I have been looking at various documents about GRE and IPSec and was wondering what the configuration difference is? I found an old post that said GRE over IPSec is not the same as IPSec over GRE. It referred to

Which one am I looking at? Could someone supply me with a small sample config of a GRE/IPSec and also an IPSec/GRE? The examples that I saw had a crypto-map on the tunnel and WAN interface. Why is it on both?



Cisco Employee

Re: GRE/IPSec or IPSec/GRE?

Here's a GRE over IPSec tunnel. There is a PIX to PIX IPSec tunnel built and we are forming a GRE tunnel between the two peers behind it.

Here's an example of a GRE tunnel being IPSec protected on the same router. Basically we form a GRE tunnel and then IPSec protect it. You would need to apply the crypto map on both the logical (tunnel) and physical interfaces.

New Member

Re: GRE/IPSec or IPSec/GRE?


Aren't both these examples a demonstration of IPSEC over GRE, or in other words, a GRE tunnel protected or encapsulated by an IPSEC tunnel? The only difference being, that the first example shows GRE tunnel termination on internal routers, and the second showing GRE and IPSEC tunnel termination on the same router? Correct me if I am wrong, but I too have had conflicting reports on this subject.

Cisco Employee

Re: GRE/IPSec or IPSec/GRE?

Both examples show GRE over IPSec, i.e. encrypting GRE packets over an IPSec tunnel.

Your understanding of the 2 configs is right, i.e. in the first example GRE terminates on the internal router and IPSec on the external PIXs, and in the second example, both GRE and IPSec are terminating on the same router. Both situations are possible; it depends on what you want to do.



Cisco Employee

Re: GRE/IPSec or IPSec/GRE?

I found a thread for the same discussion and am pasting a snip of it, which might help understand further.


IPsec over GRE is not currently supported. In some versions of IOS it can be configured and it will work, in other versions of IOS it will not work.

We are planning to support it and we are going to make the following

crypto map ...

--- will ALWAYS encrypt before the encapsulation for the interface where it is configured. On a GRE tunnel interface that means IPsec before GRE tunnel encapsulation. On a physical interface that means IPsec before Layer-2 encapsulation.

tunnel protection ipsec profile ...

--- will ALWAYS tunnel encapsulate before encryption for the tunnel interface where it is configured. On a GRE tunnel interface that means GRE encapsulation before IPsec encryption. This command doesn't apply on physical interfaces.

The above will be done after the work to make it so that you don't need to apply a crypto map to both the GRE tunnel interface and the outbound physical interface is completed.



Re: GRE/IPSec or IPSec/GRE?


GRE over IPSec:

"GRE over IPSec" means GRE is transported over an IPSec tunnel, so the outermost encapsulation is IPSec with GRE inside of it.

The current implementation of GRE over IPSec (IOS) requires you to apply the crypto map on both the tunnel and physical interfaces, but this behaviour is going to be changed, and the crypto map will be required only on tunnel interfaces in the future, as it sounds logical.

IOS to IOS GRE over IPSec sample:
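
Added example, not part of the thread and not the sample the post above refers to: one router's side of an IOS-to-IOS GRE over IPSec setup, showing the crypto map form (applied to both the tunnel and the physical interface, as described above) next to the tunnel protection form named in the quoted snippet. Addresses, interface names, the names GRE-TS, GRE-MAP and GRE-PROF, and the key are constructed placeholders. It assumes an IOS release that offers AES-256 and SHA-256.

```cisco
! Constructed sample: documentation addresses, placeholder names and key.
! Mirror it on the peer with the two public addresses swapped.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PRE-SHARED-KEY address 192.0.2.2
!
! Transport mode: GRE already supplies the outer IP header between the peers
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Variant A: crypto map on both the tunnel and the physical interface ---
! The ACL selects only the GRE packets between the two tunnel endpoints
access-list 110 permit gre host 192.0.2.1 host 192.0.2.2
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 110
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 crypto map GRE-MAP
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
! --- Variant B: tunnel protection on the tunnel interface only ---
! (use instead of the crypto map and ACL lines above, not together with them)
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROF
```

With either variant, send traffic across Tunnel0 and check that the encaps/decaps counters in `show crypto ipsec sa` increase; counters that stay at zero mean the GRE packets are leaving the router unencrypted.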



