Sumit/Kingsley,
It doesn't matter which you generate it on; it just matters that they are the same. My personal opinion is it is just easier to remember to always use exportable keys, whether it be with Cisco CA or GetVPN. Then you don't have to remember when or when not to do it. Generalizing the rule is easier than remembering the exceptions. There are too many things to remember for the lab to remember every exception.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

_____

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Friday, May 07, 2010 11:05 AM
To: Sumit Mahla
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Getvpn Rekey authentication

Whatever key you have associated in the server GDOI of the primary should be exported to all the secondary servers.

On Fri, May 7, 2010 at 8:25 PM, Sumit Mahla <[email protected]> wrote:

According to your logic... I think we should only generate the exportable keys on the primary key server and import the keys to the secondary.... or what we can do is generate exportable keys on the secondary and import these on the primary...... but we cannot create the exportable keys on both and then import the keys on each other... I think this would confuse the device... Please correct me if I am wrong...

_____

Date: Fri, 7 May 2010 20:07:37 +0530
Subject: Re: [OSL | CCIE_Security] Getvpn Rekey authentication
From: [email protected]
To: [email protected]
CC: [email protected]

Yes, if you are going to use just one, then you don't require exportable keys. The logic is that GMs should authenticate the GDOI from any key servers and the public key downloaded from the KS. KS will encrypt the GDOI using its private key. Hence when one KS goes down the other should come up. Hence all KSs should use the same RSA keys. Hence, I think vice versa also should work, but I never tried it.

CCing OSL, so that others can correct any mistakes in my explanation and thus you don't get the wrong understanding :-)

With regards
Kings

On Fri, May 7, 2010 at 7:59 PM, Sumit Mahla <[email protected]> wrote:

OK... So if we have one KS then only non-exportable keys would work... and exportable keys would also work... Right? And if there are two servers... as you said, keys of the primary server must be imported on the secondary... so vice versa should also be applicable... right?

_____

Date: Fri, 7 May 2010 19:53:32 +0530
Subject: Re: [OSL | CCIE_Security] Getvpn Rekey authentication
From: [email protected]
To: [email protected]
CC: [email protected]

The keys should be exportable if you are planning on using cooperative servers, i.e., having more than one KS. The keys should be generated on the primary, exported, and imported to the secondary KS.

With regards
Kings

On Fri, May 7, 2010 at 7:17 PM, Sumit Mahla <[email protected]> wrote:

Hello All,

For GET VPN.... is it necessary to generate the exportable keys and then export them..... can a normal crypto key work?

Regards

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
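As an added illustration of the workflow the thread converges on (not configuration posted by any of the participants), the IOS CLI sequence for a two-KS cooperative GET VPN deployment; the key label GETVPN-KEYS, the group name, identity number, ACL and profile names, addresses and the passphrase are all placeholders. The IKE peering between the two key servers that cooperative mode also needs is out of scope here.

```cisco
! ===== Primary KS (KS1, 10.0.0.1) =====
! The rekey signing pair is generated exportable: a non-exportable pair can never
! leave this router, so a second KS could not produce rekeys GMs would accept.
crypto key generate rsa general-keys label GETVPN-KEYS modulus 2048 exportable

! Export to the terminal as PEM; the private key is wrapped with the passphrase.
! The private half is the trust anchor for every rekey, so move the output to the
! secondary over a trusted channel and do not leave it in logs or terminal buffers.
crypto key export rsa GETVPN-KEYS pem terminal 3des EXPORT-PASSPHRASE

! ===== Secondary KS (KS2, 10.0.0.2) =====
! Import under the SAME label, pasting the public and private PEM blocks when prompted.
! "exportable" keeps the pair re-exportable if a third KS is added later.
crypto key import rsa GETVPN-KEYS pem terminal exportable EXPORT-PASSPHRASE

! ===== GDOI group, identical on both KSs except for the two marked lines =====
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! Rekeys are signed with the shared pair; GMs verify them with the public key
  ! they downloaded at registration, whichever KS they registered with.
  rekey authentication mypubkey rsa GETVPN-KEYS
  rekey transport unicast
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GDOI-IPSEC-PROFILE
   match address ipv4 GETVPN-ENCRYPT-ACL
  ! KS2 uses: address ipv4 10.0.0.2
  address ipv4 10.0.0.1
  redundancy
   ! KS2 uses a lower value (e.g. 75) so KS1 is elected primary
   local priority 100
   ! KS2 uses: peer address ipv4 10.0.0.1
   peer address ipv4 10.0.0.2

! ===== Verification, run on both KSs =====
! The public key hex printed here must match byte for byte on KS1 and KS2;
! a mismatch means GMs registered to one KS will reject the other's rekeys.
show crypto key mypubkey rsa GETVPN-KEYS
! Confirms the primary/secondary roles once the coop session is established
show crypto gdoi ks coop
```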
