We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

451 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Corwyn,

    It shouldn’t matter too much that you use BGP. There is one issue with BGP/GETVPN where traffic can be get blackholed if a GM doesn’t receive keys. Take a look at this:


    Apparently, the “Routing Awareness for BGP” feature prevents this from happening but that’s something you should test.

    I think the answer depends on what “all traffic” exactly means. Is this about data from your LANs o

    ... Continue reading in our forum

  2. Hello Ray

    Rene explains the difficulties that IPsec presents when you have a multi site WAN deployment. Even with DMVPN, it is difficult and cumbersome to employ IPsec within such a WAN topology.

    The advantages of GETVPN will allow you to create a multi site WAN topology with a single IPsec SA, thus simplifying the implementation of IPsec into a multi site WAN topology.

    So examples for the use of GETVPN include all multi site WAN topologies that want to employ IPsec in a scalable manner. For example, a corporation with a DMVPN hub and spoke topology with multi

    ... Continue reading in our forum

  3. Hi everybody. I am trying to undestand the TEK and KEK lifetime.
    I copied the topology you explained and did extra change like this:

    KS1#show run | s crypto
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
     lifetime 86000
    crypto isakmp key MY_KEY address        
    crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac 
     mode tunnel
    crypto ipsec profile IPSEC_PROFILE
     **set security-association lifetime seconds 120**
     set transform-set TRANSFORM_SET 
    crypto gdoi group GDOI_GROUP
     identity number 123
     server local
      **rekey lifeti
    ... Continue reading in our forum

  4. Thanks for your reply. This is the output of the command show crypto gdoi ks policy

    KS1#show crypto gdoi ks policy
    Key Server Policy:
    For group GDOI_GROUP (handle: 2147483650) server (handle: 2147483650):
      # of teks : 3  Seq num : 1
      KEK POLICY (transport type : Unicast)
        spi : 0xCC24F40DCEA032105661C392ACB9A5E5
        management alg     : disabled    encrypt alg       : AES       
        crypto iv length   : 16          key size          : 32      
        orig life(sec): 360         remaining life(sec): 305       
        time to rekey (sec): 
    ... Continue reading in our forum

  5. excellent explanation , i already listen to brain from ine read cisco document i lose the concept… …but but …
    you are the best rene ,your language is easy easy & cover more in concepts in few words
    god safe you & we always trust you

8 more replies! Ask a question or join the discussion by visiting our Community Forum