you should test.

    I think the answer depends on what “all traffic” exactly means. Is this about data from your LANs o

    ... Continue reading in our forum

  3. Rene,

    Can you provide some examples of the use cases of GETVPN?

  4. Hello Ray

    Rene explains the difficulties that IPsec presents when you have a multi site WAN deployment. Even with DMVPN, it is difficult and cumbersome to employ IPsec within such a WAN topology.

    The advantages of GETVPN will allow you to create a multi site WAN topology with a single IPsec SA, thus simplifying the implementation of IPsec into a multi site WAN topology.

    So examples for the use of GETVPN include all multi site WAN topologies that want to employ IPsec in a scalable manner. For example, a corporation with a DMVPN hub and spoke topology with multi

    ... Continue reading in our forum

  5. Hi everybody. I am trying to understand the TEK and KEK lifetime.
    I copied the topology you explained and made an extra change like this:

    KS1#show run | s crypto
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
     lifetime 86000
    crypto isakmp key MY_KEY address
    crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
     mode tunnel
    crypto ipsec profile IPSEC_PROFILE
     set security-association lifetime seconds 120
     set transform-set TRANSFORM_SET
    crypto gdoi group GDOI_GROUP
     identity number 123
     server local
      rekey lifeti
    ... Continue reading in our forum
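The blackholing mentioned in reply 2 and the TEK lifetime question in reply 5 come down to the same timing relationship: the KS must push a new TEK before the current one expires, and a GM that misses that rekey is left with no usable key once the old TEK's lifetime runs out. The following toy model is an added example, not code from the forum thread or from Cisco; it assumes a TEK lifetime of 120 seconds (the SA lifetime in the posted config) and an assumed 30-second rekey margin, and reports the seconds during which a GM has no valid TEK.

```python
from dataclasses import dataclass, field

TEK_LIFETIME = 120   # seconds; assumed to match the 120 s lifetime in the posted config
REKEY_MARGIN = 30    # assumed: KS pushes the next TEK this long before the current one expires


@dataclass
class Tek:
    """One traffic encryption key pushed by the KS; valid for TEK_LIFETIME seconds."""
    spi: int
    created: int

    def valid_at(self, now: int) -> bool:
        return self.created <= now < self.created + TEK_LIFETIME


@dataclass
class GroupMember:
    """A GM only holds the TEKs it actually received (via registration or rekey)."""
    name: str
    teks: list = field(default_factory=list)

    def receive_rekey(self, tek: Tek) -> None:
        self.teks.append(tek)

    def usable_teks(self, now: int) -> list:
        return [t for t in self.teks if t.valid_at(now)]


def ks_rekey_times(start: int, end: int) -> list:
    """Times at which the KS pushes a TEK: one at registration, then every
    (TEK_LIFETIME - REKEY_MARGIN) seconds so lifetimes overlap."""
    times, t = [start], start
    while t + TEK_LIFETIME - REKEY_MARGIN <= end:
        t += TEK_LIFETIME - REKEY_MARGIN
        times.append(t)
    return times


def blackhole_seconds(missed_rekeys: set, end: int = 400) -> list:
    """Seconds in [0, end) during which a GM that missed the given rekey
    pushes has no valid TEK, i.e. its group traffic is blackholed."""
    gm = GroupMember("GM1")  # constructed sample member
    for spi, t in enumerate(ks_rekey_times(0, end), start=1):
        if t not in missed_rekeys:
            gm.receive_rekey(Tek(spi, t))
    return [now for now in range(end) if not gm.usable_teks(now)]


if __name__ == "__main__":
    print("no missed rekeys :", len(blackhole_seconds(set())), "s blackholed")
    print("missed rekey @90 :", len(blackhole_seconds({90})), "s blackholed")
```

Missing a single rekey is survivable only while the previous TEK is still within its lifetime; once it expires the GM drops traffic until the next successful rekey or re-registration, which is why reachability between KS and GM (the "Routing Awareness for BGP" point above) matters more than the routing protocol itself.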
