GETVPN Questions

Answered Question
Feb 25th, 2014

I am in the process of trying to implement GETVPN in order to encrypt all sensitive data across the telco provider network. Just to give you a little background, we have approximately 500 1921 routers located at remote agencies. We also have a headend device here that will act as the Key Server for all the GMs at the remote agencies. The router at the central/headquarters site will obviously be something a lot larger to function as the Key Server.

Some of the remote agencies use an IP subnet we assign from our network and others use their own subnet so they can interact with their local network as well. For those that use their own private schemes, we do either a static NAT or a PAT in the remote router in order to allow their workstations access to appropriate applications. We were told that GETVPN would NOT work if we were PAT'ing addresses. Is this a true statement? I'm a little confused by this statement as the order of operations happens AFTER NAT on outbound traffic and BEFORE NAT on inbound traffic.

So I guess in short I'm just asking: does NAT/PAT make a difference? If it works today without GETVPN, shouldn't it work with?

If someone could enlighten me a little bit, I'd appreciate it.

In addition, since we have about 500 remote users, how does GETVPN work during implementation? So let's say we apply the config to the headquarters side and just one of the remotes, does this cause ALL the other remotes to go down because they haven't been set up yet, or can we slowly config each remote router over time?

Thanks in advance,

Correct Answer by Marcin Latosiewicz (Cisco Employee), Wed, 02/26/2014 - 00:27

Disclaimer: This is around year old knowledge, feel free to fact check me.


You are correct on the count on NAT and GETVPN on same device. It will work (with obvious due diligence).

What will not work is when a getvpn device is behind a NATing device.



For your second question, have a look at the GETVPN DIG

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

Particularly, passive SA and receive-only SA is something that could be of interest.


FYI, config guide:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-mt/sec-get-vpn-15-mt-book/sec-get-vpn.html


jonesl1 Thu, 02/27/2014 - 05:08

Thank you for confirming what I thought.  
