GETVPN Questions

jonesl1
Level 1

I am in the process of trying to implement GETVPN in order to encrypt all sensitive data across the telco provider network. Just to give you a little background, we have approximately 500 1921 routers located at remote agencies. We also have a headend device here that will act as the Key Server for all the GMs at the remote agencies. The router at the central/headquarters site will obviously be something a lot larger to function as the Key Server.

Some of the remote agencies use an IP subnet we assign from our network and others use their own subnet so they can interact with their local network as well. For those that use their own private schemes, we do either a static NAT or a PAT in the remote router in order to allow their workstations access to appropriate applications. We were told that GETVPN would NOT work if we were PAT'ing addresses. Is this a true statement? I'm a little confused by this statement as the order of operations happens AFTER NAT on outbound traffic and BEFORE NAT on inbound traffic.

So I guess in short I'm just asking: does NAT/PAT make a difference? If it works today without GETVPN, shouldn't it work with?

If someone could enlighten me a little bit, I'd appreciate it.

In addition, since we have about 500 remote users, how does GETVPN work during implementation? So let's say we apply the config to the headquarters side and just one of the remotes, does this cause ALL the other remotes to go down because they haven't been set up yet, or can we slowly config each remote router over time?

Thanks in advance,

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Disclaimer: This is around a year old knowledge, feel free to fact check me.

You are correct on the count on NAT and GETVPN on the same device. It will work (with obvious due diligence).

What will not work is when a GETVPN device is behind a NATing device.

For your second question, have a look at the GETVPN DIG:

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

Particularly, passive SA and receive-only SA is something that could be of interest.

FYI, config guide:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-mt/sec-get-vpn-15-mt-book/sec-get-vpn.html

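As an added illustration of the phased rollout the answer points to (example config written for this page, not taken from the thread or from Cisco's guide): the key server is placed in receive-only SA mode, so the agencies that have already been converted install inbound SAs and still accept cleartext from the agencies that have not. Group name, identity number, key labels, ACL, interface and the 192.0.2.1 / 10.0.0.0/8 addresses are all assumed placeholders.

```cisco
! Added example, not from the thread. Key server in receive-only SA mode so
! migrated GMs keep talking to unmigrated agencies. All values are placeholders.
!
! --- Key server (headend) ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Wildcard PSK only to keep the illustration short; use per-peer keys or certificates.
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic to be encrypted: agency subnets to agency subnets (placeholder range).
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group AGENCY-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   replay counter window-size 64
  ! Receive-only: GMs install inbound SAs only and keep sending cleartext,
  ! so agencies converted early and those not yet converted still interoperate.
  sa receive-only
  address ipv4 192.0.2.1
!
! --- Group member (one remote 1921; repeated per agency as each is migrated) ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
crypto gdoi group AGENCY-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
!
crypto map GETVPN-MAP 10 gdoi
 set group AGENCY-GROUP
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

Once every remote has registered, removing `sa receive-only` on the key server moves the group to full encryption; `show crypto gdoi` on the KS and on a GM shows the current SA state and which members have registered.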

2 Replies


Thank you for confirming what I thought.  
