Cisco Support Community

Gre + IPSec


I have question,

1)does IPSec support Multicaste capability ?

2)Why we configure IPsec tunnel into GRE tunnel ?

I have read one cisco documents as per doc , IPSec does not support IP multicast , but when we use netscreen firewall ( end to end ) IPsec tunnel on internet, this will routing internet, how this both things are different.

I hope you understand my queary.



Re: Gre + IPSec

Hi Minu,

Ans 1. The IPSec, in IPSec Direct Encapsulation doesnt support.

Ans 2. In order to get Multicast enabled across the VPN, we can use the Peer to Peer IPSec in GRE

Please visit for more info:

However your 3 question I couldnt understand very well, could you please elaborate.

Please feel free to revert back with any queries you might have.

Kind Regards,

Wilson Samuel

PS: Please rate if it helps.

Hall of Fame Super Gold

Re: Gre + IPSec


If we are talking pure IPSec as per the standards then IPSec is for unicast IP traffic and does not support multicast.

For the most common of the Interior Routing Protocols (especially OSPF and EIGRP) they require multicast for their routing packets. So traditional IPSec did not support Interior routing protocols. The solution was to combine IPSec (not support multicast) with GRE which does support multicast to be able to route with OSPF or EIGRP over IPSec tunnels.

In recent releases Cisco has given an enhancement called Virtual Tunnel Interface and with VTI you run IPSec, do not run GRE, and it is able to support OSPF and EIGRP routing.

I am not clear what the Netscreen is doing. It would be logical that they might be translating all the local addresses to send them over the Internet. And if they were translating all the addrersses then they could establish connectivity over an IPSec tunnel which would provide connectivity to the networks on both ends and still not be running a routing protocol through the IPSec tunnel. If that is not what is happening then perhaps someone who has more experience with this vendor can clarify what is being done here.



CreatePlease to create content