GetVPN

Hi all,

I would like to have some clarifications about how GetVPN works. In particular, I would like to know whether the intermediate GMs participate in encrypting/decrypting the traffic, or whether they just route the traffic based on the IP header, which is copied and kept unencrypted?

Also, I would like to know if I can test GetVPN between two zones and leave communication to/from other zones unencrypted?

And finally, what happens if the KS fails?

Thank you a lot.


wpalumbo06
Level 1

Hello,

I will attempt to answer some of these for you. There are some great Cisco GetVPN guides on the Cisco site that I would highly recommend looking at before you deploy GetVPN.

1. I would like to know if the intermediate GMs participate in encrypting/decrypting the traffic or they just route the traffic based on the IP header which is copied and kept unencrypted - Not sure what you mean by 'intermediate GM', but here's how GetVPN works from a high level. The GM registers with the KS and downloads the policy from the KS; this includes the access list/crypto map info. Unlike other IPSec technologies, GetVPN will encrypt everything by default, so when you configure the GetVPN access list (on the KS), you actually define what 'NOT' to encrypt. There are plenty of configuration guides that address recommendations for this, but it's pretty common to exclude traffic that is already encrypted (SSH, HTTPS, etc.). This is totally customizable and should be configured to meet your specific security requirements. The GMs use the access list that they receive from the KS to decide what traffic to encrypt.

2. Also, I would like to know if I can test GetVPN between two zones and let communication to/from other zones unencrypted? There are a couple of ways to do this. You can either define this traffic in the access list that you create on the KS (which is sent to all GMs), or you can create local exceptions on the GMs where you want the unencrypted traffic to flow. I prefer the local exception option personally, and it's very easy to configure these.

3. And finally, what happens if the KS fails? GetVPN provides the option to configure multiple Key Servers, which I would absolutely recommend when implementing GetVPN.
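As an added illustration of the three points in the reply (this is my own sketch, not configuration from the thread or from Cisco), here is an IOS GETVPN configuration with the KS policy ACL that exempts already-encrypted traffic, a deny-only local exception on a GM that keeps one zone in the clear, and two cooperative key servers. All addresses, names, the group identity and the pre-shared key are assumed placeholders; the RSA key pair GETVPN-REKEY is assumed to already exist on the KS, and the GM's ISAKMP policy and key (identical to the KS's) are omitted.

```cisco
! --- Key server (KS), 10.0.0.1; a second KS at 10.0.0.2 is configured the same way ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! GETVPN policy ACL inverts the usual logic: deny = send in the clear,
! permit = encrypt. Exempt SSH and HTTPS (already encrypted), encrypt the rest.
ip access-list extended GETVPN-POLICY
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 deny   tcp any any eq 443
 deny   tcp any eq 443 any
 permit ip any any
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   replay time window-size 5
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 10.0.0.2
!
! --- Group member (GM) ---
! Local exception: a deny-only ACL merged ahead of the downloaded policy, so
! zone 3 (172.16.30.0/24, assumed) stays in the clear while the other zones are encrypted.
ip access-list extended LOCAL-EXCEPTIONS
 deny ip any 172.16.30.0 0.0.0.255
 deny ip 172.16.30.0 0.0.0.255 any
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
 server address ipv4 10.0.0.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
 match address LOCAL-EXCEPTIONS
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

Check the downloaded and merged policy on the GM with `show crypto gdoi gm acl` and the KS roles with `show crypto gdoi ks coop`, and confirm the exact keywords against the GETVPN guide for your IOS release.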