Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

GET VPN deployment question


Is it possible to deploy GET VPN to certain ip routes / routers within our WAN as some routers (older Cisco routers) do no support GET VPN and we are unable to upgrade those sites till late next Quarter.

Half of the sites are supportive of GETVPN - are you simply able to apply the crypto map to certain IP ranges ? Still allowing the non supportive routers to communicate unencrypted with the other routers ?



Everyone's tags (6)
Cisco Employee

Re: GET VPN deployment question


If I understand your question correctly ...

There is no problem to make a deployment like this. GET requires you to specify which subnets or hosts  will be encrypted and expected to be decrypted as set on the Key Server.

In a mixed scenario it is VERY important that hosts that participate in GET do not receive unencrypted packets matching the ACL for encryption/decrytpion. Or that hosts not participating GET receive encrypted packets.

Which can mean a BIG and very specific acl on KS.


Community Member

Re: GET VPN deployment question

This is addressed very clearly in the Design Guide section 4.4.4.What you will want to do is set up the sites with GET VPN to accept encrypted packets but not send encrypted packets. This will have the effect of having the GDOI control plane configured, tested and ready to go but still give you time to migrate all of your sites.

The command to do this is below for only the key server.

crypto gdoi group dgvpn1
server local
sa receive-only

The previous poster is correct as well, but this becomes unscalable if you go over say ten sites. I just finished the migration of 105 sites from DMVPN over MPLS to GETVPN over MPLS. So I didn't run into this exact problem, but I'm very familiar with the technology.

The DIG is your friend.

CreatePlease to create content