Cisco Support Community
Community Member

GET VPN with limited bandwidth


We want to deploy GET VPN and we have a big number of ATMs connected through VSAT connections to the head office. At times of congestion, bandwidth of the connection can degrade to 2 Kbps for each router (believe it or not), and this bandwidth is currently enough to carry the minimal text traffic that ATMs send when a transaction is conducted. Also, GRE tunnels are established between each ATM router and the routers at head office.

My question is: does this bandwidth handle adding GET VPN encryption to it?

Also, how much bandwidth is required for communication with the KS, and could the link handle it if rekeying occurred during congestion?

Thanks for the help in advance

Cisco Employee

Re: GET VPN with limited bandwidth


In general, tunnel mode encryption adds about 60-70 bytes overhead depending on the encryption transform used. The rekey messages are large, and the size depends on the actual encryption policy defined on the KS. For a typical "permit ip any any" with a few deny entries in the crypto policy, the rekey messages can be anywhere between 1200 and 1400 bytes. The GETVPN rekey does offer a retransmission mechanism for both unicast and multicast rekey so that if one rekey message is lost, the KM will retransmit the rekeys. In the event that all rekeys are lost, the GM would then have to re-register with the KS after TEK expiry. I hope this helps.



Community Member

Re: GET VPN with limited bandwidth

Hi Wen,

Thanks for your reply. We will study this issue more in order to decide if GETVPN can be implemented.

On the other hand, I want to ask about the ACL used in GET VPN to determine the traffic encrypted.

We have around 300 branches, and they are all in the subnet including the DC at HO. We will migrate one by one over a period of time, so I am thinking of doing a specific permit for each branch's traffic while denying the others, until we reach a point where all the 300 are migrated; then we can do a permit any any while denying some protocols.

I am afraid that this long access list will affect the network's performance at times of rekeying. Is there any other solution to control the traffic to be encrypted?


- amro
