Monday, August 17, 2009

GET VPN - Implementation Issues

Cisco's implementation of GETVPN uses "header preservation" - the header of the IP Packet is preserved and the payload is encrypted. As a result, GETVPN is not suitable for IPSEC VPN across the internet (except the inside network uses public ip addresses). A workaround is to use GRE tunnels.
Besides this obvious caveat, there are some more subtle security issues with GETVPN. Jan Bervar highlights some of these issues in Fragments.

That said, IMHO, GETVPN is still a nice implementation of VPNs.

No comments:

Post a Comment