IPSEC over GRE

hclisschennai
Level 1

Hi,

Can you please brief me on the difference between the two technologies mentioned below:

1. IPSEC over GRE

2. GRE over IPSEC

I am not finding a clear document differentiating these.

R.B.Kumar

6 Replies

paolo bevilacqua
Hall of Fame

1 - never seen deployed. The reason is that if a router can reach a certain address to terminate GRE, the same address should be used for IPSEC. Also, you would be carrying the IP header one more time, as IPSEC cannot run directly on GRE:

[ip hdr]--[gre]--[ip hdr/udp]--[ipsec]---[ip hdr]--[data]

2 -The standard way to encrypt a GRE tunnel.



pauloroque
Level 1

Hi Kumar,


1. IPSec over GRE

IPSec has two modes: tunnel and transport. In tunnel mode you encrypt everything, IP header and payload, and create an entirely new packet. In transport mode IPSec only encrypts the payload; the header is preserved.

Now, just imagine you already have a GRE tunnel set up, and you want to add some confidentiality to the data (payload) it carries. In this case, you can encrypt the data using IPSec in transport mode and then send it into the GRE tunnel. This is the case for IPSEC over GRE. One application of this is to encrypt multicast traffic, like OSPF, because GRE does support multicast, but IPSec in tunnel mode doesn't. Take a look at DMVPN on the Cisco site.

2. GRE over IPSec

This can be like any other protocol/application encryption. First you create a GRE tunnel and then encrypt it with IPSec. If you use IPSec in tunnel mode you will create a lot of wasteful overhead and inefficiency. If you use transport mode you will fall into "IPsec over GRE" (the chicken-and-egg problem).

Hi pauloroque,

Thank you, now I have a good understanding of the concept.

I have a detailed idea of IPSEC over GRE: that is, the GRE tunnel is created first and over that the IPSEC tunnel is created to pass multicast and broadcast traffic.

But your definition of GRE over IPSEC seems similar. You mentioned "First you create a GRE tunnel and then encrypt it with IPSEC". Doesn't it have the same meaning as IPSEC over GRE?

Can you please explain again? Please provide some links so I can get more acquainted with this.

R.B.Kumar

Hi Kumar,

You mention "GRE tunnel is created first and over that IPSEC tunnel is created to pass multicast and broadcast traffic".

The correct order for IPSEC over GRE is ...

The GRE tunnel is created first and is used to pass multicast and broadcast. The GRE data is then encrypted with IPSec (no IPsec tunnel).

There is no IPSec tunnel in this scenario. Remember, IPSec transport mode is only encryption. GRE does the tunneling work and IPsec does the encryption part.

"But your definition on GRE over IPSEC seems similar ..."

There is a slight difference...

1) In IPSec over GRE, you encrypt some data and send it as an IPSec packet into the GRE tunnel. If you look at the IP packet going out the interface, you will see it as an IP packet carrying a GRE protocol.

2) In GRE over IPSec (in tunnel mode), you create the GRE tunnel and send it into IPSec tunnel. If you look at the packet you will see it as an IP packet carrying the IPSec protocol.

3) In GRE over IPSec (in transport mode), you create the GRE tunnel and encrypt its payload using IPSec. If you look at the packet you will see it as an IP packet carrying the GRE protocol.

That is ...

Case 1 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.

Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as an "IPsec/GRE combination".

Case 2 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.

PRoque

Edit ...

I changed the case number above. The correct version is ...

Case 2 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.

Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything, it only encrypts, I would describe this not as "GRE over IPSec", but as an "IPsec/GRE combination".

Case 1 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.

PRoque
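As an added example (not from this thread, nor Cisco's own code), the following Python script builds toy packets for the encapsulations discussed above and walks the headers that a firewall, ACL or IDS on the path can read without the IPsec key. The addresses, SPI, the XOR stand-in for encryption, the fixed 12-byte ICV, the omitted IPv4 checksums and the GRE header with no optional fields are all illustrative assumptions; the header layouts themselves (IPv4, RFC 2784 GRE, RFC 4303 ESP) are real.

```python
"""Walk the clear-text headers of GRE/IPsec encapsulation variants.

Added example, not from the forum posts. Endpoints, SPI, the XOR
"encryption" stand-in and the ICV length are assumptions for illustration.
"""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
ETHERTYPE_IPV4 = 0x0800
ICV_LEN = 12                                     # assumed ESP integrity tag length
OUT_SRC, OUT_DST = "192.0.2.1", "198.51.100.1"    # assumed tunnel/IPsec endpoints
SPI, SEQ = 0x10001000, 1                          # assumed SA parameters


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def gre_header(ptype=ETHERTYPE_IPV4):
    """RFC 2784 GRE header with no optional fields (4 bytes)."""
    return struct.pack("!HH", 0, ptype)


def toy_encrypt(data):
    """Stand-in so the walker sees opaque bytes. This is NOT encryption."""
    return bytes(b ^ 0x5A for b in data)


def esp_encapsulate(plaintext, next_header):
    """RFC 4303 ESP: clear SPI/seq, encrypted payload + trailer, then ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # align pad_len/next_header to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", SPI, SEQ) + toy_encrypt(plaintext + trailer) + b"\x00" * ICV_LEN


# Constructed inner packet: IPv4 header + 8-byte UDP header (28 bytes in total).
INNER = ipv4_header("10.1.1.1", "10.2.2.2", IPPROTO_UDP, 8) + struct.pack("!HHHH", 53, 53, 8, 0)


def build_plain_gre():
    """GRE only, no confidentiality."""
    return ipv4_header(OUT_SRC, OUT_DST, IPPROTO_GRE, 4 + len(INNER)) + gre_header() + INNER


def build_gre_over_ipsec(tunnel_mode):
    """GRE packet protected by ESP, in tunnel mode or transport mode."""
    if tunnel_mode:   # ESP wraps the whole GRE packet, its IP header included
        esp = esp_encapsulate(build_plain_gre(), IPPROTO_IPIP)
    else:             # ESP wraps only GRE + payload; the single IP header is reused
        esp = esp_encapsulate(gre_header() + INNER, IPPROTO_GRE)
    return ipv4_header(OUT_SRC, OUT_DST, IPPROTO_ESP, len(esp)) + esp


def build_ipsec_over_gre():
    """ESP tunnel-mode packet carried inside a GRE tunnel (tunnel in a tunnel)."""
    esp = esp_encapsulate(INNER, IPPROTO_IPIP)
    ipsec_pkt = ipv4_header(OUT_SRC, OUT_DST, IPPROTO_ESP, len(esp)) + esp
    return ipv4_header(OUT_SRC, OUT_DST, IPPROTO_GRE, 4 + len(ipsec_pkt)) + gre_header() + ipsec_pkt


def overhead(packet):
    """Bytes added on top of the original inner packet."""
    return len(packet) - len(INNER)


def walk(packet):
    """Return the layers readable without a key, outer to inner."""
    layers, off, state = [], 0, "ip"
    while state is not None:
        if state == "ip":
            if off + 20 > len(packet) or packet[off] >> 4 != 4:
                layers.append("truncated or non-IPv4 data")
                break
            ihl, nxt = (packet[off] & 0x0F) * 4, packet[off + 9]
            src = ".".join(map(str, packet[off + 12:off + 16]))
            dst = ".".join(map(str, packet[off + 16:off + 20]))
            layers.append(f"IPv4 {src}->{dst} proto={nxt}")
            off += ihl
            if nxt == IPPROTO_GRE:
                state = "gre"
            elif nxt == IPPROTO_ESP:
                state = "esp"
            else:
                layers.append(f"proto {nxt} payload, {len(packet) - off} bytes in the clear")
                state = None
        elif state == "gre":
            flags, ptype = struct.unpack_from("!HH", packet, off)
            off += 4
            if flags & 0x8000: off += 4   # checksum + reserved1 present
            if flags & 0x2000: off += 4   # key present
            if flags & 0x1000: off += 4   # sequence number present
            layers.append(f"GRE type=0x{ptype:04x}")
            state = "ip" if ptype == ETHERTYPE_IPV4 else None
        else:  # esp: only SPI and sequence number are readable
            spi, seq = struct.unpack_from("!II", packet, off)
            off += 8
            layers.append(f"ESP spi=0x{spi:08x} seq={seq}, {len(packet) - off} bytes opaque")
            state = None
    return layers


if __name__ == "__main__":
    for name, pkt in [("plain GRE", build_plain_gre()),
                      ("GRE over IPsec, tunnel mode", build_gre_over_ipsec(True)),
                      ("GRE over IPsec, transport mode", build_gre_over_ipsec(False)),
                      ("IPsec over GRE", build_ipsec_over_gre())]:
        print(f"{name}: overhead={overhead(pkt)} bytes")
        for layer in walk(pkt):
            print("   ", layer)
```

Running it shows the practical difference between the cases: both GRE-over-IPsec variants expose the same two clear-text layers (outer IPv4 with protocol 50 and the ESP SPI/sequence), so the inner addresses and the GRE header are hidden and a transit ACL only needs to permit ESP; they differ by the 20 bytes of the extra IPv4 header that tunnel mode carries inside ESP. Plain GRE exposes the inner 10.x addresses and payload, and IPsec-over-GRE exposes the GRE header plus a second IPv4 header before ESP is reached, at the same total overhead as tunnel-mode GRE over IPsec.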
