GET VPN COOP Explained (Simple + Practical Guide)
Table of Contents
- What is GET VPN?
- The Real Problem (Why COOP is Needed)
- What is COOP?
- How COOP Works
- Primary Key Server Election
- Key Features
- Real-World Example
- Configuration Example
- CLI Verification
- Common Mistakes
- Key Takeaways
What is GET VPN?
GET VPN (Group Encrypted Transport VPN) is a VPN technology that securely connects multiple sites without building a tunnel between each pair of sites.
Key components:
- Key Server (KS) → manages keys
- Group Members (GMs) → use keys to encrypt traffic
⚠️ The Real Problem
Everything depends on the Key Server.
If the Key Server fails:
- No new TEK (Traffic Encryption Key)
- The old key expires
- Traffic starts dropping ❌
Now imagine adding multiple Key Servers...
- Each creates its own keys
- Mismatch happens
- Sites cannot talk ❌
What is COOP?
COOP (Cooperative Key Server Protocol) allows multiple Key Servers to work together as one system.
⚙️ How COOP Works (Simple Flow)
- Multiple Key Servers are configured
- COOP syncs all data between them
- One becomes Primary KS
- Primary handles key distribution
- If it fails → another takes over automatically
Primary Key Server Election
- Highest priority wins
- If priorities are equal → highest IP address wins
Important:
✨ Key Features of COOP
- Key synchronization (TEK, KEK)
- Policy sync (ACLs)
- Automatic failover
- No traffic interruption
Real-World Example
Imagine 3 data centers:
- Mumbai (KS1)
- Delhi (KS2)
- Bangalore (KS3)
Without COOP:
- Each KS creates different keys → failure
With COOP:
- All share the same keys ✅
- If Mumbai fails → Delhi takes over ✅
Configuration Example
crypto isakmp profile GETVPN
 match identity group GETVPN-GROUP
crypto gdoi group GETVPN-GROUP
 identity number 100
 server local
  ! COOP: this KS's election priority and the other key servers it syncs with
  redundancy
   local priority 200
   peer address ipv4 10.1.1.2
   peer address ipv4 10.1.1.3
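A pre-deployment check for the redundancy stanza above, as an added example (not code from the original page): it parses each Key Server's config, flags missing peers, mismatched identity numbers and duplicate priorities, and applies the election rule (highest priority, then highest IP) to predict the Primary of a fresh election. The function names, the KS2/KS3 configs and their priorities are constructed for illustration; 10.1.1.1 is taken as the local KS address from the verification output.

```python
import ipaddress
import re

def parse_ks(config):
    """Pull identity number, local priority and COOP peers out of one KS config."""
    ident = re.search(r"^\s*identity number (\d+)", config, re.M)
    prio = re.search(r"^\s*local priority (\d+)", config, re.M)
    peers = re.findall(r"^\s*peer address ipv4 (\S+)", config, re.M)
    return {
        "identity": int(ident.group(1)) if ident else None,
        "priority": int(prio.group(1)) if prio else None,
        "peers": {ipaddress.ip_address(p) for p in peers},
    }

def audit(configs):
    """configs: {KS address: config text}. Returns (predicted primary, findings)."""
    ks = {ipaddress.ip_address(a): parse_ks(c) for a, c in configs.items()}
    findings = []
    if len({v["identity"] for v in ks.values()}) > 1:
        findings.append("identity number differs between key servers")
    for addr, v in sorted(ks.items()):
        if v["priority"] is None:
            findings.append(f"{addr}: no local priority under redundancy")
        for m in sorted(set(ks) - {addr} - v["peers"]):
            findings.append(f"{addr}: missing peer {m}")
    prios = [v["priority"] for v in ks.values()]
    if len(prios) != len(set(prios)):
        findings.append("duplicate priority: tie is broken by highest IP")
    # Election rule from the page: highest priority wins, then highest IP.
    # Assumption of this example: a KS with no priority line sorts as 0.
    primary = max(ks, key=lambda a: (ks[a]["priority"] or 0, a))
    return str(primary), findings

def sample(prio, *peers):
    """Constructed KS config in the page's layout (not from a real device)."""
    head = ["crypto gdoi group GETVPN-GROUP", " identity number 100",
            " server local", "  redundancy", f"   local priority {prio}"]
    return "\n".join(head + [f"   peer address ipv4 {p}" for p in peers])

SAMPLE = {
    "10.1.1.1": sample(200, "10.1.1.2", "10.1.1.3"),
    "10.1.1.2": sample(150, "10.1.1.1", "10.1.1.3"),
    "10.1.1.3": sample(150, "10.1.1.1"),  # constructed fault: peer 10.1.1.2 missing
}

if __name__ == "__main__":
    primary, findings = audit(SAMPLE)
    print("predicted primary:", primary)
    print("\n".join(findings))
```

The prediction covers a fresh election only; as the Common Mistakes list notes, a newly added KS should not be assumed to become Primary.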
CLI Verification
show crypto gdoi ks coop
Primary KS: 10.1.1.1
Secondary KS: 10.1.1.2
Status: Synchronized
⚠️ Common Mistakes
- Not configuring COOP → mismatched keys
- Wrong priority settings
- Assuming a new KS will automatically become Primary
Key Takeaways
Final Thought
COOP makes GET VPN reliable by ensuring: "Even if one server fails, your network keeps running without interruption."