New Member

IPSEC over GRE

Hi,

Can you please brief me on the difference between the two technologies mentioned below:

1. IPSEC over GRE

2. GRE over IPSEC

I am not getting a clear document differentiating these.

R.B.Kumar

6 REPLIES
Hall of Fame Super Gold

Re: IPSEC over GRE

1 - never seen deployed. The reason is that if a router can reach a certain address to terminate GRE, the same address should be used for IPSEC. Also, you would be carrying the IP header one more time, as IPSEC cannot run directly on GRE:

[ip hdr]--[gre]--[ip hdr/udp]--[ipsec]---[ip hdr]--[data]

2 - The standard way to encrypt a GRE tunnel.

 

New Member

Re: IPSEC over GRE

.

New Member

Re: IPSEC over GRE

Hi Kumar,


1. IPSec over GRE

IPSec has two modes: tunnel and transport. In tunnel mode you encrypt everything, IP header and payload, and create an entirely new packet. In transport mode IPSec only encrypts the payload; the header is preserved.

Now, just imagine you already have a GRE tunnel set up, and you want to add some confidentiality to the data (payload) it carries. In this case, you can cryptograph the data using IPSec in transport mode and then send it into the GRE tunnel. This is the case for IPSEC over GRE. One application of this is to cryptograph multicast traffic, like OSPF, because GRE does support multicast, but IPSec in tunnel mode doesn't. Take a look at DMVPN on the Cisco site.

2. GRE over IPSec

This can be like any other protocol/application encryption. First you create a GRE tunnel and then cryptograph it with IPSec. If you use IPSec in tunnel mode you will create a lot of wasteful overhead and inefficiency. If you use transport mode you will fall into "ipsec over gre" (the chicken-and-egg problem).

New Member

Re: IPSEC over GRE

Hi paulrogue,

Thank you, now I have a good understanding of the concept.

I have a detailed idea of IPSEC over GRE. That is, a GRE tunnel is created first and over that an IPSEC tunnel is created to pass multicast and broadcast traffic.

But your definition of GRE over IPSEC seems similar. You mentioned, "First you create a GRE tunnel and then cryptograph it with IPSEC". Doesn't it have the same meaning as IPSEC over GRE?

Can you please explain again? Please provide some link to get more acquainted with this.

R.B.Kumar

New Member

Re: IPSEC over GRE

Hi Kumar,

You mention "GRE tunnel is created first and over that IPSEC tunnel is created to pass multicast and broadcast traffic".

The correct order for IPSEC over GRE is ...

The GRE tunnel is first created and it is used to pass multicast and broadcast. The GRE data is then encrypted with IPSec (no ipsec tunnel).

There is no IPSec tunnel in this scenario. Remember IPSec transport mode is only encryption. GRE does the tunneling work and IPsec does the encryption part.

"But your definition on GRE over IPSEC seems similar ..."

There is a slight difference...

1) In IPSec over GRE, you encrypt some data and send it as an IPSec packet into the GRE tunnel. If you look at the IP packet going out the interface, you will see it as an IP packet carrying a GRE protocol.

2) In GRE over IPSec (in tunnel mode), you create the GRE tunnel and send it into IPSec tunnel. If you look at the packet you will see it as an IP packet carrying the IPSec protocol.

3) In GRE over IPSec (in transport mode), you create the GRE tunnel and cryptograph its payload using IPSec. If you look at the packet you will see it as an IP packet carrying the GRE protocol.

That is ...

Case 1 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.

Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as an "IPsec/GRE combination".

Case 2 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.

PRoque

New Member

Re: IPSEC over GRE

Edit ...

I changed the case number above. The correct version is ...

Case 2 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.

Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as an "IPsec/GRE combination".

Case 1 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.

PRoque
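The header diagram in the first reply and the three cases enumerated in the later replies (cases 1-3, with the numbering as corrected in the erratum above), as an added Python model that is not part of the thread and not Cisco code. It builds each packet as a list of headers from the outermost inwards, using assumed sizes for IPv4 without options, GRE without optional fields, and ESP with a 16-byte AES-CBC IV and a 12-byte HMAC-SHA1-96 ICV, and reports two things a practitioner cares about: what the outer IP header's protocol field shows in a capture on the physical interface, and how many bytes each order adds over the original packet. The header names, sizes and function names are this example's own assumptions; a different transform set changes the byte counts, not the header order.

```python
# Added example, not from the thread: model the encapsulation orders
# "IPsec over GRE" and "GRE over IPsec" (transport and tunnel mode).
# A packet is a list of (header, size_in_bytes) pairs, outermost first.
#
# Assumed sizes (not Cisco's numbers, just common values):
IPV4_HDR = 20         # IPv4 header without options
GRE_HDR = 4           # GRE header without key/sequence/checksum
ESP_HDR = 8 + 16      # SPI (4) + sequence number (4) + AES-CBC IV (16)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ESP_ICV = 12          # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16     # AES block size; ESP pads to a whole block

PROTO_GRE = 47        # IANA IP protocol number for GRE
PROTO_ESP = 50        # IANA IP protocol number for ESP


def plain_packet(payload_len):
    """An ordinary IPv4 packet: one IP header plus its payload."""
    return [("ip", IPV4_HDR), ("payload", payload_len)]


def gre_encap(packet):
    """GRE tunnelling: a new outer IP header, a GRE header, then the original packet."""
    return [("ip", IPV4_HDR), ("gre", GRE_HDR)] + packet


def esp_encap(packet, mode):
    """ESP in transport or tunnel mode.

    Transport mode keeps the packet's own IP header in front and protects
    only what follows it.  Tunnel mode protects the whole packet, IP header
    included, and prepends a brand-new IP header.
    """
    if mode == "transport":
        outer_ip, protected = packet[:1], packet[1:]
    elif mode == "tunnel":
        outer_ip, protected = [("ip", IPV4_HDR)], packet
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    protected_len = sum(size for _, size in protected)
    # ESP pads so that protected data + pad + trailer fills whole cipher blocks.
    pad = (-(protected_len + ESP_TRAILER)) % CIPHER_BLOCK
    return (outer_ip
            + [("esp", ESP_HDR)]
            + protected
            + [("esp-pad", pad), ("esp-trailer", ESP_TRAILER), ("esp-icv", ESP_ICV)])


def outer_protocol(packet):
    """The protocol number a capture on the physical interface sees in the outer IP header."""
    return {"gre": PROTO_GRE, "esp": PROTO_ESP}[packet[1][0]]


def overhead(packet, payload_len):
    """Bytes added on top of the original packet (IP header + payload)."""
    return sum(size for _, size in packet) - (IPV4_HDR + payload_len)


def build_cases(payload_len):
    """The three orders from the thread, each built from the same original packet."""
    original = plain_packet(payload_len)
    return {
        # Case 1 - IPsec over GRE: transport-mode ESP on the packet first,
        # then the encrypted packet goes into the GRE tunnel.
        "ipsec_over_gre": gre_encap(esp_encap(original, "transport")),
        # Case 2 - GRE over IPsec, tunnel mode: GRE first, then the whole GRE
        # packet is carried inside a tunnel-mode SA (two outer IP headers).
        "gre_over_ipsec_tunnel": esp_encap(gre_encap(original), "tunnel"),
        # Case 3 - GRE over IPsec, transport mode: GRE first, then ESP reuses
        # the GRE packet's outer IP header and encrypts GRE and everything after it.
        "gre_over_ipsec_transport": esp_encap(gre_encap(original), "transport"),
    }


def summarize(payload_len=100):
    """Per case: (outer protocol number, overhead in bytes)."""
    return {name: (outer_protocol(pkt), overhead(pkt, payload_len))
            for name, pkt in build_cases(payload_len).items()}


if __name__ == "__main__":
    for name, pkt in build_cases(100).items():
        chain = " | ".join(f"{hdr}:{size}" for hdr, size in pkt)
        print(f"{name:26s} proto={outer_protocol(pkt):2d} "
              f"overhead={overhead(pkt, 100):3d}  {chain}")
```

Running it with a 100-byte payload, the model gives protocol 47 and 72 bytes of overhead for IPsec over GRE (the GRE header is the first thing after the outer IP header, and the ESP packet sits inside the tunnel), and protocol 50 for both GRE-over-IPsec variants: 96 bytes in tunnel mode, because a second outer IP header is added, and 64 bytes in transport mode, where the GRE header is inside the encrypted part and only the IP header in front of ESP is visible. Whatever order is chosen, the overhead figure is what has to be subtracted from the physical link MTU when sizing the tunnel interface MTU, or the encrypted packets will fragment.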
