Hi Dean,
It is only possible to use GETVPN on the Internet if all sites are using publicly assigned IP addresses and not RFC 1918 (private address range) addressing. The reason is that GETVPN only encrypts the payload of the IP packet, and not the original source and destination address.
Private IPs therefore cannot be used, as those IP addresses are dropped at the edge by most ISPs, and at the very least at the carrier level (RFC 2827 ingress and egress filtering).
So yes, you can set up a GETVPN session, but only traffic from public IP addresses is possible; no traffic is possible (not even without encryption) with private IP addresses.
Pieter-Jan
On 8 Sep 2009, at 20:19, Dean Armada wrote:
From my understanding, if we use the Internet as a transport for GETVPN:
- The GM will get a GDOI_REKEY/GDOI_IDLE and will be able to download the ACL from the KS, right?
- But there will be no traffic encryption from GM to other GMs (private IP used)
- Traffic encryption from GM to other GMs if public IP is used
I might be wrong or may be lacking something. Please post any additional information. Thanks
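To illustrate the point Pieter-Jan makes above (this is an added example, not code from the thread or from Cisco): with GETVPN's header preservation the outer IP header is a copy of the original one, so an RFC 1918 source address is exposed at the carrier edge and dropped, whereas classic IPsec tunnel mode hides the same inner packet behind the gateways' public addresses. The packet model, the edge filter and all addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges (the addressing the thread says cannot cross the Internet).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model: outer header addresses plus an opaque payload."""
    src: str
    dst: str
    payload: bytes


def is_private(addr: str) -> bool:
    """True if addr falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def getvpn_encapsulate(inner: Packet) -> Packet:
    """GETVPN header preservation: the payload is encrypted (a marker stands in
    for real ESP here) but the outer src/dst are copied from the original."""
    return Packet(inner.src, inner.dst, b"ESP-ENCRYPTED:" + inner.payload)


def ipsec_tunnel_encapsulate(inner: Packet, local_gw: str, remote_gw: str) -> Packet:
    """Classic IPsec tunnel mode: the entire inner packet, header included,
    travels inside a new packet addressed between the two gateways."""
    inner_bytes = f"{inner.src}>{inner.dst}|".encode() + inner.payload
    return Packet(local_gw, remote_gw, b"ESP-ENCRYPTED:" + inner_bytes)


def internet_edge(pkt: Packet) -> str:
    """Simplified carrier edge: RFC 2827 style filtering rejects private source
    addresses, and a private destination has no route in the global table."""
    if is_private(pkt.src):
        return "dropped: private source (RFC 2827 ingress/egress filter)"
    if is_private(pkt.dst):
        return "dropped: private destination (no Internet route)"
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample: two branch LANs on RFC 1918 space behind public gateways.
    branch_pkt = Packet("10.1.1.5", "10.2.2.7", b"payroll record")
    print("GETVPN, private sites :", internet_edge(getvpn_encapsulate(branch_pkt)))
    print("IPsec tunnel, same pkt:", internet_edge(
        ipsec_tunnel_encapsulate(branch_pkt, "203.0.113.1", "198.51.100.1")))
    public_pkt = Packet("203.0.113.5", "198.51.100.7", b"payroll record")
    print("GETVPN, public sites  :", internet_edge(getvpn_encapsulate(public_pkt)))
```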
It was designed for internal encryption, i.e. between branches of a financial institution, government entities, or other companies handling hypersensitive information. It is very well designed for this purpose.
Regards,
Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc. Telephone: +1.810.326.1444 Cell: +1.248.504.7309 Fax: +1.810.454.0130 Mailto: [email protected]
GETVPN is an IPSec feature which adds the IP source/destination address from the payload which was encrypted. It is equivalent to IPSec transport mode. Due to this feature, GETVPN can be used on private networks like MPLS but not on the Internet. Does anyone know why GETVPN was implemented this way, where it uses the original IP source/destination address and thereby can't be used on the Internet?
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com