Cisco Support Community
Community Member

GRE over IPSec vs IPsec over GRE

Hi all.

I don't know why, but I am getting very confused trying to understand the difference between the above two. What do we mean by "over"? Which header comes first?

When I apply a crypto map on the physical interface with the original IPs (of both ends) in the crypto ACL, is it GRE over IPSec or the other way around?

Kindly help me out

2 REPLIES
Hall of Fame Super Silver

GRE over IPSec vs IPsec over GRE

Hello Jonn,

GRE over IPSEC means IPSEC/GRE/IP and is the more common option, as GRE is used to build a logical point-to-point link and IPSEC is used to protect the communication.

IPSEC over GRE should mean GRE/IPSEC/IP, but note that some people in the forums also use this expression to refer to the IPSEC/GRE/IP encapsulation, and this causes confusion.

When you apply the crypto map on the physical interface, the encapsulation is GRE over IPSEC if:

- you have defined a p2p GRE tunnel on both endpoints and you use it to route between the remote LAN IP subnets (internal networks that have to be routed within the VPN)

- the crypto ACL lists the GRE traffic as the only interesting traffic to be encrypted

  example:

permit gre host host

If there is no GRE tunnel configured and the crypto ACL specifies some specific IP flow, you are dealing with IPSEC/IP, just IPSEC.

Hope to help

Giuseppe
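
The header orders described in the reply above, as an added example that is not part of the original post: a small Python classifier that walks the headers readable on the wire, outermost first, which is a quick way to confirm from a capture on the physical interface that no GRE leaves unencrypted. The helper names, the addresses (documentation ranges), the SPI and the sample packets are constructed for illustration.

```python
import struct

PROTO_GRE, PROTO_ESP, ETHERTYPE_IPV4 = 47, 50, 0x0800

def ipv4(proto, payload):
    """Minimal IPv4 header (checksum left 0) around payload; constructed test data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def gre(payload):
    """Basic 4-byte GRE header (no checksum/key/sequence) carrying IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + payload

def esp(opaque):
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", 0x1000, 1) + opaque

def cleartext_stack(pkt):
    """Return the headers readable on the wire, outermost first."""
    stack = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        stack.append("IP")
        ihl = (pkt[0] & 0x0F) * 4
        proto, pkt = pkt[9], pkt[ihl:]
        if proto == PROTO_ESP:
            stack.append("ESP")  # everything after the ESP header is encrypted
            break
        if proto != PROTO_GRE or len(pkt) < 4:
            break
        flags, ptype = struct.unpack("!HH", pkt[:4])
        stack.append("GRE")
        # Optional GRE fields (checksum, key, sequence) add 4 bytes each.
        opt = 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        if ptype != ETHERTYPE_IPV4:
            break
        pkt = pkt[4 + opt:]
    return stack

def classify(pkt):
    stack = cleartext_stack(pkt)
    if stack[:2] == ["IP", "ESP"]:
        return "ESP outermost: IPsec, or GRE over IPsec (GRE hidden in ciphertext)"
    if stack[:2] == ["IP", "GRE"]:
        return "IPsec over GRE" if "ESP" in stack else "GRE in the clear"
    return "other"

# Constructed sample packets, one per case discussed in the thread.
GRE_OVER_IPSEC = ipv4(PROTO_ESP, esp(b"\x00" * 32))
IPSEC_OVER_GRE = ipv4(PROTO_GRE, gre(ipv4(PROTO_ESP, esp(b"\x00" * 32))))
GRE_CLEAR = ipv4(PROTO_GRE, gre(ipv4(1, b"\x00" * 8)))
```

With ESP outermost the inner headers are ciphertext, so a capture alone cannot tell plain IPsec from GRE over IPsec; the crypto ACL and tunnel configuration decide that, as the reply explains.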

Community Member

GRE over IPSec vs IPsec over GRE

Hi Giuseppe,

Good explanation of the difference.

May I know if you can shed some further light on which method is preferred under which scenario?

In terms of performance or security, which one is a better choice?

Thanks

br,

Zhong
