Cisco Support Community
New Member

GRE Tunnel and IP Sec Tunnel difference

Dear Team

I want to know the difference between GRE and IPSec tunnels. When do I need to use one of them? And if anyone has a pictorial diagram, that would be nice.

Regards

Waheed Ahmed


  • WAN Routing and Switching
4 REPLIES
VIP Purple

Re: GRE Tunnel and IP Sec Tunnel difference

Both have different goals:

IPSec-Tunnels are used when you want to transport IP over a foreign IP-network and your data should be protected cryptographically.

GRE is used if you want to transport something (not public routable IP, IPX, Ethernet, ...) over an IP network but you don't need to protect the data.

And you can combine both if you want the function of GRE with the protection of IPSec.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: GRE Tunnel and IP Sec Tunnel difference

One additional difference is that IPSec cannot forward broadcast and multicast traffic. It can forward only unicast.

A GRE tunnel can forward all types of traffic.

If you want to forward multicast or broadcast and you need to protect data, you can use IPSec+GRE combination.

Best Regards,

Ognjen

VIP Purple

Re: GRE Tunnel and IP Sec Tunnel difference

"One additional difference is that IPSec cannot forward broadcast and multicast traffic. It can forward only unicast."

That statement is only valid for older IOS-releases. In recent IOS (I think it started 12.3T, so it's quite a while) you don't need GRE any more to run Multicast like a routing-protocol through a crypto-map based IPSec-Tunnel. And VTIs never had any restrictions like that.

EDIT: I think I remembered wrong on one feature. Of course VTIs can run Multicast without GRE, but the feature I was referring to was to run a routing-protocol with a crypto-map-based config. But I think that worked by sending the Routing-protocol-traffic as unicast and not as multicast. Sadly I don't find any old config for that to make sure what it really was. Sorry for any confusion ...

New Member

Re: GRE Tunnel and IP Sec Tunnel difference

Both take IP packet and insert it into another packet.

GRE tunnel is not authenticated (it is vulnerable to man in the middle attacks).

IPSec tunnel is authenticated (you communicate only with something that approved its identity).

GRE does not use encryption, IPSec traffic is usually encrypted.

So if you just want to tunnel traffic, GRE is ok.

If you want either authentication or encryption... take IPSec.

IPsec can secure even GRE traffic, so you may tunnel traffic using GRE (in case you want to tunnel multicast, broadcast or even "not-IP traffic"), and then encrypt and authenticate these GRE packets using IPsec.

One thing... GRE is tunneling.

IPSec can tunnel traffic, or "just" secure content without tunneling the original IP header.

So IPSec tunnel mode is only one of two possible modes of using "IP security".
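
What the replies above describe, seen at the packet level, as an added example that is not part of the original thread: a GRE header (RFC 2784, optional key per RFC 2890) names the carried protocol and leaves the inner packet readable, while ESP (RFC 4303) shows an on-path observer only the SPI and sequence number. The function names `build_gre` and `observe` are hypothetical, and the sample payloads (including the zero bytes standing in for ESP ciphertext) are constructed.

```python
import struct

GRE, ESP = 47, 50  # IP protocol numbers for GRE and IPsec ESP
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX",
              0x6558: "bridged Ethernet"}

def build_gre(proto_type, inner, key=None):
    """Wrap `inner` in a GRE header; the optional key sets the K bit."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner

def observe(ip_proto, payload):
    """Return what an on-path observer learns from the outer IP payload."""
    if ip_proto == GRE:
        if len(payload) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", payload[:4])
        if flags & 0x0007:
            raise ValueError("only GRE version 0 is handled here")
        has_csum = bool(flags & 0x8000)  # C bit: plain checksum, not a MAC
        has_key = bool(flags & 0x2000)   # K bit: cleartext ID, not a secret
        has_seq = bool(flags & 0x1000)   # S bit: sequence number
        hdr_len = 4 + 4 * (has_csum + has_key + has_seq)
        if len(payload) < hdr_len:
            raise ValueError("truncated GRE optional fields")
        key = None
        if has_key:
            off = 4 + 4 * has_csum
            key = struct.unpack("!I", payload[off:off + 4])[0]
        return {"tunnel": "GRE", "carries": ETHERTYPES.get(ptype, hex(ptype)),
                "key": key, "inner_cleartext": payload[hdr_len:]}
    if ip_proto == ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        # Everything after SPI and sequence number is IV, ciphertext and ICV.
        return {"tunnel": "ESP", "spi": spi, "seq": seq,
                "inner_cleartext": None, "opaque_bytes": len(payload) - 8}
    raise ValueError("not GRE or ESP")

if __name__ == "__main__":
    # Constructed samples: a non-IP payload in GRE, and an ESP-shaped blob.
    print(observe(GRE, build_gre(0x8137, b"constructed IPX payload")))
    print(observe(ESP, struct.pack("!II", 0x1000, 1) + bytes(32)))
```

When GRE is carried inside ESP, as the replies suggest, the observer's view is the second case: the GRE header and the inner packet are both part of the opaque bytes.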
