5337 Views · 8 Helpful · 11 Replies

What is GETVPN?

sankarccie, Level 1

Hi all,

Does anyone have a good doc on how GETVPN works?

How does GETVPN differ from IPSec?

11 Replies

Duplicate post: https://supportforums.cisco.com/thread/2172803?tstart=0

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi all,

I have 2 more doubts:

1. Group Encrypted Transport VPN encrypts the packet using which protocol, IPSec?

       Once GMs join the group, will communication between GMs be encrypted using IPSec or some other protocol?

2. Is GETVPN supported on non-Cisco devices?

       If the GMs are Cisco, Juniper and other devices, will it work?

Hi Sankar,

1- Using IPsec.

2- Group VPN Interoperability with Cisco’s GET VPN

"Cisco GET VPN members and Juniper Group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server; Juniper Networks security devices are group members."

* At least with JUNOS software (Juniper devices).

If you do not have any further questions please mark this post as answered.

Thanks.

Portu.

Please rate helpful answers.

Hi Portu,

Thanks for your comments.

I understood that the KS should be Cisco and the GMs can be Cisco or Juniper. But what about other vendors' devices? Will it be the same for other vendors also?

Hi Sankar,

For that, my friend, I would suggest checking with each specific vendor, since we do not handle that kind of information.

Thanks.

Portu.

Hi Portu,

OK thanks, I'll do that. My question is: does Cisco GET VPN have any proprietary protocol? I hope COOP is proprietary. Is there anything else that is proprietary?

Rgds,

Sankar V

Thanks for your understanding.

The GDOI implementation in Cisco and JUNOS Software is based on RFC 3547, that is why they can work in conjunction.

So, as long as other vendors follow this RFC, I think they should work fine.

Let me know.

Please rate any post you find helpful.

Message was edited by: Javier Portuguez

Hi Portu,

Thanks for your valuable comment.

Rgds,

Sankar V

It was very nice working with you Sankar

Have a good one!

Hi Portu,

Currently, our DC and DR are connected to multiple branches using WAN MPLS links through multiple ISPs. All are connected with IPSec tunnel VPNs.

I am planning to migrate to a tunnel-less VPN implementation for our multi-branch office to DC and DR network.

I found GETVPN to be a good solution, but a few doubts are still not clear:

1. Currently, each branch has a unique KEY for the IPSec handshake. But in GETVPN all branches have the same KEY, right? Is there any way to achieve a unique KEY for each branch office?

2. Currently, since it is IPSec VPN, our LAN IP pool is not advertised to the ISPs. In GETVPN it is required to share the LAN IP pool with the ISP, right?

Rgds,

Sankar V

Hi Sankar,

1. Currently, each branch has a unique KEY for the IPSec handshake. But in GETVPN all branches have the same KEY, right? Is there any way to achieve a unique KEY for each branch office?

No, if you use an IKE pre-shared key, it must match on each KS (if more than one exists) and on each GM. To improve the security level, you may want to consider certificate authentication instead.

2. Currently, since it is IPSec VPN, our LAN IP pool is not advertised to the ISPs. In GETVPN it is required to share the LAN IP pool with the ISP, right?

This is intended for private networks like MPLS, since GET VPN involves IP Preservation, where the original IP header is not replaced with the VPN endpoints' IP.

Yes, in the case of MPLS, the cloud must be aware of your LAN networks.

"IP Address Preservation enables encrypted packets to carry the original source and destination IP addresses in the outer IP header rather than replacing them with tunnel endpoint addresses. This technique is known as IPSec Tunnel Mode with Address Preservation. Some of the IP header parameters are also preserved. Many network features like routing, basic firewall, QoS, traffic management etc. work based on the information contained in the IP header. Since the IP header is preserved, all the network features will work as before. This eliminates a lot of issues associated with deploying point-to-point encryption in a core network."

*************

Please read these docs, which are awesome and will answer even more questions:

Cisco IOS GETVPN Solution Deployment Guide

Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide

Tunnel-less VPN with Cisco Group Encrypted Transport (GET)

Hope to help.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez
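The following is an added, constructed Cisco IOS configuration skeleton, not code from this thread or from Cisco's deployment guides. It ties together the two points discussed above: the earlier answer that GETVPN rides on IPsec with a GDOI (RFC 3547) key server, and the later answer that an IKE pre-shared key must be identical on every KS and GM, with certificate authentication as the way to give each branch its own credential. All names, addresses, the group identity number, the CA URL and the ACL prefixes are placeholders chosen for the example; the transform set, rekey and replay settings are one reasonable choice, not values from the page.

```cisco
! ===== Key server (KS) -- constructed address 10.0.0.1 =====
!
! Option A: IKE pre-shared key. A single wildcard key that every KS and every
! GM must carry. This is the "same KEY on all branches" the question asks about:
! one leaked branch router exposes the credential for the whole group.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-GROUP-PSK address 0.0.0.0 0.0.0.0
!
! Option B (the reply's recommendation): certificate authentication. Each KS
! and each GM enrolls for its own certificate, so no secret is shared across
! branches and a compromised branch can be revoked individually. Configure
! only one of the two policies; the policy number is just a priority.
! Trustpoint name, CA URL and subject names are placeholders.
crypto pki trustpoint GETVPN-CA
 enrollment url http://ca.example.test:80
 subject-name CN=ks1.example.test
 revocation-check none
 rsakeypair GETVPN-CA-KEYS
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! IPsec SA the KS distributes to all GMs. Tunnel mode with address
! preservation keeps the original LAN source/destination in the outer header,
! which is why the MPLS cloud must already route the LAN prefixes.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic the GMs encrypt: LAN-to-LAN between branches, DC and DR
! (constructed 10.0.0.0/8). GDOI itself (UDP 848) is left in the clear so
! registration and rekey are not caught by the group policy.
ip access-list extended GETVPN-ENCRYPT
 deny udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! The KS signs rekey messages with an RSA pair generated beforehand in exec
! mode, e.g.: crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
! GMs learn the public half at registration and verify every rekey with it.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT
   replay time window-size 5
  address ipv4 10.0.0.1
!
! ===== Group member (GM) -- one per branch, certificate variant =====
crypto pki trustpoint GETVPN-CA
 enrollment url http://ca.example.test:80
 subject-name CN=branch1.example.test
 revocation-check none
 rsakeypair GETVPN-CA-KEYS
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
! The GM registers with the KS over GDOI and receives the group key, the
! transform set and the encrypt ACL; it configures none of those locally.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/0
 description WAN toward MPLS provider
 crypto map GETVPN-MAP
```

Once applied, `show crypto gdoi` on a GM shows whether registration with the KS succeeded and which group SAs were received, and `show crypto isakmp sa` shows whether the IKE authentication used was pre-share or rsa-sig. The per-branch property comes entirely from Option B: the group traffic key is still shared by design (that is what makes the mesh tunnel-less), but the credential each branch presents to obtain it is its own certificate rather than a group-wide secret.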