Cisco Support Community

New Member

IPsec with GRE question


Does anyone have a good reference doc about GRE with IPsec?

I am a little confused about the 2 flavors of crypto ACL used:

A) permit ip <source-net> <destination-net>

B) permit gre any any

It seems option A encrypts first and then does the GRE encapsulation, while option B encapsulates first and then encrypts.

Is there a good ref about these setups?



New Member

Re: IPsec with GRE question

I am unsure about any good references. I guess it all depends on what you want to do. It also depends on whether you are running a GRE tunnel (which is optional) as well.

Option A would encrypt all traffic matching the ACL. Option B would encrypt all tunnel traffic leaving that interface.

It all depends on what you want to accomplish. I ended up going with option B as we had a large amount of tunnels and it was just easier for me to see.

I can tell you that about the most important thing you can do for router-to-router VPN access is to get loopbacks on the router(s) in question.



Cisco Employee

Re: IPsec with GRE question


Cisco SDM might help you. It's a UI device manager that comes with access routers and helps you set up your VPN network with ease.

Please take a look at



New Member

Re: IPsec with GRE question

Hi Macheal,

As you understand, there are 2 ways to use IPSec with GRE: GRE inside IPSec (this is the most often used) and IPSec inside GRE. Your option A is the case of IPSec inside GRE and option B is the case of GRE inside IPSec.

You would require GRE inside IPSec when you want non-IP packets or multicast packets to be encrypted and sent over a tunnel. This is because IPSec can encrypt only unicast traffic. For example, a routing protocol like RIP uses multicast for communicating with RIP-enabled routers. In this case, the multicast traffic is first encapsulated with GRE (which turns the multicast packet into a unicast packet by setting the source and destination address to the tunnel source and destination address) and then IPSec is applied to it.

The necessary rule of thumb is:

For GRE inside IPSec tunnel, use only GRE as the protocol and the GRE tunnel end points as the traffic source and destination in the crypto ACL.

For IPSec inside GRE tunnel, use only IP as the protocol and only hosts as the traffic source and destination in your crypto ACL.

Hope that is clear. Let me know if you have more questions.
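A minimal IOS configuration for the GRE-inside-IPSec case described above (the first rule of thumb: the crypto ACL matches only GRE between the tunnel endpoints, and the crypto map sits on the physical interface). This is an added example, not taken from any of the posts in this thread; the addresses, names and the pre-shared-key placeholder are assumptions, and the command syntax assumes IOS 15.x.

```cisco
! Assumed addressing (not from the thread): local WAN 203.0.113.1, remote WAN 203.0.113.2,
! tunnel subnet 10.255.0.0/30, LAN 10.1.1.0/24 behind this router. Replace PSK-PLACEHOLDER.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
! Transport mode is enough here: GRE already supplies the outer IP header,
! so tunnel mode would only add a third header to every packet.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL per the rule of thumb: protocol GRE only, tunnel endpoints only.
! Everything carried inside the tunnel (unicast, multicast, non-IP) is encrypted
! because by the time IPSec sees it, it is a unicast GRE packet between the endpoints.
ip access-list extended CRYPTO-GRE
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-GRE
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! The crypto map goes on the physical interface the GRE packets leave from,
! not on Tunnel0: GRE encapsulation happens first, then the crypto ACL is checked.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM
!
! RIP multicast (224.0.0.9) is sent out Tunnel0 and rides inside the GRE/IPSec packets.
router rip
 version 2
 network 10.0.0.0
!
! To confirm only GRE is being protected, check the SA selectors:
!   show crypto ipsec sa
! The local/remote ident should show the two endpoint hosts with protocol 47 (GRE).
```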

