I am in the process of trying to implement GETVPN in order to encrypt all sensitive data across the telco provider network. Just
to give you a little background, we have approximately 500 1921 routers located at remote agencies. We also have a headend device
here that will act as the Key Server for all the GM's at the remote agencies. The router at the central/headquarters site will obviously be something a lot larger to function as the Key Server.
Some of the remote agencies use an IP subnet we assign from our network and others use their own subnet so they can interact with their local
network as well. For those that use their own private schemes, we do either a static NAT or a PAT in the remote router in order to allow their
workstations access to appropriate applications. We were told that GETVPN would NOT work if we were PAT'ing addresses. Is this a true
statement? I'm a little confused by this statement as the order of operations happens AFTER NAT on outbound traffic and BEFORE NAT on
So I guess in short I'm just asking does NAT/PAT make a difference? If it works today without GETVPN, shouldn't it work with?
If someone could enlighten me a little bit, I'd appreciate it.
In addition, since we have about 500 remote users, how does GETVPN work during implementation? So let's say we apply the config to the headquarters
side and just one of the remotes, does this cause ALL the other remotes to go down because they haven't been set up yet or can we slowly config each remote router over time?
Thanks in advance,
Disclaimer: This is around year old knowledge, feel free to fact check me.
You are correct on the count on NAT and GETVPN on same device. It will work (with obvious due diligence).
What will not work is when a GETVPN device is behind a NATing device.
For your second question, have a look at the GETVPN DIG
Particularly, passive SA and receive-only SA is something that could be of interest.
FYI, config guide:
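As an added illustration of the two points in the reply above (NAT and GETVPN on the same router, and a receive-only SA for a phased rollout), here is a constructed key server and group member configuration. It is not from the thread or the GETVPN DIG; the group name, identity number, key names, addresses and interface numbers are all assumptions.

```cisco
! ---- Key Server (central site) ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   ! Policy ACL is pushed to every GM; on a GM, inside-to-outside NAT runs before the
   ! crypto check, so this ACL must match the POST-NAT (assigned 10.x) addresses.
   match address ipv4 GETVPN-POLICY
   replay counter window-size 64
  ! Phased rollout: GMs decrypt incoming ESP but still send in the clear, so agencies
  ! not yet migrated keep working. Remove this line once every GM has registered.
  sa receive-only
  address ipv4 203.0.113.1
ip access-list extended GETVPN-POLICY
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! ---- Group Member (remote agency with its own LAN, PAT on the same router) ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 203.0.113.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 203.0.113.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
! Translate the agency's private LAN to its assigned 10.x address before encryption
ip nat inside source list AGENCY-LAN interface GigabitEthernet0/0 overload
ip access-list standard AGENCY-LAN
 permit 192.168.50.0 0.0.0.255
interface GigabitEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 ip address 10.20.30.1 255.255.255.0
 ip nat outside
 crypto map GETVPN-MAP
```

The per-GM alternative to the key server's receive-only SA is passive SA mode, enabled from EXEC mode on an individual group member with `crypto gdoi gm group GETVPN ipsec direction inbound optional`, which lets a single remote be migrated and verified before the rest.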