GET VPN deployment question

Unanswered Question
Jun 19th, 2010
User Badges:


Is it possible to deploy GET VPN to certain ip routes / routers within our WAN as some routers (older Cisco routers) do no support GET VPN and we are unable to upgrade those sites till late next Quarter.

Half of the sites are supportive of GETVPN - are you simply able to apply the crypto map to certain IP ranges ? Still allowing the non supportive routers to communicate unencrypted with the other routers ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcin Latosiewicz Sun, 06/20/2010 - 03:28
User Badges:
  • Cisco Employee,


If I understand your question correctly ...

There is no problem to make a deployment like this. GET requires you to specify which subnets or hosts  will be encrypted and expected to be decrypted as set on the Key Server.

In a mixed scenario it is VERY important that hosts that participate in GET do not receive unencrypted packets matching the ACL for encryption/decrytpion. Or that hosts not participating GET receive encrypted packets.

Which can mean a BIG and very specific acl on KS.


brettborschel Tue, 10/05/2010 - 12:06
User Badges:

This is addressed very clearly in the Design Guide section 4.4.4.What you will want to do is set up the sites with GET VPN to accept encrypted packets but not send encrypted packets. This will have the effect of having the GDOI control plane configured, tested and ready to go but still give you time to migrate all of your sites.

The command to do this is below for only the key server.

crypto gdoi group dgvpn1
server local
sa receive-only

The previous poster is correct as well, but this becomes unscalable if you go over say ten sites. I just finished the migration of 105 sites from DMVPN over MPLS to GETVPN over MPLS. So I didn't run into this exact problem, but I'm very familiar with the technology.

The DIG is your friend.


This Discussion

Related Content