Hello Zhiling,
Sorry for responding late.
Is the off-site using private addressing?
No, they use public IP address.
Alright. This would require you to configure the routing on your branch so that the networks reachable on the off-site location are reachable via the IPsec tunnel.
Are you going to run a routing protocol over the IPsec tunnel?You would need additional GRE encapsulation for that.
No. But would you please explain what is the difference by running and not running?
If you used a plain IPsec tunnel, you would not be able to run an IGP routing protocol over it, as IPsec does not do well with multicasts - and IGP protocols use multicasts. Also, in most cases, the plan IPsec tunnel is not represented as a Tunnel interface but rather only a crypto map placed on an appropriate egress interface, and there is no way how to tell a routing protocol to work "over" this crypto map, rather than on the interface itself.
Using GRE with IPsec solves both problems. It gives you the the ability of running IGP between the IPsec sites and provides you with the Tunnel interface that represents the tunnel. In fact, using GRE, you can pass any traffic, not just IPv4 unicast, between your sites, and because that is IP+GRE encapsulated, IPsec will be happy with that and will be able to protect it. The downside is, of course, the added overhead of 24 bytes per packet before encryption (new GRE+IP header) including MTU issues that need to be solved.
In recent IOSes, there is a way of configuring a plain IPsec tunnel interface as well, without running GRE. That would not allow you to run IGP easily (only in a per-neighbor configuration) but the tunnel would be represented by an interface which can be considered an improvement. The choice of configuration depends on you.
Best regards,
Peter
