Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

9 module online course

Start now!
back to overview

GETVPN in 20 seconds

One of the VPN technologies discussed in the Choose the Optimal VPN Service webinar (click here to register for the next session) is GETVPN, which is introduced with this slide:

To understand GETVPN and its usability, you have to know that it’s a large-scale almost-transport-mode IPSec implementation with shared keys, group SA (to make multicast replication in SP network work) and centralized policy and key management (which is the true value-add GETVPN brings).

GETVPN actually uses IPSec tunnel mode and reuses the original IP header as IP header of the tunnel packet. Tunnel mode is used to avoid any interference with fragmentation/reassembly.

You cannot use GETVPN to transport data sent between hosts with private IP addresses across public IP infrastructure (for example, the Internet); the existing IP infrastructure of your network should provide end-to-end routing. GETVPN is thus best used to encrypt sensitive data travelling across private IP infrastructure (for example, data exchanged between MPLS/VPN sites or data sent across a VPLS cloud).

To learn more about GETVPN and other VPN technologies and implementations, register for the next session of the Choose the Optimal VPN Service webinar. You’ll find more GETVPN technical details and design guidelines in the Designing Site-to-Site IPsec VPNs - Part 5 IP Corner article.

Please read our Blog Commenting Policy before writing a comment.


  1. You said "You cannot use GETVPN to transport data sent between hosts with private IP addresses across public IP infrastructure (for example, the Internet)"

    But if we have a DMVPN network we can then use GETVPN, right?

  2. GETVPN as the encryption mechanism for a DMVPN-based network? Absolutely.

  3. You can use GETVPN across public infrastructure if you use LISP :-)

  4. Can we use GET VPN technology to encrypt P to P and PE to P traffic in enterprise MPLS VPN deployment?

    1. Not directly, as the traffic is no longer IP at that point... unless of course you put it into GRE envelope first. More details here:

  5. Hi,
    Is it possible to bring GET VPN between 2 endpoints, if the remote site (branch) has private ip address? Normally should not work, but worth to ask.


    1. Don't think so (but then "never say never") - NAT in the path will most probably totally mess everything up.


Constructive courteous comments are most welcome. Anonymous trolling will be removed with prejudice.