Group Encrypted Transport VPN (GETVPN)

Hello Mohanad

This feature is being implemented within a lab environment, so the address space that is being used is private. It could easily use a public address space such as if you like, the results in the lab will be the same.

In order to apply this to a real world environment, you can simply replace the network in the diagram that has the network with any IP address space that is provided to you by your ISP for routing over the Internet.

I hope this has been helpful!


I did the laboratory (just like the example) and according to what I observed that the GMs lose communication with the KS once GETVPN is implemented. Did I do something wrong or can something additional be done to achieve communication with the KS?
Can the KS also participate in the communication?

I have other questions:

In a DMVPN environment, could the KS be the HUB or does it have to be another device? Could you give me an example or a reference link?

Why is a transform-set created in the GM if they download the transform from the KS?

Thank you very much for the material.

Hello Christian

In order to determine what went wrong you will have to do some troubleshooting. Follow the lesson as you did, but see what error messages you get, and also check the syslogs to see events that take place, especially at the moment you lose communication. Take a look at the following documentation to help you in your troubleshooting process:

DMVPN and GETVPN are two different approaches to deploying multisite communication. They are mutually exclusive in the sense that you can deploy either one or the other. Take a look at this Cisco documentation that describes both of these technologies in detail, compares them, and also gives you principles to use in selecting which technology to use, and how to use it for particular use cases:

The KS is responsible for group registration and authentication of GMs. As stated in the lesson:

When a GM tries to register with the KS, the KS checks a group ID and IKE credentials. When this checks out, the KS sends the following items to the GM:

  • The security policy that we use for the group.
  • Two keys:
    • KEK (Key Encryption Key): this is used to encrypt rekey messages. GMs use this key to decrypt rekey messages from the KS.
    • TEK (Traffic Encryption Key): this becomes the IPSec SA that all GMs use to encrypt traffic between each other.

The transform set is not downloaded from the KS, so it must be configured as shown in the lesson.

I hope this has been helpful!