I've been running with GETVPN for a few months now and all seems to be good. I am running into one annoyance, however...
If my branch's WAN connection goes down, I use a Verizon 4G connection to create an IPSEC tunnel back to my datacenter. The problem I'm seeing is that when the WAN comes back up, EIGRP establishes (because I have it excluded in the fail-close), and then the branch goes down for a while during the time between GDOI registrations to the key servers. This is because the route across the WAN is preferred over the route from the VPN (EIGRP vs. EIGRP EX).
The question I have for others using GETVPN: Do you typically require EIGRP to be encrypted? Is there a way I can get around this issue? Can I lower a timer somewhere to make GDOI re-register at a shorter interval?
I haven't been able to get the branch router to register to the KS via the VPN. I have it explicitly allowed in my crypto ACLs, NAT excluded, and it has access to the KS via the VPN, but it will not register. Is there a way to get it to register across the VPN?
How have others handled this situation? Thanks!
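For readers who have not seen the setup described above, here is an illustrative group-member configuration of the kind the post refers to: GETVPN with fail-close enabled and EIGRP (plus the GDOI registration traffic itself) excluded from fail-close so the adjacency can form before the router has registered. This is an added example, not the poster's configuration; the group name, identity number, key server addresses, ACL name, interface and IP addresses are all assumptions.

```cisco
! Added illustration, not the poster's config. All names and addresses are assumptions.
! Group member side of GETVPN with fail-close.
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 10.1.1.10
 server address ipv4 10.1.1.11
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
!
! Fail-close ACL: until the GM has registered and holds a TEK, only traffic
! matching a deny line is forwarded in cleartext; traffic matching permit is dropped.
! GDOI registration (UDP 848) must be excluded or the GM can never register;
! EIGRP is excluded here so the adjacency comes up before registration.
ip access-list extended FAIL-CLOSE-ACL
 deny   udp any eq 848 any eq 848
 deny   eigrp any any
 permit ip any any
!
crypto map GETVPN-MAP gdoi fail-close
 match address FAIL-CLOSE-ACL
 activate
!
interface GigabitEthernet0/0
 description WAN
 ip address 192.0.2.2 255.255.255.252
 crypto map GETVPN-MAP
```

With this arrangement the sequence in the post follows directly: once the WAN interface returns, the EIGRP adjacency across it forms in cleartext, the internal EIGRP route wins over the external (EIGRP EX) route learned through the backup tunnel, and any user traffic now matched by the `permit ip any any` line is dropped by fail-close until the group member has completed its next registration.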