352-001 · Question #201
Which restriction prevents a designer from using a GDOI-based VPN to secure traffic that traverses the Internet?
The correct answer is C. Network address translation functions interfere with tunnel header preservation.. GDOI-based GET VPN preserves the original IP header during encryption, which is fundamentally incompatible with NAT because NAT must rewrite the very IP addresses that are cryptographically protected by IPsec.
Question
Which restriction prevents a designer from using a GDOI-based VPN to secure traffic that traverses the Internet?
Options
- AEnterprise host IP addresses are typically not routable.
- BGDOI is less secure than traditional IPsec.
- CNetwork address translation functions interfere with tunnel header preservation.
- DThe use of public addresses is not supported with GDOI.
How the community answered
(51 responses)- A6% (3)
- B12% (6)
- C80% (41)
- D2% (1)
Why each option
GDOI-based GET VPN preserves the original IP header during encryption, which is fundamentally incompatible with NAT because NAT must rewrite the very IP addresses that are cryptographically protected by IPsec.
Non-routable enterprise IP addresses are a general Internet routing issue that affects all VPN types equally and is not a restriction specific to GDOI or GET VPN.
GDOI and GET VPN are not less secure than traditional IPsec; they provide equivalent encryption with the added benefit of scalable group key management via a key server.
GET VPN uses tunnel-header preservation, meaning the original source and destination IP addresses remain in the outer IP header after encryption rather than being replaced by tunnel endpoint addresses. NAT devices in the Internet path attempt to rewrite those outer IP addresses, but because those addresses fall within the IPsec-protected scope, the modification breaks IPsec integrity verification and causes packet drops. This incompatibility restricts GET VPN to private MPLS or non-NAT environments where the original IP addressing is preserved end to end.
GDOI does not prohibit the use of public IP addresses; the actual restriction is NAT incompatibility caused by tunnel header preservation, not any limitation on address type.
Concept tested: GET VPN GDOI NAT incompatibility with header preservation
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16/sec-conn-getvpn-xe-16-book/sec-conn-getvpn.html
Topics
Community Discussion
No community discussion yet for this question.