
GET VPN (GDOI) Configuration Guide: Cisco IOS Syntax

GET VPN (Group Encrypted Transport VPN) is a Cisco IOS technology that provides tunnel-less IPsec encryption across MPLS or private WAN networks. A key server (KS) distributes one shared set of keys and one encryption policy to every group member (GM) over the GDOI protocol (RFC 3547, later revised as RFC 6407), so any member can decrypt traffic from any other member without pairwise tunnels.

! Key Server configuration
! Prerequisites not shown on this page: an ISAKMP policy plus PSK or PKI keying
! for GM registration, the IPsec profile PROFILE_NAME, and an RSA key pair used
! to sign rekeys (the key label GETVPN_REKEY_RSA below is a placeholder)
crypto gdoi group KS_GROUP
 identity number 100
 server local
  rekey retransmit 15 number 4
  rekey lifetime seconds 86400
  rekey authentication mypubkey rsa GETVPN_REKEY_RSA
  rekey transport unicast
  sa ipsec 1
   profile PROFILE_NAME
   match address ipv4 101
   replay counter window-size 512
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! Group Member configuration (same identity number; the group name is local)
crypto gdoi group GM_GROUP
 identity number 100
 server address ipv4 192.0.2.1
 exit
!
crypto map GETVPN_MAP 10 gdoi
 set group GM_GROUP
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GETVPN_MAP
!

Tested on Cisco IOS XE 3S with GET VPN feature set on ASR 1000, ASR 900, and ISR 4451. Note: ASR 1000 with virtual-ppp interface cannot be a group member.

Syntax

Configuration is performed in global configuration mode. The primary command tree for a Key Server (KS) and Group Member (GM) is shown above. The group name (KS_GROUP, GM_GROUP) is local to each router and need not match; the identity number is what identifies the group on the wire and must be identical on the KS and on every GM. A mismatch leaves the GM unable to register and is reported as %GDOI-3-CONFIG_MISMATCH.

Options and Flags

Command                     Type             Default          Description
identity number             Integer          None             Group identity carried in GDOI messages; must match on KS and every GM (the group name need not).
server local                Submode          N/A              Enables the KS role within the GDOI group.
rekey retransmit            Integer|Integer  10 sec, 2 times  Retransmit interval (seconds) and number of retransmissions for rekey messages.
rekey lifetime seconds      Integer          86400            KEK (rekey SA) lifetime; the KS sends a new KEK before it expires.
rekey authentication        RSA key label    None             Key pair the KS signs rekeys with; without it the KS sends no rekeys and GMs fall back to re-registering before their SAs expire.
sa ipsec                    Integer (1–255)  None             IPsec SA (TEK) policy that the KS distributes to the GMs; a group may carry more than one.
replay counter window-size  Integer          64               Counter-based anti-replay window in packets (64, 128, 256, 512 or 1024); only usable in a two-member group.
replay time window-size     Integer          None (counter mode is the default)  Time-based anti-replay (TBAR) window in seconds (1–100); use for groups with more than two members.
match address               ACL number/name  None             Access list specifying traffic to protect (unicast/multicast); pushed from the KS to the GMs.
redundancy                  Submode          N/A              Cooperative KS configuration for high availability.

Usage Examples

1. Basic Key Server Configuration

! IPsec profile referenced by the group's SA policy; the transform-set name
! GET-TS and the RSA key label GET-REKEY-RSA are placeholders
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GET-PROFILE
 set transform-set GET-TS
!
! Create the GDOI group, its rekey parameters and its IPsec (TEK) policy
crypto gdoi group GET-KS
 identity number 100
 server local
  rekey retransmit 15 number 4
  rekey lifetime seconds 86400
  rekey authentication mypubkey rsa GET-REKEY-RSA
  rekey transport unicast
  sa ipsec 1
   profile GET-PROFILE
   match address ipv4 101
   replay counter window-size 512
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255

Creates a cooperative KS at 192.0.2.1 with redundancy peer 192.0.2.2, a KEK (rekey) lifetime of 24 hours, and rekeys signed with the KS's RSA key and delivered by unicast. ACL 101 defines the traffic between the two private address blocks that the GMs will encrypt; the KS pushes this ACL to every member, so it is not configured on the GMs. A counter-based replay window of 512 packets is adequate for a two-member group, but with more than two members the shared SA has several senders with independent sequence numbers, so counter-based checking misfires; use time-based anti-replay (replay time window-size <seconds>) for larger groups.

2. Group Member Registration

! Prerequisite not shown on this page: an ISAKMP policy and PSK or PKI keying
! for the GM-to-KS registration (IKE phase 1)
!
! GM points to the KS address; the identity number must equal the KS's
crypto gdoi group GET-GM
 identity number 100
 server address ipv4 192.0.2.1
!
! GDOI crypto map: binds the group to the interface; no peer or transform set is set here
crypto map GETVPN-MAP 10 gdoi
 set group GET-GM
!
interface GigabitEthernet0/0/0
 crypto map GETVPN-MAP

The GM registers with the KS over IKE (so it also needs a matching ISAKMP policy and keying) using the same identity number; the GDOI crypto map binds the group to the interface facing the WAN. After registration the GM receives the KEK, the TEK(s) and the policy ACL from the KS, so none of these are configured locally on the GM.

3. Forced Rekey and Verification

! On the KS, in privileged EXEC (not configuration mode): push a new KEK/TEK now
crypto gdoi ks rekey
!
! Verify on the KS: group state and the members that have registered
show crypto gdoi group GET-KS
show crypto gdoi ks members
!
! Verify on the GM: group state, rekeys received, and the SPIs now installed
show crypto gdoi group GET-GM
show crypto gdoi gm rekey
show crypto ipsec sa | include spi

Admin‑initiated rekey is useful after policy changes or before an IOS upgrade to minimise disruption. The show commands confirm SA distribution and group member registration.

Error Codes (Syslog Messages)

Syslog mnemonic                          Meaning                                                              Operational impact
COOP_KS_ELECTION                         Cooperative KS election in progress                                  Group temporarily unstable; rekey retransmissions may occur
GDOI_ANN_TIMESTAMP_LARGE                 Cooperative KS announcement timestamp too far in the future          Announcement discarded; clocks of the cooperative key servers have drifted apart
COOP_KS_BLOCK_NEW_GM_REGISTER_ELECTION   New GM registrations refused while the election runs                 Registering GMs retry until a primary is elected; already registered GMs keep their current SAs
COOP_KS_VALID_ANN_TIMER_EXPIRED          No valid announcement from the peer KS before the timer expired      Peer treated as unreachable; if it was the primary, a secondary KS promotes itself

Troubleshooting & Common Errors

Error Message / Condition          Root Cause                                                                                      Resolution Command
%GDOI-3-CONFIG_MISMATCH            GM identity number matches no group on the KS, or policy differs between cooperative KSs         show crypto gdoi on both sides; make the identity number identical (for COOP, align the group policy on every KS)
GM fails to register after rekey   Rekey lost (firewall, or the multicast group set by rekey address ipv4 is not reachable); the GM then re-registers before its SA expires and that registration also fails   debug crypto gdoi; verify reachability to the KS and to the multicast rekey group, or switch to rekey transport unicast
SA not installed on GM             KS IPsec policy incomplete: profile missing or not defined, or the match address ACL is empty     show run | section crypto gdoi on the KS; ensure sa ipsec has a profile that exists and an ACL with at least one permit
High packet drops with TBAR        Time-based anti-replay window too small for the pseudotime skew and jitter between senders         Increase replay time window-size (maximum 100 seconds) or, for a two-member group only, switch to replay counter window-size
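The identity-number rule from the Syntax section and the first and third rows of the table above can be checked before a change window, from saved configurations, without touching the routers. The script below is an added example written for this page, not a Cisco tool: it parses `show running-config` text from a KS and a GM, extracts the crypto gdoi group stanzas together with the numbered ACLs and IPsec profiles they reference, and reports an identity mismatch, a profile that is referenced but never defined, and an ACL that is missing or has no permit entry. The two configurations embedded in it are constructed samples (the GM deliberately carries identity 101 against the KS's 100); named ACLs are not parsed, which is an assumed simplification.

```python
"""Offline consistency check for a GET VPN key-server / group-member config pair.
Added example for this page, not Cisco tooling. Parses saved `show running-config`
text for the crypto gdoi group stanzas plus the numbered ACLs and IPsec profiles they
reference. Both configurations below are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass, field

KS_CONFIG = """\
crypto ipsec profile GET-PROFILE
 set transform-set GET-TS
!
crypto gdoi group GET-KS
 identity number 100
 server local
  sa ipsec 1
   profile GET-PROFILE
   match address ipv4 101
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
"""

GM_CONFIG = """\
crypto gdoi group GET-GM
 identity number 101
 server address ipv4 192.0.2.1
"""

@dataclass
class SaPolicy:
    number: int
    profile: str | None = None
    acls: list[str] = field(default_factory=list)

@dataclass
class GdoiGroup:
    name: str
    identity: int | None = None
    is_ks: bool = False                                # 'server local' present
    sa_policies: list[SaPolicy] = field(default_factory=list)

def parse_config(text: str) -> tuple[dict[str, GdoiGroup], set[str], dict[str, int]]:
    """Return (gdoi groups by name, ipsec profile names, ACL number -> permit-entry count)."""
    groups, profiles, acl_permits = {}, set(), {}
    group = sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not raw.startswith(" "):                    # top-level command closes any open stanza
            group = sa = None
            if line.startswith("crypto gdoi group "):
                group = groups[words[3]] = GdoiGroup(name=words[3])
            elif line.startswith("crypto ipsec profile "):
                profiles.add(words[3])
            elif line.startswith("access-list "):      # numbered ACL: one entry per line
                acl_permits[words[1]] = acl_permits.get(words[1], 0) + (words[2] == "permit")
        elif group is not None:                        # inside a crypto gdoi group stanza
            if line.startswith("identity number "):
                group.identity = int(words[2])
            elif line == "server local":
                group.is_ks = True
            elif line.startswith("sa ipsec "):
                sa = SaPolicy(number=int(words[2]))
                group.sa_policies.append(sa)
            elif sa is not None and line.startswith("profile "):
                sa.profile = words[1]
            elif sa is not None and line.startswith("match address ipv4 "):
                sa.acls.append(words[3])
    return groups, profiles, acl_permits

def lint(ks_text: str, gm_text: str) -> list[str]:
    """Return findings as strings; an empty list means the pair is consistent."""
    ks_groups, profiles, acl_permits = parse_config(ks_text)
    gm_groups, _, _ = parse_config(gm_text)
    findings: list[str] = []
    ks_by_identity = {g.identity: g for g in ks_groups.values() if g.is_ks}
    for g in ks_by_identity.values():                  # KS side: can the SA policy be built?
        for sa in g.sa_policies:
            where = f"KS group {g.name} sa ipsec {sa.number}"
            if sa.profile is None:
                findings.append(f"{where}: no 'profile' configured")
            elif sa.profile not in profiles:
                findings.append(f"{where}: profile {sa.profile} is not defined")
            if not sa.acls:
                findings.append(f"{where}: no 'match address ipv4'")
            findings += [f"{where}: ACL {a} is missing or has no permit entry"
                         for a in sa.acls if acl_permits.get(a, 0) == 0]
    for g in gm_groups.values():                       # GM side: does the identity exist on the KS?
        if not g.is_ks and g.identity not in ks_by_identity:
            known = sorted(i for i in ks_by_identity if i is not None)
            findings.append(f"GM group {g.name}: identity {g.identity} matches no KS group "
                            f"(KS identities: {known})")
    return findings

if __name__ == "__main__":
    for finding in lint(KS_CONFIG, GM_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the embedded samples it reports only the identity mismatch; pointing it at real `show running-config` captures from both sides of a group turns the first and third troubleshooting rows into a pre-change check. Stanzas are closed by the next unindented command, matching how IOS prints its configuration, so the parser does not depend on the "!" separators.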

Frequently Asked Questions

What does the error COOP_KS_ELECTION mean?

It indicates a cooperative key server election is in progress. During this period, GDOI group stability may degrade; rekey messages may be retransmitted and new registrations may be refused until a primary is elected. Monitor with show crypto gdoi ks coop and verify reachability between the KS peers.

How do I resolve GDOI_ANN_TIMESTAMP_LARGE?

This occurs when a cooperative KS announcement carries a timestamp too far in the future, typically because the clocks of the cooperative key servers have drifted apart; the announcement is discarded. Synchronize all key servers (and, if PKI is used for registration, the GMs as well) with NTP and verify using show ntp status.

Why can’t a virtual-ppp interface on ASR 1000 be a GET VPN group member?

Cisco documentation explicitly states that ASR 1000 routers with virtual-ppp interfaces cannot function as GET VPN group members. Use physical interfaces or subinterfaces instead.

How do I verify cooperative KS synchronization?

Use show crypto gdoi ks coop on each key server to confirm that every peer is listed as alive, that exactly one is primary and the others secondary, and that the announcement timers are current. No COOP_KS_VALID_ANN_TIMER_EXPIRED messages should appear while the peers are healthy.

Closing Tip

Schedule IOS upgrades shortly after a successful rekey rather than close to KEK/TEK expiry, and verify with show crypto gdoi ks coop that the cooperative KS peers are synchronised before any maintenance, so that no GM finds every key server unreachable at the moment it needs to re-register.