Your scheme is not very clear, but you may notice that in typical implementations GETVPN is handled by the client (on CE routers) and MPLS by the provider (on the PE router), and that the router used as a KS can't send traffic to other GMs, so it should be a separate router, which can be on a separate connection to the provider backbone or behind a GM.
1- GET VPN, like other VPNs, makes the SA only when interesting traffic is triggered (traffic in the ACL that is pushed by the KS). If you actually have interesting traffic, I suggest running debug crypto isakmp/gdoi to see what's happening.
2- Maybe a routing or filtering issue, check your routing table.
3- Normally not, but there may be a workaround for this.