We want to deploy GET VPN and we have a big number of ATMs connected through VSAT connections to the head office. At times of congestion, the bandwidth of the connection can degrade to 2 Kbps for each router (believe it or not), and this bandwidth is currently enough to carry the minimal text traffic that ATMs send when a transaction is conducted. Also, GRE tunnels are established between each ATM router and the routers at the head office.
My question is: does this bandwidth handle adding GET VPN encryption to it?
Also, how much bandwidth is required for communication with the KS, and could the link handle it if rekeying occurred during congestion?
In general, tunnel mode encryption adds about 60-70 bytes of overhead depending on the encryption transform used. The rekey messages are large, and the size depends on the actual encryption policy defined on the KS. For a typical "permit ip any any" with a few deny entries in the crypto policy, the rekey messages can be anywhere between 1200 and 1400 bytes. The GETVPN rekey does offer a retransmission mechanism for both unicast and multicast rekey so that if one rekey message is lost, the KS will retransmit the rekeys. In the event that all rekeys are lost, the GM would then have to re-register with the KS after TEK expiry. I hope this helps.
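To put the figures in the answer above against the 2 Kbps link from the question, here is an added calculator (not from the original thread, and not Cisco code). It assumes the standard ESP tunnel-mode layout from RFC 4303 (outer IP header, 8-byte ESP header, cipher IV, padding to the cipher block size, 2-byte trailer, ICV from the integrity transform); the cipher and integrity parameters are the common IOS transform-set choices, and the 1400-byte rekey size and 2000 bps link are taken from the thread. It shows per-packet overhead for a small ATM transaction packet, the goodput left on the link, and how long one rekey message occupies the link.

```python
"""Estimate ESP tunnel-mode overhead and rekey serialization time on a slow link.

Added example, not part of the original forum thread. Header sizes follow the
RFC 4303 ESP packet format; IV/block/ICV sizes are the usual values for the
named transforms (assumption: no NAT-T UDP encapsulation, no GRE).
"""

IP_HEADER = 20      # outer IPv4 header added in tunnel mode
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)

# cipher -> (IV bytes, block size bytes)
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# integrity transform -> ICV bytes
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_size(plain_len, cipher="aes-cbc", integ="hmac-sha1-96"):
    """On-wire size of an ESP tunnel-mode packet carrying an IP packet of plain_len bytes."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integ]
    # Payload plus the 2-byte trailer must be a multiple of the cipher block size.
    pad = (-(plain_len + ESP_TRAILER)) % block
    return IP_HEADER + ESP_HEADER + iv + plain_len + pad + ESP_TRAILER + icv


def esp_overhead(plain_len, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Bytes added to the original IP packet by ESP tunnel mode."""
    return esp_tunnel_size(plain_len, cipher, integ) - plain_len


def serialization_seconds(size_bytes, link_bps):
    """Time a single packet of size_bytes occupies a link of link_bps."""
    return size_bytes * 8 / link_bps


def goodput_bps(plain_len, link_bps, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Bits per second of original (pre-encryption) IP traffic the link can carry
    when every packet is plain_len bytes and is encrypted with the given transforms."""
    return link_bps * plain_len / esp_tunnel_size(plain_len, cipher, integ)


if __name__ == "__main__":
    LINK_BPS = 2000        # congested VSAT figure from the question
    ATM_PACKET = 100       # constructed: a small transaction packet
    REKEY_BYTES = 1400     # upper rekey size quoted in the answer
    for cipher in CIPHERS:
        for integ in INTEGRITY:
            print(f"{cipher:9s} {integ:16s} overhead={esp_overhead(ATM_PACKET, cipher, integ):3d} B "
                  f"goodput={goodput_bps(ATM_PACKET, LINK_BPS, cipher, integ):7.1f} bps")
    print(f"one {REKEY_BYTES}-byte rekey occupies the link for "
          f"{serialization_seconds(REKEY_BYTES, LINK_BPS):.1f} s")
```

The numbers line up with the answer: AES-CBC with HMAC-SHA1 adds 68 bytes to a 100-byte packet, which sits inside the quoted 60-70 byte range, and a single 1400-byte rekey ties up a 2 Kbps link for 5.6 seconds, so a rekey retransmission burst during congestion is the case worth sizing for.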
Thanks for your reply. We will study this issue more in order to decide if GETVPN can be implemented.
On the other hand, I want to ask about the ACL used in GET VPN to determine the traffic that is encrypted.
We have around 300 branches, and they are all in the 10.0.0.0/8 subnet including the DC at HO. We will migrate one by one over a period of time, so I am thinking of doing a specific permit for each branch's traffic while denying the others, until we reach a point where all 300 are migrated; then we can do a permit any any while denying some protocols.
I am afraid that this long access list will affect the network's performance at times of rekeying. Is there any other solution to control the traffic to be encrypted?