02-01-2009 11:32 AM - edited 03-04-2019 01:04 AM
Hi,
Can you please brief me on the difference between the two technologies mentioned below:
1. IPSEC over GRE
2. GRE over IPSEC
I am not getting a clear document differentiating these.
R.B.Kumar
02-01-2009 01:47 PM
1 - never seen deployed. The reason is that if a router can reach a certain address to terminate GRE, the same address should be used for IPSEC. Also, you would be carrying the IP header one more time, as IPSEC cannot run directly on GRE:
[ip hdr]--[gre]--[ip hdr/udp]--[ipsec]---[ip hdr]--[data]
2 - The standard way to encrypt a GRE tunnel.
02-01-2009 03:50 PM
Hi Kumar,
1. IPSec over GRE
IPSec has two modes: tunnel and transport. In tunnel mode you encrypt all: IP header and payload, and create an entirely new packet. In transport mode IPSec only encrypts the payload; the header is preserved.
Now, just imagine you already have a GRE tunnel set up, and you want to add some confidentiality to the data (payload) it carries. In this case, you can cryptograph the data using IPSec in transport mode and then send it into a GRE tunnel. This is the case for IPSEC over GRE. One application of this is to cryptograph multicast traffic, like OSPF, because GRE does support multicast, but IPSec in tunnel mode doesn't. Take a look at DMVPN on the Cisco site.
2. GRE over IPSec
This can be like any other protocol/application encryption. First you create a GRE tunnel and then cryptograph it with IPSec. If you use IPSec in tunnel mode you will create a lot of wasteful overhead and inefficiency. If you use the transport mode you will fall into the "ipsec over gre" (the chicken-egg problem).
02-01-2009 09:12 PM
Hi paulrogue,
Thank you. Now I have a good understanding of the concept.
I have a detailed idea of IPSEC over GRE. That is, a GRE tunnel is created first and over that an IPSEC tunnel is created to pass multicast and broadcast traffic.
But your definition of GRE over IPSEC seems similar. You mentioned "First you create a GRE tunnel and then cryptograph it with IPSEC". Doesn't it have the same meaning as IPSEC over GRE?
Can you please explain again. Please provide some link to get acquainted with this more.
R.B.Kumar
02-03-2009 04:30 PM
Hi Kumar,
You mention "GRE tunnel is created first and over that IPSEC tunnel is created to pass multicast and broadcast traffic".
The correct order for IPSEC over GRE is ...
The GRE tunnel is first created and it is used to pass multicast and broadcast. The GRE data is then encrypted with IPSec (no ipsec tunnel).
There is no IPSec tunnel in this scenario. Remember IPSec transport mode is only encryption. GRE does the tunneling work and IPsec does the encryption part.
"But your definition on GRE over IPSEC seems similar ..."
There is a slight difference...
1) In IPSec over GRE, you encrypt some data and send it as an IPSec packet into the GRE tunnel. If you look at the IP packet going out the interface, you will see it as an IP packet carrying a GRE protocol.
2) In GRE over IPSec (in tunnel mode), you create the GRE tunnel and send it into IPSec tunnel. If you look at the packet you will see it as an IP packet carrying the IPSec protocol.
3) In GRE over IPSec (in transport mode), you create the GRE tunnel and cryptograph its payload using IPSec. If you look at the packet you will see it as an IP packet carrying the GRE protocol.
That is ...
Case 1 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.
Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as "IPsec/GRE combination".
Case 2 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.
PRoque
02-03-2009 05:20 PM
Edit ...
I changed the case number above. The correct version is ...
Case 2 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.
Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as "IPsec/GRE combination".
Case 1 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.
PRoque
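To make the three stackings discussed above concrete, here is an added Python example (not from the thread or any poster) that computes, for each case, the protocol number the outer IP header carries on the wire and the per-packet overhead. The header sizes, the basic 4-byte GRE header and the cipher suite (ESP with AES-CBC and HMAC-SHA1-96) are assumptions; other suites change the byte counts but not the ordering.

```python
# Added example: header stacking, outer protocol and per-packet overhead for
# the three GRE/IPsec combinations (case numbers follow the corrected list).
# Assumptions (not from the thread): IPv4 without options, basic 4-byte GRE
# header, ESP with AES-CBC (16-byte IV, 16-byte block alignment) and
# HMAC-SHA1-96 (12-byte ICV).

IPV4_HDR = 20
GRE_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC IV
ESP_BLOCK = 16       # AES-CBC block size; plaintext + trailer is padded to it
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96
PROTO_ESP, PROTO_GRE = 50, 47


def esp_encapsulate(plain_len: int) -> int:
    """Bytes on the wire after ESP wraps plain_len bytes (RFC 4303 layout)."""
    pad = (-(plain_len + ESP_TRAILER)) % ESP_BLOCK
    return ESP_HDR + ESP_IV + plain_len + pad + ESP_TRAILER + ESP_ICV


def packet_size(stack: str, data_len: int) -> tuple:
    """Return (outer IP protocol number, total packet length) for one stacking."""
    inner = IPV4_HDR + data_len               # the original IP packet
    if stack == "gre-over-ipsec-tunnel":
        # IP | ESP | IP | GRE | IP | data   (case 2: ESP visible on the wire)
        gre_pkt = IPV4_HDR + GRE_HDR + inner
        return PROTO_ESP, IPV4_HDR + esp_encapsulate(gre_pkt)
    if stack == "gre-over-ipsec-transport":
        # IP | ESP | GRE | IP | data        (case 3: ESP still visible)
        return PROTO_ESP, IPV4_HDR + esp_encapsulate(GRE_HDR + inner)
    if stack == "ipsec-over-gre":
        # IP | GRE | IP | ESP | data        (case 1: GRE visible, ESP inside)
        esp_pkt = IPV4_HDR + esp_encapsulate(data_len)
        return PROTO_GRE, IPV4_HDR + GRE_HDR + esp_pkt
    raise ValueError(stack)


def overhead(stack: str, data_len: int) -> int:
    """Extra bytes added relative to the original IPv4 packet."""
    return packet_size(stack, data_len)[1] - (IPV4_HDR + data_len)


if __name__ == "__main__":
    for s in ("gre-over-ipsec-tunnel", "gre-over-ipsec-transport", "ipsec-over-gre"):
        proto, size = packet_size(s, 100)
        print(f"{s:26} outer proto={proto} total={size} overhead={overhead(s, 100)}")
```

Note that with ESP in transport mode the outer IP protocol field is still 50 (ESP), because the ESP header is inserted between the IP header and the GRE header; only the IPsec-over-GRE stacking shows protocol 47 (GRE) on the wire.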