Get VPN over IPSec

awoog · ‎02-14-2011

Is it possible to run GetVPN over IPSec tunnels or are there some limitations e.g if Get-VPN uses multicast ?

Jennifer Halim · ‎02-14-2011

Not quite sure why you are trying to run GetVPN over IPSec as GetVPN is actually already leveraging the IPSec protocol, and Get VPN actually involve a number of devices (KS (Key Server) and GM (Group Member)).

So if you are actually trying to pass multicast traffic through IPSec tunnel, the best is to run GRE over IPSec.

Here is more information on GetVPN if you are interested to just run GetVPN in your network:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

awoog · ‎02-14-2011

My provider provides me an Internet backup connection IPSec protected but not end to end. I need an end to end encryption any to any, thus using Get VPN is a good solution. However I need to make it run over the IPSec of the provider. Hence my question. I don't know what are the pitfalls. I just gave an example of what I could think of. For instance, if Get VPN uses multicast (which I am not sure of, is it the case ?), then it could be a problem with the IPSec.

Jennifer Halim · ‎02-14-2011

Never tried to run GetVPN over IPSec, so I don't even know whether it would work.

But GetVPN has the option to use multicast for rekey transport mechanism, however, you can also use unicast for rekey.

But as far as the protocol to encrypt the data, it's IPSec as well, so I am not sure if you can run IPSec over IPSec.

It is also not recommended to run GetVPN over the Internet.

The document that I provided earlier will give you a good overview of GetVPN solution.