GETVPN

tmesbah
Level 1

I am just starting to configure GETVPN in the lab before putting it in production and I am having a lot of issues. Hope I can get some help here:

1) "sh crypto isakmp sa" displays the tunnels for about 10 minutes and after that we don't see any IPsec tunnel. Put a sniffer on and still seeing that the traffic is encrypted ...

2) When trying a multicast application ("whiteboard", got it from the Internet), it works for a minute and after that stops working ...

I am just questioning myself now if it is the right thing to go with GETVPN instead of DMVPN ...

Opened a TAC and still they haven't resolved these issues.

Thanks

4 Replies

ramiro.espinoza
Level 1

Well, according to the guy from TAC, GETVPN doesn't support NAT. I didn't see that in the documentation, so I'm sticking with DMVPN for now.

serkanozden
Level 1

Can anybody help me with the GETVPN configuration I have made on my 1841 routers in a LAN environment? It is not working with the attached configurations.

dsandre-toh
Level 1

To question #1:

sh cry isa sa - shows only the SAs for IKE phase 1, not for traffic encryption

sh cry ips sa - will show you what traffic is being encrypted - that's why with the sniffer you still see traffic encrypted.

See: GETVPN Design & Implementation Guide, section 5.3.2, Verifying GM Operation

Section 3.6.2 of the GETVPN design guide covers the reasoning behind shortened ISAKMP lifetime value on the GM.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
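
An added example, not part of the original thread: a small Python check that reads saved output of the two commands from the last reply and judges encryption from the IPsec SAs rather than from the IKE phase 1 table. The sample output, addresses, SPI and counters are constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample output (not captured from a real router).
ISAKMP_AT_REGISTRATION = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        GDOI_IDLE         1001 ACTIVE
"""
ISAKMP_LATER = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
"""
IPSEC_SA = """\
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
     inbound esp sas:
      spi: 0x8F2C11A4(2402029988)
     outbound esp sas:
      spi: 0x8F2C11A4(2402029988)
"""

# One data row of the IKE SA table: dst, src, state, conn-id, status.
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\d+\s+\S+", re.M)

def ike_sas(isakmp_output):
    """(dst, src, state) for each IKE phase 1 SA listed by 'sh cry isa sa'."""
    return ROW.findall(isakmp_output)

def ipsec_summary(ipsec_output):
    """Installed SPIs and summed encrypt/decrypt counters from 'sh cry ips sa'."""
    spis = set(re.findall(r"spi:\s+(0x[0-9A-Fa-f]+)", ipsec_output))
    counters = {"encrypt": 0, "decrypt": 0}
    for name, value in re.findall(r"#pkts (encrypt|decrypt): (\d+)", ipsec_output):
        counters[name] += int(value)
    return spis, counters

def assess(isakmp_output, ipsec_output):
    """Judge the data plane from the IPsec SAs, not from the IKE SA table."""
    spis, counters = ipsec_summary(ipsec_output)
    if not spis:
        return "no IPsec SAs installed: traffic is not being encrypted"
    phase1 = "present" if ike_sas(isakmp_output) else "absent"
    return f"encrypting ({counters['encrypt']} pkts), IKE phase 1 SA {phase1}"

if __name__ == "__main__":
    print(assess(ISAKMP_AT_REGISTRATION, IPSEC_SA))
    print(assess(ISAKMP_LATER, IPSEC_SA))
    print(assess(ISAKMP_LATER, ""))
```
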