09-24-2012 02:47 AM - edited 02-21-2020 06:21 PM
Hi all,
Does anyone have a good doc on how GETVPN works?
How does GETVPN differ from IPSec?
09-24-2012 03:57 AM
Duplicate post: https://supportforums.cisco.com/thread/2172803?tstart=0
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-24-2012 06:59 AM
Hi all,
I have 2 more doubts
1. Group Encrypted Transport VPN encrypts the packet using which protocol, IPSec?
Once GMs join the group, will communication between GMs be encrypted using IPSec or some other protocol?
2. Is GETVPN supported on non-Cisco devices?
If the GMs are Cisco, Juniper and other vendors' devices, will it work?
09-24-2012 07:33 AM
Hi Sankar,
1- Using IPsec.
2- Group VPN Interoperability with Cisco’s GET VPN
"Cisco GET VPN members and Juniper Group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server, Juniper Networks security devices are group members."
* At least with JUNOS software (Juniper devices).
If you do not have any further questions please mark this post as answered.
Thanks.
Portu.
Please rate helpful answers.
09-24-2012 07:51 PM
Hi Portu,
Thanks for your comments.
I understood that the KS should be Cisco and the GM can be Cisco or Juniper. But what about other vendors' devices? Will it be the same for other vendors also?
09-24-2012 09:09 PM
Hi Sankar,
For that, my friend, I would suggest checking with each specific vendor, since we do not handle that kind of information.
Thanks.
Portu.
09-24-2012 09:19 PM
Hi Portu,
OK, thanks, I will do that. My question is whether Cisco GET VPN has any proprietary protocol. I think COOP is proprietary. Is there anything else that is proprietary?
Rgds,
Sankar V
09-24-2012 09:24 PM
Thanks for your understanding.
The GDOI implementation in Cisco and JUNOS Software is based on RFC 3547, that is why they can work in conjunction.
So, as long as other vendors follow this RFC, I think they should work fine.
Let me know.
Please rate any post you find helpful.
Message was edited by: Javier Portuguez
09-24-2012 09:29 PM
Hi Portu,
Thanks for your valuable comment.
Rgds,
Sankar V
09-24-2012 09:29 PM
It was very nice working with you, Sankar.
Have a good one!
09-26-2012 04:00 AM
Hi Portu,
Currently, our DC and DR are connected to multiple branches using WAN MPLS links through multiple ISPs. All are connected with IPSec tunnel VPNs.
I am planning to migrate to a tunnel-less VPN implementation for our multi-branch office to DC and DR network.
I found GETVPN to be a good solution, but a few doubts are still not clear:
1. Currently, each branch has a unique KEY for the IPSec handshake. But in GETVPN all branches have the same KEY, right? Is there any way to achieve a unique KEY for each branch office?
2. Currently, since it is IPSec VPN, our LAN IP pool is not advertised to the ISPs. In GETVPN is it required to share the LAN IP pool with the ISP, right?
Rgds,
Sankar V
09-27-2012 11:28 AM
Hi Sankar,
1. Currently, each branch has a unique KEY for the IPSec handshake. But in GETVPN all branches have the same KEY, right? Is there any way to achieve a unique KEY for each branch office?
No, if you use an IKE pre-shared key, it must match on each KS (if more than one exists) and on each GM. To improve the security level, you may want to consider certificate authentication instead.
2. Currently, since it is IPSec VPN, our LAN IP pool is not advertised to the ISPs. In GETVPN is it required to share the LAN IP pool with the ISP, right?
This is intended for private networks like MPLS, since GET VPN involves IP Preservation, where the original IP header is not replaced with the VPN endpoints' IP.
Yes, in the case of MPLS, the cloud must be aware of your LAN networks.
"IP Address Preservation enables encrypted packets to carry the original source and destination IP addresses in the outer IP header rather than replacing them with tunnel endpoint addresses. This technique is known as IPSec Tunnel Mode with Address Preservation. Some of the IP header parameters are also preserved. Many network features like routing, basic firewall, QoS, traffic management etc. work based on the information contained in the IP header. Since the IP header is preserved, all the network features will work as before. This eliminates a lot of issues associated with deploying point-to-point encryption in a core network."
*************
Please read these docs, which are awesome and will answer even more questions:
Cisco IOS GETVPN Solution Deployment Guide
Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide
Tunnel-less VPN with Cisco Group Encrypted Transport (GET)
Hope this helps.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
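As an added illustration of the two answers above (the shared IKE credential on every KS and GM, and the preserved LAN addresses that the MPLS cloud must route), here is a minimal Cisco IOS GET VPN key server and group member configuration. This is example configuration written for this thread, not taken from the Cisco guides linked above; the addresses, the trustpoint and group names, the group identity number and the ACL prefixes are all constructed placeholders, and the certificate enrollment URL is assumed.

```cisco
! Added example configuration, not from the thread or the Cisco guides.
! All addresses, names and the group identity number are constructed.
!
! ===== Key server (KS), reachable at 10.0.0.1 =====
! IKE authentication for GDOI registration. "authentication pre-share"
! would need one key that matches on every KS and every GM; rsa-sig uses
! a per-device certificate from a PKI trustpoint instead (assumed CA URL).
crypto pki trustpoint GETVPN-CA
 enrollment url http://10.0.0.10:80
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Tunnel mode is kept, but GET VPN preserves the original source and
! destination addresses in the outer IP header (IP address preservation).
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
!
! Exec-mode command (not config): RSA key pair the KS uses to sign rekey
! messages, so GMs can verify that rekeys really come from the KS.
! crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-ACL
   replay counter window-size 64
  address ipv4 10.0.0.1
!
! Traffic selector pushed to every GM: the group's LAN prefixes (constructed).
! GDOI control traffic (UDP 848) is excluded so registration is never
! encrypted with the group key. Because the outer header keeps these LAN
! addresses, the MPLS provider must carry routes for 192.168.0.0/16.
ip access-list extended GETVPN-ACL
 deny   udp any eq 848 any eq 848
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
! ===== Group member (GM), branch router =====
crypto pki trustpoint GETVPN-CA
 enrollment url http://10.0.0.10:80
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! The GM only needs the group identity and the KS address; the transform
! set, ACL and keys are downloaded from the KS at registration.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
! Applied on the WAN-facing interface toward the MPLS provider.
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map GETVPN-MAP
```

Two things to check after bringing this up: `show crypto gdoi` on a GM should list the SA, the ACL entries and the KS address it registered with, and a packet capture on the MPLS side should show ESP packets whose outer source and destination are still the branch and DC LAN addresses, which is exactly why those prefixes have to be routable in the provider cloud.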