Is Anyone Using GETVPN?

I’m starting to research replacements for DMVPN. If there is one. And GETVPN has really piqued my interest.

  1. Am I correct in understanding that it only uses IKE for KS and GM communication? And then establishes the IPsec tunnel. So essentially it only has the phase two portion of the VPN after initial setup?

  2. Because of the preservation of the original IP header, does the underlying transport have to know or learn the networks being encrypted?

  3. If you did implement GETVPN, did you see a performance improvement on bandwidth, application traffic, file transfers etc…

Don’t use GETVPN. It’s an interesting idea and once you get it working, it can run smooth for a long time without issue. However, it is difficult by nature to troubleshoot, and upgrading IOS is excruciating. Level 3 TAC intimated to me that while it is supported still, it will go the way of the Dodo.

I used to run a GETVPN network. I also upgraded it.

I have never deployed GETVPN either. Tons of DMVPN though

I’m looking at GETVPN for encrypting our private WAN links (Metro-E) between datacenters. What is everyone using then?

Old post, but it seems like GETVPN is for tunneling across MPLS where DMVPN is more for Internet, since GETVPN doesn’t support NAT.

None of my many customers use it. Probably for good reason

You’re saying Cisco TAC is intimidated by it?

I would assume if you don’t need dynamic spoke to spoke routing you could easily use FlexVPN. I don’t think FlexVPN has dynamic tunnel creation capabilities. But it doesn’t have the complexities of DMVPN either. Or the overhead.
And I’ve used FlexVPN, and it’s quite nice.

Edit: I stand corrected. FlexVPN can provide dynamic spoke to spoke with NHRP.
Here is an article comparing DMVPN to FLEX: Cisco FlexVPN DMVPN, Part 1 - Overview and Design

And here is a video on FlexVPN and Dynamic tunnels: https://www.youtube.com/watch?v=rRamefIdMx8

They intimated = they implied without saying directly. GETVPN is a Cisco product, some TAC are more open than others. The engineer was trying to tell me that DMVPN was better.

Correct - No dynamic spoke to spoke needed. Only looking for something to encrypt the WAN links between data centers and one branch for auditing purposes. Using BGP at the moment between all three.

I get that feeling. At Cisco Live they push it. But I really don’t know anybody that uses it. It seems like they’re trying to find a replacement for DMVPN. With the likes of Flex and GET. But DMVPN is so well established.
Can I ask, if you ran it how many key servers did you have and how many group members?

2 KS, 70 GMs. It ran great. Basically no issues until due to critical bugs I was forced to upgrade a router. But, there are interoperability issues between versions, and it turned out KSs had been running for years without reboot (i.e. upgrade). Their version was so old it didn’t have a GETVPN version listed (pre-versioning). Even if you didn’t have stuff so old, it’s very tricky. You need to get all devices working on the same major release (of GETVPN, not IOS). This needs to be done in between your rekey timers, otherwise GETVPN will drop. The danger here is of course geographical distance, you can cut your hand off and all of your GMs are far away from each other. Then there are bugs. I won’t describe the one I encountered here, but they tend to be pretty involved. Again, troubleshooting is hard. It’s usually not obvious what is going wrong.

I really can’t stress enough what kind of trouble you get yourself into long term. DMVPN is the winner. Consider whether you really need all of your spokes talking to each other. Most traffic probably needs to go through your hub anyway.

I’m just thinking of overhead. Is there an alternative to running IPsec and GREs with DMVPN? I’ve run into M issues with GREs even with path MTU discovery enabled.
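To make the header-preservation question (point 2 above) and the overhead/MTU concern in the last post concrete, here is an added model, not code from the thread or from Cisco, of what the transit network sees and how many bytes each encapsulation adds. It assumes AES-CBC with HMAC-SHA1-96 for the ESP sizes, a 4-byte GRE header without tunnel key, and the IP addresses are constructed sample values.

```python
# Added example (not from the thread): models the on-the-wire encapsulation of a
# DMVPN packet (GRE inside ESP transport mode) versus a GETVPN packet (ESP tunnel
# mode with header preservation). Assumed sizes: IPv4 header 20, ESP header 8,
# AES-CBC 16-byte IV and block, HMAC-SHA1-96 12-byte ICV, GRE header 4 (no key).
ESP_HDR, IV, ICV, BLOCK, IPV4_HDR, GRE_HDR = 8, 16, 12, 16, 20, 4
ESP_TRAILER = 2  # pad-length + next-header bytes inside the encrypted part


def esp_payload_len(plaintext_len: int) -> int:
    """Plaintext + padding + trailer, rounded up to the cipher block size."""
    pad = (-(plaintext_len + ESP_TRAILER)) % BLOCK
    return plaintext_len + pad + ESP_TRAILER


def getvpn_encap(inner_src: str, inner_dst: str, inner_len: int) -> dict:
    """ESP tunnel mode with header preservation: the outer IPv4 header copies the
    inner addresses, so every transit router must already route them (which is
    why this fits a private MPLS/Metro-E WAN and breaks behind NAT)."""
    outer_len = IPV4_HDR + ESP_HDR + IV + esp_payload_len(inner_len) + ICV
    return {"outer_src": inner_src, "outer_dst": inner_dst, "len": outer_len}


def dmvpn_encap(inner_src: str, inner_dst: str, inner_len: int,
                nbma_src: str, nbma_dst: str) -> dict:
    """GRE header + inner packet, protected by ESP transport mode between the
    spoke/hub NBMA addresses; the transit network only sees NBMA addresses."""
    outer_len = IPV4_HDR + ESP_HDR + IV + esp_payload_len(GRE_HDR + inner_len) + ICV
    return {"outer_src": nbma_src, "outer_dst": nbma_dst, "len": outer_len}


def max_inner_len(encap_len, link_mtu: int = 1500) -> int:
    """Largest inner packet the encapsulation carries without fragmenting on a
    link of link_mtu bytes; encap_len maps an inner length to the outer length."""
    for inner in range(link_mtu, 0, -1):
        if encap_len(inner) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


if __name__ == "__main__":
    # Constructed sample addresses: inner hosts and spoke/hub NBMA endpoints.
    g = getvpn_encap("10.1.0.10", "10.2.0.20", 1400)
    d = dmvpn_encap("10.1.0.10", "10.2.0.20", 1400, "203.0.113.5", "198.51.100.9")
    print("GETVPN on the wire:", g)  # transit routes on 10.1.0.10 -> 10.2.0.20
    print("DMVPN on the wire: ", d)  # transit routes on 203.0.113.5 -> 198.51.100.9
    print("max inner, GETVPN:", max_inner_len(lambda n: getvpn_encap("a", "b", n)["len"]))
    print("max inner, DMVPN: ", max_inner_len(lambda n: dmvpn_encap("a", "b", n, "c", "d")["len"]))
```

The largest unfragmented inner packet comes out a little above 1400 bytes for both, which is why the usual conservative tunnel settings (ip mtu 1400 with a matching TCP MSS clamp) avoid the GRE fragmentation problems mentioned above.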