IPSec vs. GRE

Unanswered Question
Aug 20th, 2008

We are in the middle of planning a DR site for our HQ office. One of the requirements is to be able to allow Internet based users who are accessing our DR site web server, access to our HQ network via a publicly routable IP.

Over 90% of the traffic from our DR site web server is to/from the Internet and back to the user. However, the other 10% from the DR site web server is authentication traffic to our HQ dbase server. Once the users are logged in, most of the remaining traffic is between the user and the DR site web server only. My question is: would it be best to set up ipsec between the DR site ASA and the HQ site ASA just for the authentication, or would it be better to do GRE?



Farrukh Haroon Wed, 08/20/2008 - 10:39

GRE is insecure when run without IPSEC. It's all clear-text!

You can use IPSEC (direct encapsulation without GRE) if all the following are true:

a) No multicast traffic is required (e.g. for dynamic routing).

b) No non-IP traffic (IPX etc.) is required to be routed.

Otherwise, if either of the above is required, you can use GRE over IPSEC.

Have a look at this link for more details:


Please rate if helpful.



ccolom Wed, 08/20/2008 - 10:53

Would it be best just to use IPSEC? I'm a little new to the ASA but have worked on PIX 515s before (a couple of years ago, so I'm not a major practitioner).

The main challenge seems to be to allow Internet based users to authenticate from their insecure host(s) on the Internet to our secure dbase server at HQ. Once they're authenticated, most of the remaining traffic will come from the web server at our DR site, which is closer to them, so tunneling to our HQ will not be needed after that. How much bandwidth will IPSEC use per user? The DR site has a 10MB pipe and our HQ site has a 20MB pipe.

Farrukh Haroon Wed, 08/20/2008 - 11:40

The overhead introduced by IPSEC depends on the tunneling mechanism you will use. But it seems you have a lot of bandwidth and that should not be a major issue. If you will use the ASA/PIX to terminate your tunnel, then your only option is IPSEC direct encapsulation. GRE is not supported on the ASA/PIX.
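The per-packet overhead of the three options discussed in this thread (plain GRE, IPSEC direct encapsulation in ESP tunnel mode, and GRE over IPSEC with ESP in transport mode), as an added worked example that is not from the thread or from Cisco. It assumes IPv4, ESP with AES-128-CBC and HMAC-SHA1-96, a 4-byte GRE header with no key or sequence fields, and no NAT-T UDP encapsulation; it also shows the largest inner packet that still fits a 1500-byte outer MTU, which is the check you want before setting the tunnel MTU or TCP MSS.

```python
"""Per-packet overhead of plain GRE, ESP tunnel mode and GRE over ESP transport mode.

Assumed parameters (not from the thread): IPv4 outer header, ESP with
AES-128-CBC + HMAC-SHA1-96, 4-byte GRE header, no NAT-T UDP encapsulation.
"""

IPV4_HDR = 20
GRE_HDR = 4          # base GRE header, no key / sequence / checksum fields
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 truncated authenticator
AES_BLOCK = 16


def esp_pad(plaintext_len: int) -> int:
    """Padding so that plaintext + pad + 2-byte trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def esp_overhead(plaintext_len: int) -> int:
    """Bytes ESP adds around a plaintext of the given length (header, IV, pad, trailer, ICV)."""
    return ESP_HDR + ESP_IV + esp_pad(plaintext_len) + ESP_TRAILER + ESP_ICV


def encapsulated_size(ip_packet_len: int, mode: str) -> int:
    """Size on the wire of an original IP packet of ip_packet_len bytes under the given mode."""
    if mode == "gre":                   # new outer IP + GRE, payload in the clear
        return IPV4_HDR + GRE_HDR + ip_packet_len
    if mode == "ipsec-tunnel":          # whole original packet is the ESP plaintext
        return IPV4_HDR + esp_overhead(ip_packet_len) + ip_packet_len
    if mode == "gre-over-ipsec":        # GRE header + original packet protected by ESP transport mode
        plaintext = GRE_HDR + ip_packet_len
        return IPV4_HDR + esp_overhead(plaintext) + plaintext
    raise ValueError(f"unknown mode {mode!r}")


def efficiency(ip_packet_len: int, mode: str) -> float:
    """Fraction of wire bytes that carry the original packet (useful for bandwidth planning)."""
    return ip_packet_len / encapsulated_size(ip_packet_len, mode)


def max_inner_size(mode: str, outer_mtu: int = 1500) -> int:
    """Largest original packet that fits outer_mtu without fragmentation after encapsulation."""
    size = outer_mtu
    while encapsulated_size(size, mode) > outer_mtu:
        size -= 1
    return size
```

Padding makes the ESP overhead vary by packet size, so compare the modes at the packet sizes your authentication traffic actually uses rather than with a single fixed percentage.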



ccolom Wed, 08/20/2008 - 14:48

Excellent, I'll start doing my homework. Thank you very much for the advice and the PDF link.


