Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

GRE over IPSec vs IPsec over GRE

Hi all.

Dont know but i am confusing a lot in understanding the difference between the above two. By "over" what we mean ? which header comes first ?

When i apply crypto map on physical interface with original IPs (of both ends) in crypto acl, is it GRE over IPSec or other way around ?

Kindly help me out

Everyone's tags (5)
Hall of Fame Super Silver

GRE over IPSec vs IPsec over GRE

Hello Jonn,

GRE over IPSEC means  IPSEC/GRE/IP and is the more common option as GRE is used to build a logical point to point link and IPSEC is used to protect the communication.

IPSEC over GRE should mean GRE/IPSEC/IP but to be noted some people also in the forums use this expression to address the IPSEC/GRE/IP encapsulation and this causes confusion,

When you apply the crypto map over the physical interface the encapsulation is  GRE over IPSEC if:

-you have defined on both endpoints a p2p GRE tunnel and you use it to route between remote LAN IP subnets (internal networks that have to be routed within the VPN)

- the crypto ACL lists the GRE traffic as the only interesting traffic to be encrypted


permit gre host host

if the there is no GRE Tunnel configured and the crypto ACL specifies some specific IP flow you are dealing with IPSEC/IP just IPSEC.

Hope to help


Community Member

GRE over IPSec vs IPsec over GRE

Hi Giuseppe,

Good explaination on the difference.

May i know if you can further shed some light on under which senario, which method is preferred?

In performance or security wise, which one is a better choice?




CreatePlease to create content