Multicast via GRE over IPSec basic questions

Unanswered Question
Feb 19th, 2007

I'm attempting to configure a GRE tunnel over IPSec to a remote network for the first time; my core 6500 switch lacks the hardware for this, so I'm trying to implement two 1700 routers as the headends in both networks.

Are 1700s up to the task of this implementation, or are other routers required?

Can a VPN endpoint device also be a GRE headend device?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dominic.caron Mon, 02/19/2007 - 11:10


A 1711 can do this...but not fast. If I remember correctly, you should get 8 Mbps out of this box.

drumrb0y Mon, 02/19/2007 - 11:15

Thanks for the post;

I have a 1710 on one end - is it underpowered, or might it work?

8 Mbps should be ok; I'll have to let the performance speak for itself once I get it stood up.

dominic.caron Mon, 02/19/2007 - 13:23

1710 is rated a 4 mbps of vpn. 1711 is rated at 15 mbps.

The GRE will degrade performance. In real life, my 1711 with ipsec over gre did 8 mbps using 800 bytes packets.

drumrb0y Tue, 02/20/2007 - 05:49

This 1710 will be dedicated for GRE over IPSec traffic, so I hope it will handle the bandwidth.


roluce Tue, 02/20/2007 - 08:56

Does your 1700 have the VPN hardware adapter?

We normally find that (depending on exact type of traffic) we can count on a 1721 -WITH- the hardware encryption adapter will push about 1.9mbit (just short of an E1) of mixed traffic (average packet size 1280 bytes) full duplex over GRE/IPSec 3DES.

Your milage may very, but I wouldn't expect much more than that.

Software based encryption will be slower.


drumrb0y Tue, 02/20/2007 - 08:58

My 1710 has a VPN module, so I hope it doesn't degrade the video stream too badly.



This Discussion