GETVPN over DMVPN - IPV6 DMVPN Included
Two very important VPN technologies have been introduced over the last 10 years:
Dynamic Multipoint VPN (DMVPN) – with us since 2000
Group Encrypted Transport VPN (GETVPN) – with us since Dec 2006
Both technologies have revolutionized network security and are widely used today (at least DMVPN) by companies all over the world. The general rule for both is the same: send traffic encrypted over an unsecured network. However, there is a major difference that must be considered during the design phase. DMVPN is designed to secure traffic over the Internet, and GETVPN is designed to secure traffic over a WAN (i.e. MPLS VPN). Thus, it should be clearly understood that these are complementary technologies.
People ask me why GETVPN cannot be used over the Internet. The answer is simple: it uses something called IP Header Preservation, which discloses the real (in most cases private) IP addresses. However, GETVPN has one BIG advantage over DMVPN: it is tunnelless. This means there are no IPSec peers and no dynamic/static tunnel building involved. As we should expect, this is much faster than the normal IKE negotiations needed to build up IPSec SAs. Hence, a silly idea came to my mind, to configure the following:
Build up a DMVPN network without any encryption (only mGRE encapsulation)
Secure GRE traffic by tunnelless GETVPN
Topology Details –
HOME-SYD-RTR02 is GETVPN KS.
R2 & R3 are GETVPN Members.
R2 is IPv4 DMVPN Hub.
R1 is IPv6 DMVPN Hub.
R3 is DMVPN Spoke.
R2 is IPv6 DMVPN Spoke.
HOME-PIX01 is Firewall between R2 and R3.
IP Addressing Details –
HOME-SYD-RTR01 is on 10.249.1.5.
R2 is 10.249.200.1/24, 192.168.200.1/24 & 2001:DB8:23::1/64
R3 is 10.249.10.1/24 & 192.168.170.1/24
HOME-PIX01 is 10.249.1.6/24 & 10.249.10.6/24.
R1 is 10.249.100.1/24, 192.168.100.1/24 & 2001:DB8:23::2/64.
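A minimal Cisco IOS sketch of the design described above (unencrypted mGRE DMVPN, with the GRE packets encrypted by GETVPN), added here as an illustration and not taken from the original post. Assumptions: 10.249.10.1 on R3 and 10.249.200.1 on R2 are the tunnel source (NBMA) addresses; the group, ACL, profile and key names, the 172.16.0.0/24 tunnel subnet, the interface IDs and the `<KS-ADDRESS>` and `<PSK>` placeholders are constructed.

```cisco
! Added example, not the original post's config. Constructed: names, Tunnel0 subnet
! 172.16.0.0/24, interface IDs, <KS-ADDRESS> and <PSK> placeholders.
! ===== Key server (HOME-SYD-RTR02): policy downloaded by every group member =====
! The KS also needs the same ISAKMP policy, a key per member and an RSA key pair
! labelled GETVPN-REKEY.
ip access-list extended GETVPN-GRE
 permit gre any any
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
!
crypto gdoi group GETVPN-DMVPN
 identity number 1
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-GRE
  address ipv4 <KS-ADDRESS>
!
! ===== Group member and DMVPN spoke (R3) =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address <KS-ADDRESS>
!
crypto gdoi group GETVPN-DMVPN
 identity number 1
 server address ipv4 <KS-ADDRESS>
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-DMVPN
!
! Plain mGRE: no "tunnel protection ipsec profile" on the tunnel interface
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 ip nhrp map 172.16.0.2 10.249.200.1
 ip nhrp map multicast 10.249.200.1
 ip nhrp nhs 172.16.0.2
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
!
! GDOI crypto map on the physical interface encrypts the outgoing GRE packets
interface FastEthernet0/0
 ip address 10.249.10.1 255.255.255.0
 crypto map GETVPN-MAP
```

Because of IP Header Preservation, a firewall in the path (HOME-PIX01 here) sees ESP (IP protocol 50) between the routers' tunnel source addresses, so it has to permit that along with GDOI (UDP 848) between each member and the key server. `show crypto gdoi` on a member confirms registration and the downloaded ACL.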