FlexVPN vs GetVPN: Detailed Comparison

Rashmi Bhardwaj | Blog,Config & Troubleshoot,Routing & Switching

VPNs provide secure communication between two points across a public network such as the Internet. The traffic flows between these two points passes through shared resources in a secure manner usually encrypted. There are several types of VPNs available – such as Point to Point, Mobile VPN (secure connection with a private network using a cellular network), Hub and spoke, partial mesh VPN, Get VPN etc. 

Today we look more in detail about FlexVPN and Get VPN, how they differ from each other, their advantages and use cases etc.

What is Flex VPN?

FlexVPN is Cisco implementation of IKEv2 framework which combines site to site, remote access, hub and spoke topologies and partial mesh (Spoke to spoke direct) VPNs. Flex VPN offers a simple and modular approach which extensively uses tunnel interface models along with remaining compatible to legacy VPN implementations using crypto maps. 


Components of FlexVPN

FlexVPN has two components – Server and client.

  • Server acts as VPN head end for remote access and hub-spoke VPNs and
  • Clients are IOS router based remote offices and mobile networks which provide connectivity to head office. 

FlexVPN can be spoke-to-spoke or we can have MPLS over FlexVPN.

Spoke to Spoke design enabled two clients to establish a direct crypto tunnel and Next Hop Resolution Protocol (NHRP) is used to resolve clients on the network. 

MPLS and MP-BGP is used for distribution of overlay labels for different VRFs ideally suited where the customer requires to dynamically discover overlapping networking with NHRP and encryption with IPSec.

What is Get VPN?

Get VPNs provide large scale, connectionless, tunnel free transmission protection taking advantage of existing routing infrastructure and can be used with MPLS, IP, Frame relay and ATM networks. Get VPNs makes point to point connections optional and therefore can be used to transmit voice and video with high quality and managed quality of service (QOS), routing and multicasting. Get VPNs use the concept of ‘trusted’ group members but it only works with Cisco devices. 

Components of GetVPN

The two main components of Get VPN architecture are : 

  • Key server – used to authenticate all group members, performs admission control over Get VPN domain, creates and supplies group authentication key as security association (SA) to group members. 
  • Group members – provides transmission protection to sensitive site to site (member to member) traffic. Key server distributes keys and policies across all registered and authenticated group members. All communication between key server and group members is encrypted and secured using the Internet key exchange (IKE) Group Domain of Interpretation (GDOI) protocol.

IKE GDOI supports use of two types of keys – Traffic encrypting key (TEK) and Key encrypting key (KEK).

TEK is used for protection of traffic between group members and KEK is used to protect keys during a key refresh between key servers and group members. 

Comparison Table: FlexVPN vs GetVPN

Below table summarizes the differences between the two:


Flex VPN


Supported EnvironmentsFlex VPN is more flexible as it allows to deal with Intranet as well as Internet based scenariosDesigned for use in environments which don’t have public/private addressing issue and is well suited for Secure intranet service
MethodologyFlex VPN is tunnel based and able to handle environments having dynamic tunnel setup between spokesGet VPN is tunnel less and relies on trust level shared by VPN users.
SecurityFlex VPN deploys Point to Point security associations (SA)Get VPN employs group-based security associations (SA)
Use CasesFlex VPN can be used for site-to-site VPN, remote access (RA VPN) deploymentsGet VPN is used for site to site only
Protocols SupportedFlex VPN requires IKE version 2Get VPN uses IKE version 1
IP Multicast SupportMulticast replication at hub, native multicast replication supportedMulticast replication in IP WAN network
Features●Can use over any network transport

●Support for multiple topologies like p2p, remote access, hub-spoke, dynamic mesh

●Multicast support

●Superior QoS – per tunnel or per SA

●Supports dynamic overlay routing

●Integrates with AAA

●Supports GRE and native IPSec encapsulation technologies

●Supports IPV4 and IPV6 overlay and underlay with auto detection IP transport type

●Adds encryption to MPLS or IP WANs with preserving any-to-any connectivity

●Networking features

●Offers scalable, full-time mesh for IPSec VPNs

●Enable participation of smaller routers into network

●Simplification of encryption key management along with QoS and multicast support

Download the comparison table: FlexVPN vs GetVPN

Continue Reading:

GETVPN vs DMVPN: Understand the difference

Introduction to GETVPN: Group Encrypted Transport VPN


Leave a Comment

Your email address will not be published. Required fields are marked *

Shopping Cart