What exactly does a site-to-site vpn emulate as compared to a gre tunnel?

Reprovoid
Level 1

Hi.

Encryption aside, what is the difference between a site-to-site VPN and a GRE tunnel? I know a GRE tunnel emulates a leased line exactly (unless I've got it wrong, which is a distinct possibility!). What exactly does a site-to-site VPN emulate if I don't use it in conjunction with GRE? If a site-to-site VPN emulates a leased line, then why can't I use routing protocols between the two sites without configuring GRE?

I guess my main question is, what exactly would a site-to-site VPN be if it wasn't virtual?

Accepted Solutions

Richard Burts
Hall of Fame

A site to site IPSec VPN essentially emulates a point to point connection that does not support multicast (and therefore does not support our dynamic routing protocols).

So, encryption aside, the differences between a site to site IPSec VPN and GRE include these:

- A GRE tunnel has its own IP addresses on each end of the tunnel. A site to site IPSec VPN does not have its own set of addresses.

- A GRE tunnel can carry non-IP traffic (but who does that in recent times?) while site to site IPSec VPN carries only IP traffic.

- A GRE tunnel supports multicast while site to site IPSec VPN does not. And since multicast/broadcast are used by dynamic routing protocols, they are supported on GRE but not on IPSec (though if you look at the feature of VTI you find a compromise that is a tunnel that uses IPSec and not GRE and does support multicast and therefore does support routing protocols).

HTH

Rick
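
Added example (not part of the original post): a simplified Python model of the multicast point in the answer above. It treats an IPsec policy entry as a unicast source/destination prefix match (an assumption of this sketch), and shows that an OSPF hello to 224.0.0.5 never matches a LAN-to-LAN policy, while the same hello wrapped in GRE becomes a unicast protocol-47 packet between the tunnel endpoints that a policy can match. All addresses and the names `Selector`, `gre_encapsulate` and `demo` are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GRE_PROTO, OSPF_PROTO, TCP_PROTO = 47, 89, 6   # IP protocol numbers
ETHERTYPE_IPV4 = 0x0800                        # GRE protocol-type value for an IPv4 payload

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    gre_header: bytes = b""
    inner: Optional["Packet"] = None           # original packet carried inside GRE

@dataclass
class Selector:
    """Simplified IPsec policy entry: unicast source/destination ranges plus optional protocol."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None                # None matches any IP protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto))

def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Wrap a packet in a basic GRE header (RFC 2784: 16 bits flags/version = 0, 16 bits protocol type)."""
    header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return Packet(tunnel_src, tunnel_dst, GRE_PROTO, header, inner)

# Constructed addressing: LANs 10.1.0.0/16 and 10.2.0.0/16, public peers 198.51.100.1 and
# 203.0.113.1, GRE tunnel interfaces 172.16.0.1 and 172.16.0.2.
LAN_POLICY = Selector("10.1.0.0/16", "10.2.0.0/16")
GRE_POLICY = Selector("198.51.100.1/32", "203.0.113.1/32", GRE_PROTO)

def demo() -> dict:
    data = Packet("10.1.5.10", "10.2.7.20", TCP_PROTO)         # ordinary host-to-host traffic
    hello = Packet("10.1.0.1", "224.0.0.5", OSPF_PROTO)        # OSPF hello to AllSPFRouters
    tunnel_hello = Packet("172.16.0.1", "224.0.0.5", OSPF_PROTO)
    wrapped = gre_encapsulate(tunnel_hello, "198.51.100.1", "203.0.113.1")
    return {
        "data_matches_lan_policy": LAN_POLICY.matches(data),
        "hello_matches_lan_policy": LAN_POLICY.matches(hello),
        "wrapped_outer_is_multicast": ip_address(wrapped.dst).is_multicast,
        "wrapped_matches_gre_policy": GRE_POLICY.matches(wrapped),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```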

Thank you, that clears it up quite a bit.

I am glad that our responses did help to clear this up for you. Thank you for using the rating system to mark this question as answered. It makes the forum more useful when other readers can see a question and can know that a solution was found. Your marking has contributed to this process.

HTH

Rick

Dear Rick,

Could you please let me know, do we need to configure Site to Site VPN to create a GRE tunnel, after creating the Site to Site creating a tunnel is enough to configure the GRE tunnel. Please clarify for me.

I am afraid that I do not understand your question. It is possible to create a site to site connection using GRE without IPSec. It is possible to create a site to site connection using IPSec without GRE. And it is possible to create a site to site connection using both GRE and IPSec. If you can help me understand which one of these your question is about then perhaps I can provide helpful responses.

HTH

Rick

paolo bevilacqua
Hall of Fame

I know a GRE tunnel emulates a leased line exactly (unless I've got it wrong, which is a distinct possibility!). What exactly does a site-to-site VPN emulate if I don't use it in conjunction with GRE? If a site-to-site VPN emulates a leased line, then why can't I use routing protocols between the two sites without configuring GRE? I guess my main question is, what exactly would a site-to-site VPN be if it wasn't virtual?

A site-to-site VPN is an IPsec connection in tunnel mode, for which you have to read and learn about IPsec to understand.

It does not emulate or attempt to emulate a serial circuit, or anything else.

In addition to what Richard said:

  • The most important thing is probably that IPsec is encrypted, while GRE is not. For some customers, that is important.
  • It is possible to use routing protocols over IPsec VPN. That is done using unicast routing updates.

Thank you

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A VPN (virtual private network) is the generic term for extending a private network across another network.  GRE is just one particular technology, that is often used to create VPNs.

VPNs besides using GRE, might be built with GRE/IPSec, VTI (IPSec w/o GRE), Q-in-Q, SSL, MPLS, mGRE, DMVPN (mGRE with IPSec), and more (?).

You can run routing protocols across many VPN technologies; what you might be confusing is that just using pure IPSec, alone, doesn't. I.e., GRE isn't always required for routing, as for example VTI supports P2P and routing (multicast too?) w/o GRE.

Site-to-site VPN, usually implies logically joining the sites (they become, logically, one network), as distinguished from client VPN, where a single client appears as another host device at some site.

Thanks for the reply, I was referring to using purely IPSec, how that differs from using IPSec with GRE or using GRE alone.

I believe that it has been common terminology to talk about site to site VPN and to mean the IPSec site to site encrypted method. And that is how I treated it in my first response. But as Joseph points out we probably need to be more careful about the terminology because there are several implementations that can correctly be called site to site VPN (IPSec without GRE, IPSec with GRE, just GRE, VTI which is a tunnel with IPSec but not with GRE, DMVPN, perhaps MPLS).

HTH

Rick

Posting

IPSec is a protocol for transferring data, encrypted. Think of it sort of like TCP or UDP but what it principally offers is encryption.

IPSec with GRE is encrypted GRE; without IPSec, non-encrypted GRE.  Sort of like the difference between SCP and FTP.

Thanks for the reply, I was referring to using purely IPSec, how that differs from using IPSec with GRE or using GRE alone.

IPsec with GRE: Encryption along with use of dynamic routing protocols.

GRE: NO encryption. Just a tunnel between sites and can run routing protocols.

HTH

Kishore
