Is it possible to deploy GET VPN to certain IP routes / routers within our WAN, as some routers (older Cisco routers) do not support GET VPN and we are unable to upgrade those sites until late next quarter?
Half of the sites support GETVPN. Are you simply able to apply the crypto map to certain IP ranges, still allowing the non-supporting routers to communicate unencrypted with the other routers?
There is no problem making a deployment like this. GET requires you to specify which subnets or hosts will be encrypted and are expected to be decrypted, as set on the Key Server.
In a mixed scenario it is VERY important that hosts that participate in GET do not receive unencrypted packets matching the ACL for encryption/decryption, and that hosts not participating in GET do not receive encrypted packets.
This is addressed very clearly in the Design Guide, section 4.4.4. What you will want to do is set up the sites with GET VPN to accept encrypted packets but not send encrypted packets. This will have the effect of having the GDOI control plane configured, tested and ready to go, but still give you time to migrate all of your sites.
The command to do this is below; it is configured only on the key server.
crypto gdoi group dgvpn1
 server local
  sa receive-only
The previous poster is correct as well, but this becomes unscalable if you go over say ten sites. I just finished the migration of 105 sites from DMVPN over MPLS to GETVPN over MPLS. So I didn't run into this exact problem, but I'm very familiar with the technology.
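An added example (not from either poster) showing how the two answers above combine on IOS: the key server's encryption ACL denies the legacy-site subnet so that traffic to and from the routers that cannot run GET yet always stays in the clear, and sa receive-only keeps the GET-capable group members accepting encrypted and clear-text packets while still sending clear text during the migration. The group name dgvpn1 comes from the post above; the addresses, ACL, profile and key-pair names are made up for illustration, and the ISAKMP policy, IPsec transform set/profile and RSA rekey key pair are assumed to be configured already.

```cisco
! ---- Key server (addresses and names are illustrative) ----
! Entries are evaluated top down: the legacy-site subnet 10.50.0.0/16
! is denied first so it is never matched for encryption, and GDOI
! control traffic (UDP 848) is excluded as the Design Guide recommends.
ip access-list extended GETVPN-ENCRYPT-ACL
 deny   ip any 10.50.0.0 0.0.255.255
 deny   ip 10.50.0.0 0.0.255.255 any
 deny   udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group dgvpn1
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-IPSEC-PROF
   match address ipv4 GETVPN-ENCRYPT-ACL
  ! Migration mode (Design Guide 4.4.4): group members install the
  ! SAs, decrypt inbound encrypted packets, still accept clear text,
  ! and send everything in clear text until this line is removed.
  sa receive-only
  address ipv4 10.1.1.1
!
! ---- Each GET-capable group member ----
crypto gdoi group dgvpn1
 identity number 1234
 server address ipv4 10.1.1.1
!
crypto map GETVPN-MAP 10 gdoi
 set group dgvpn1
!
interface GigabitEthernet0/0
 description WAN (MPLS)
 crypto map GETVPN-MAP
```

Once the last legacy site is upgraded, remove the deny entries for its subnet from the ACL and enter no sa receive-only on the key server; the next rekey pushes the change to all members so they start encrypting on the same policy they have already been validating inbound.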