GETVPN in 20 seconds

One of the VPN technologies discussed in the Choose the Optimal VPN Service webinar (click here to register for the next session) is GETVPN, which is introduced with this slide:

To understand GETVPN and where it fits, you have to know that it’s a large-scale, almost-transport-mode IPSec implementation with shared keys, group SAs (so that multicast replication in the SP network keeps working) and centralized policy and key management (which is the true value-add GETVPN brings).

GETVPN actually uses IPSec tunnel mode, but reuses the original IP header as the IP header of the tunnel packet. Tunnel mode is used to avoid any interference with fragmentation/reassembly.

You cannot use GETVPN to transport data sent between hosts with private IP addresses across public IP infrastructure (for example, the Internet); the existing IP infrastructure of your network should provide end-to-end routing. GETVPN is thus best used to encrypt sensitive data travelling across private IP infrastructure (for example, data exchanged between MPLS/VPN sites or data sent across a VPLS cloud).
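The header-preservation behaviour described above is easiest to see in a packet builder. The following is an added illustration, not code from the original post or from any GETVPN implementation: it builds a small IPv4 packet between two RFC 1918 hosts, encapsulates it the GETVPN way (outer header copied from the inner header, protocol set to ESP) and the classic tunnel-mode way (outer header carrying the tunnel endpoints), then checks whether the outer header could be forwarded across the public Internet. The ESP body is simplified to SPI + sequence number + cleartext inner packet, with no encryption or trailer, because the point is the header, not the cipher; the addresses are constructed sample values.

```python
"""GETVPN-style header preservation vs. classic IPsec tunnel mode (added illustration)."""
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number of ESP
UDP_PROTO = 17
IPV4_HDR_FMT = "!BBHHHBBH4s4s"
IPV4_HDR_LEN = 20
ESP_HDR_LEN = 8         # simplified ESP header: SPI (4) + sequence number (4)

# RFC 1918 private ranges: the addresses the post says cannot be carried across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    raw = struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse and checksum-verify the first 20 bytes of an IPv4 packet."""
    if len(pkt) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack(IPV4_HDR_FMT, pkt[:IPV4_HDR_LEN])
    if f[0] >> 4 != 4:
        raise ValueError("not IPv4")
    if ipv4_checksum(pkt[:IPV4_HDR_LEN]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"total_len": f[2], "ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9]))}


def esp_body(inner_pkt: bytes, spi: int, seq: int) -> bytes:
    """Simplified ESP: SPI + sequence number + (unencrypted) inner packet."""
    return struct.pack("!II", spi, seq) + inner_pkt


def getvpn_encapsulate(inner_pkt: bytes, spi: int, seq: int) -> bytes:
    """GETVPN header preservation: outer src/dst are copied from the inner header."""
    inner = parse_ipv4_header(inner_pkt)
    body = esp_body(inner_pkt, spi, seq)
    outer = build_ipv4_header(inner["src"], inner["dst"], ESP_PROTO,
                              IPV4_HDR_LEN + len(body), ttl=inner["ttl"])
    return outer + body


def tunnel_mode_encapsulate(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str,
                            spi: int, seq: int) -> bytes:
    """Classic IPsec tunnel mode: outer header carries the tunnel endpoints instead."""
    body = esp_body(inner_pkt, spi, seq)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, ESP_PROTO, IPV4_HDR_LEN + len(body))
    return outer + body


def header_preserved(pkt: bytes) -> bool:
    """Receiver-side check: the outer addresses must equal the preserved inner ones."""
    outer = parse_ipv4_header(pkt)
    inner = parse_ipv4_header(pkt[IPV4_HDR_LEN + ESP_HDR_LEN:])
    return (inner["src"], inner["dst"]) == (outer["src"], outer["dst"])


def getvpn_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer and ESP headers; refuse packets whose outer header was not preserved."""
    if parse_ipv4_header(pkt)["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    if not header_preserved(pkt):
        raise ValueError("outer header does not match preserved inner header")
    return pkt[IPV4_HDR_LEN + ESP_HDR_LEN:]


def forwardable_across_internet(pkt: bytes) -> bool:
    """True if neither outer address falls in RFC 1918 space (crude 'Internet can route it' test)."""
    outer = parse_ipv4_header(pkt)
    return not any(ipaddress.ip_address(outer[k]) in net for k in ("src", "dst") for net in RFC1918)


def demo() -> dict:
    # Constructed sample: a UDP packet between two RFC 1918 hosts at two MPLS/VPN sites.
    payload = bytes(8)   # a zero-filled UDP header is enough for the illustration
    inner = build_ipv4_header("10.1.1.10", "10.2.2.20", UDP_PROTO, IPV4_HDR_LEN + len(payload)) + payload
    g = getvpn_encapsulate(inner, spi=0x1000, seq=1)
    # Constructed tunnel endpoints (documentation prefixes standing in for public addresses).
    t = tunnel_mode_encapsulate(inner, "198.51.100.1", "203.0.113.1", spi=0x1000, seq=1)
    return {
        "getvpn_outer": parse_ipv4_header(g),
        "tunnel_outer": parse_ipv4_header(t),
        "getvpn_internet_ok": forwardable_across_internet(g),
        "tunnel_internet_ok": forwardable_across_internet(t),
        "tunnel_header_preserved": header_preserved(t),
        "roundtrip_ok": getvpn_decapsulate(g) == inner,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the GETVPN packet keeping 10.1.1.10 → 10.2.2.20 in its outer header (so the transit network must already route those addresses end to end), while the tunnel-mode packet is addressed between the tunnel endpoints and is forwardable regardless of what the inner addresses are.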

To learn more about GETVPN and other VPN technologies and implementations, register for the next session of the Choose the Optimal VPN Service webinar. You’ll find more GETVPN technical details and design guidelines in the Designing Site-to-Site IPsec VPNs - Part 5 IP Corner article.

4 comments:

  1. You said "You cannot use GETVPN to transport data sent between hosts with private IP addresses across public IP infrastructure (for example, the Internet)"

    But if we have a DMVPN network we can then use GETVPN, right?

  2. GETVPN as the encryption mechanism for a DMVPN-based network? Absolutely.

  3. You can use GETVPN across public infrastructure if you use LISP :-)



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.