Correct Answer: B,D
Explanation/Reference:
Section: Enterprise Network Design
Explanation:
Group Encrypted Transport (GET) virtual private network (VPN) supports neither static nor dynamic Network Address Translation (NAT). GET VPN is a Cisco-proprietary technology that provides tunnel-less, end-to-end security for both unicast and multicast traffic. GET VPN uses IP Security (IPSec) tunnel mode with address preservation to preserve the inner IP header of each encrypted packet; the IP source address and various IP header fields are unaffected by the encryption process. Because NAT changes information in the IP header, such as the IP source address, NAT is not supported by GET VPN and must be performed either before a packet is encrypted or after a packet is decrypted. Cisco recommends GET VPN for environments needing highly scalable, any-to-any encrypted connectivity for unicast and multicast traffic, such as a large financial network using a Multiprotocol Label Switching (MPLS) WAN.
In a GET VPN, trusted group member routers receive security policy and authentication keys from a central key server. Although group member routers obtain keying information from a central key server, the key server is not involved in the flow of traffic, as a hub would be in a hub-and-spoke design. Instead, group member routers can use the keying information from the key server to dynamically form direct connections with one another for data transmission. This enables group member routers to form security associations with sufficient speed to minimize transmission delay and to support the Quality of Service (QoS) levels necessary for voice traffic.
Reference:
CCDA 200-310 Official Cert Guide, Chapter 7, GETVPN, pp. 258-259
Cisco: Cisco Group Encrypted Transport VPN