GRE with Static Routes

Unanswered Question
Apr 21st, 2010

The purpose of using GRE encapsulation over IPSec is to allow multicast routing updates to flow between the hub and spoke routers.

Is there another purpose for running GRE with IPSec?

If only static routing is used, is there a need for GRE?

In a second set of questions...

If GRE is used, one can leverage DMVPN to facilitate configuration and adding spokes.

If GRE is not used, is there a mechanism native to IPSec to make the adding of spokes streamlined in the same way GRE streamlines the process?


Lei Tian Wed, 04/21/2010 - 06:43


GRE can be used to support some legacy layer 3 protocols as well.

GETVPN doesn't require GRE, but it will automatically create a tunnel using the original IP header.


Lei Tian

Federico Coto F... Wed, 04/21/2010 - 07:12

GRE is encapsulation and IPsec is encryption (IPsec can also do encapsulation, but it is avoided when using GRE).
DMVPN facilitates the GRE tunnels in that it makes it dynamic (you no longer need to define statically all the endpoint IP of the GRE devices).
GETVPN is a relatively new technology which does not use GRE.
VTI is another way to send multicast between routers.


ex-engineer Wed, 04/21/2010 - 08:29

I am looking for more specific and informative answers that address my questions. I already know what GRE and IPSec are.

Federico Coto F... Wed, 04/21/2010 - 10:01

I thought we pretty much gave you the answer, if you're looking for more detailed information shoot the question again with exactly what you want to know.


Laurent Aubert Wed, 04/21/2010 - 10:30


The first implementation of IPSec within IOS (crypto-map based) doesn't support multicast traffic encapsulation, so adding the GRE layer was the workaround: GRE encapsulates multicast and IPSec encrypts the GRE packets, which are unicast.

So yes, this was the main purpose of having GRE on top of IPSec. The other advantage is you can encapsulate other protocols like IPX and transport them over an IP backbone.

With static routing, the GRE layer is not mandatory, but it will make your backup routing policy more complex (need to rely on IKE DPD and RRI) and globally slower than having a dynamic routing protocol.

For Hub&Spoke topology, DVTI is a good alternative to mGRE. Configuration is similar to Dial-In based on virtual-template (each tunnel is associated to a virtual-access interface). Please refer to the following link for more information:
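
An added illustration of the two designs compared in this thread (not part of any post, and not taken from Cisco documentation): a hub-side IOS sketch showing crypto-map IPsec without GRE, relying on DPD and RRI, next to a GRE tunnel protected by IPsec that carries a routing protocol. All names, addresses and the key are constructed placeholders, and the two options are alternatives, not meant to be applied together.

```cisco
! Constructed example: hub 198.51.100.1, spoke 203.0.113.2 (documentation ranges)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
! IKE DPD: probe the peer so a dead spoke is detected and its SAs are cleared
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! --- Option A: crypto map, no GRE, static routing only ---
! Only unicast traffic matching the ACL is protected; no multicast routing updates.
ip access-list extended HUB-TO-SPOKE1
 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address HUB-TO-SPOKE1
 ! RRI: install a static route for the remote protected subnet
 reverse-route
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! --- Option B: GRE protected by IPsec, routing protocol over the tunnel ---
! IPsec sees only unicast GRE packets; OSPF multicast hellos ride inside GRE.
crypto ipsec profile GRE-PROT
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.0.0.0 0.0.0.255 area 0
```

In Option A each new spoke needs its own ACL and crypto map entry on the hub, while Option B needs a tunnel interface per spoke unless mGRE/DMVPN or DVTI is used, as the posts above describe.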



