28-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Configuring GET VPN Key Servers
Related Topics
Understanding IKE, page 25-5
Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18
Understanding Group Encrypted Transport (GET) VPNs, page 28-2
Configuring GET VPN, page 28-12
Configuring GET VPN Key Servers
Use the Key Servers policy to define key servers to be used by a GET VPN topology.
To open the Key Servers policy, in the Site-to-Site VPN Manager Window, select an existing GET VPN
topology, then select Key Servers from the Policies list.
The table lists the key servers used in the VPN, showing the device name, identity, priority, and
registration interface. For detailed information about these attributes, see Edit Key Server Dialog Box,
page 28-19.
To add a key server to the table, click the Add Row button and select the device from the list
presented. Only devices that can be included as key servers are shown.
To edit the characteristics of a key server, select it and click the Edit Row button. Fill in the Edit
Key Server dialog box (see Edit Key Server Dialog Box, page 28-19).
To delete a key server, select it and click the Delete Row button.
To synchronize the RSA keys among the key servers, so that they all use the identical key, click the
Synchronize Keys button. For detailed information about the key synchronization process,
including when and why you would do it, see Generating and Synchronizing RSA Keys, page 28-13.
To change the order of a key server when using cooperative key servers, select it and click the up or
down arrow button. This order does not define which server is the primary key server; that is
determined by the Priority value (the higher the value, the more likely the server is to be elected
the primary key server).
Instead, the order determines the default order in which group members will try to register with a
key server. Group members register with the first key server in the list. If the first key server cannot
be reached, group members register with the second key server, and so on. For more information
Table 28-2 Global Settings for GET VPN (Continued)
Element: IPsec Settings
Description: Select Enable Lifetime if you want to change the default lifetime settings for IPsec SAs.
You can configure a lifetime based on the volume of traffic (in kilobytes) between group members,
seconds, or both. The key expires when either of the values is reached. The defaults (which are
configured even if you do not select this option) are:
Lifetime (secs)—3600 seconds (one hour).
Lifetime (kbytes)—4,608,000 kilobytes.
Tip: You can override these values for the traffic encryption key when configuring a security
association. See Defining GET VPN Group Encryption, page 24-51 and Add New or Edit Security
Association Dialog Box, page 24-55.
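As an added example, not from the Cisco Security Manager guide: a Python audit helper that reads constructed IOS-style GDOI configuration text (syntax assumed, since this page shows only the Security Manager dialog) and reports which cooperative key server is most likely to be elected primary (highest Priority), the order in which a group member registers with fallback to the next reachable server, and any SA lifetime set longer than the Table 28-2 defaults.

```python
import re

# Defaults from Table 28-2: the SA expires when either value is reached
DEFAULT_LIFETIME_SECS = 3600
DEFAULT_LIFETIME_KB = 4_608_000

# Constructed sample configs in IOS-style GDOI syntax (assumed, not from the page):
# two cooperative key servers and one group member.
CONFIGS = {
    "KS1": ("crypto ipsec profile GDOI-PROFILE\n"
            " set security-association lifetime seconds 7200\n"
            "crypto gdoi group GETVPN\n server local\n  redundancy\n"
            "   local priority 100\n   peer address ipv4 10.1.1.2\n"),
    "KS2": ("crypto gdoi group GETVPN\n server local\n  redundancy\n"
            "   local priority 150\n   peer address ipv4 10.1.1.1\n"),
    "GM1": ("crypto gdoi group GETVPN\n identity number 1234\n"
            " server address ipv4 10.1.1.1\n server address ipv4 10.1.1.2\n"),
}

def key_server_priorities(configs):
    """Map each device carrying 'local priority' (a key server) to that value."""
    prios = {}
    for dev, text in configs.items():
        m = re.search(r"^\s*local priority (\d+)", text, re.M)
        if m:
            prios[dev] = int(m.group(1))
    return prios

def expected_primary(configs):
    """Highest Priority is the most likely primary (assumed: ties are not resolved here)."""
    prios = key_server_priorities(configs)
    return max(prios, key=prios.get)

def registration_order(gm_config):
    """Key servers in the order a group member tries them (the Key Servers list order)."""
    return re.findall(r"^\s*server address ipv4 (\S+)", gm_config, re.M)

def registration_target(order, reachable):
    """First reachable key server in list order, or None if none can be reached."""
    return next((ks for ks in order if ks in reachable), None)

def lifetime_findings(ks_config):
    """Flag SA lifetimes set longer than the defaults (a missing line means the default applies)."""
    findings = []
    for unit, default in (("seconds", DEFAULT_LIFETIME_SECS), ("kilobytes", DEFAULT_LIFETIME_KB)):
        m = re.search(rf"lifetime {unit} (\d+)", ks_config)
        if m and int(m.group(1)) > default:
            findings.append(f"lifetime {unit} {m.group(1)} exceeds default {default}")
    return findings
```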