28-20
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Configuring GET VPN Group Members
Use the Group Members policy to define the group members in a GET VPN topology.
To open the Group Members policy, in the Site-to-Site VPN Manager Window, select an existing GET
VPN topology, then select Group Members from the Policies list.
The group members table lists the members of the GET VPN, showing the device name, GET-enabled
interface, local interface, and security policy. For detailed information about these attributes, see Edit
Group Member Dialog Box, page 28-21.
To add a group member to the table, click the Add Row button and select the device from the list
presented. Only devices that can be included as group members are shown.
To edit the endpoint characteristics of a group member, select it and click the Edit Row button. Fill
in the Edit Group Member dialog box (see Edit Group Member Dialog Box, page 28-21).
If you select multiple group members in the table, you can also right-click and select the following
commands to edit just these attributes:
Edit Key Server Order—To change the key server list and priority order for the selected group
members.
Edit Passive SA Mode—To change whether the selected group members use passive SA mode.
To delete a group member, select it and click the Delete Row button.
Tip: You can toggle between showing the interface roles or the actual interfaces defined by those roles in the
interface columns using the Show field below the table.
Related Topics
Configuring Fail-Close to Protect Registration Failures, page 28-8
Using Passive Mode to Migrate to GET VPN, page 28-23
Table 28-3 Edit Key Server Dialog Box

Element                 Description

Identity Interface      The interface that group members use to identify the key server and
                        register with it. The default is the Loopback interface role, which
                        identifies all Loopback interfaces.

Priority                A number between 1 and 100 that designates the role of the key server,
                        either primary or secondary. The key server with the highest number
                        becomes the primary key server. If two or more key servers are assigned
                        the same priority, the device with the highest IP address is used. The
                        default priority is 100 for the first key server, 95 for the second, and so
                        on.
                        Note: There can be more than one primary key server if the network
                        is partitioned.

Registration Interface  The interface on which group domain of interpretation (GDOI)
                        registrations can be accepted. If you do not specify a registration
                        interface, GDOI registrations can occur on any interface.
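The following is an added example, not code from the Cisco Security Manager guide or from Cisco IOS; it is a constructed model of the Priority rule in Table 28-3 (highest priority wins, ties go to the highest IP address, defaults of 100, 95, 90, ...) so that the election outcome for a given key server list can be checked before deployment. The partition helper models the Note in the table under the assumption that each partition of the network elects its own primary from the key servers it can still reach; the function names, the `partitions` input format and the floor of 1 on the default priority are assumptions for this example.

```python
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the key server priority semantics described in
# Table 28-3. This is NOT Cisco's GDOI/COOP implementation; it only
# mirrors the rule as the dialog reference states it.

KeyServer = Tuple[str, int]  # (identity IP address, priority)


def default_priority(position: int) -> int:
    """Default priority for the key server at 1-based list position:
    100 for the first, 95 for the second, and so on. The floor of 1 is an
    assumption so the value always stays inside the documented 1-100 range."""
    if position < 1:
        raise ValueError("position is 1-based")
    return max(1, 100 - 5 * (position - 1))


def validate_priority(priority: int) -> int:
    """Reject priorities outside the 1-100 range accepted by the dialog."""
    if not 1 <= priority <= 100:
        raise ValueError(f"priority {priority} is outside 1-100")
    return priority


def elect_primary(key_servers: List[KeyServer]) -> Optional[str]:
    """Return the identity address of the primary key server.

    Highest priority wins; on a tie, the highest IP address wins. The
    address is compared numerically (via ipaddress), because a string
    comparison would rank 10.0.0.9 above 10.0.0.10."""
    if not key_servers:
        return None
    best = max(
        key_servers,
        key=lambda ks: (validate_priority(ks[1]), int(ip_address(ks[0]))),
    )
    return best[0]


def elect_per_partition(
    key_servers: List[KeyServer], partitions: List[Set[str]]
) -> Dict[int, str]:
    """Model the Note in Table 28-3: when the network is partitioned, each
    partition (a set of key server addresses that can still reach each
    other) elects its own primary, so more than one primary can exist.
    Returns {partition index: primary address}; empty partitions are skipped."""
    by_addr = dict(key_servers)
    primaries: Dict[int, str] = {}
    for idx, members in enumerate(partitions):
        reachable = [(addr, by_addr[addr]) for addr in members if addr in by_addr]
        primary = elect_primary(reachable)
        if primary is not None:
            primaries[idx] = primary
    return primaries


if __name__ == "__main__":
    # Constructed key server list using the default priorities from the table.
    servers = [("10.0.0.9", default_priority(1)), ("10.0.0.10", default_priority(2))]
    print("primary:", elect_primary(servers))  # highest priority wins: 10.0.0.9
    # Same priority on both: the numerically higher address wins.
    print("tie:", elect_primary([("10.0.0.9", 100), ("10.0.0.10", 100)]))
    # Two partitions, each with one reachable key server: two primaries.
    print("partitioned:", elect_per_partition(servers, [{"10.0.0.9"}, {"10.0.0.10"}]))
```

The tie-break case is the one worth running: two key servers left at the same priority are a common result of adding servers out of order, and the numeric address comparison is what the documented rule implies, not a lexical one.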