10-01-2010 05:11 PM - edited 03-04-2019 09:58 AM
I'm a little confused about when to use a GRE tunnel and when to just use a simple VPN with an IPSec tunnel.
For example, I have a development network (192.168.0.0/24) whose traffic I need to encrypt using IPSec, then transport it over a 10.0.0.0/24 network.
The 10.0.0.0/24 network cannot see the 192.168.0.0/24 network in its forwarding table. At the other end, the data gets unencrypted from 10.0.0.0 back to a 192.168.0.0/24. Is that just a simple VPN or GRE? The two confuse me. Thanks in advance.
10-01-2010 06:31 PM
This is from a fellow with roots in WAN routing; take it for what it's worth.
I always use GRE when the equipment at both ends support it.
When utilizing a GRE tunnel you have routing at your fingertips. The forwarding decision over the tunnel is based on a routing decision. You can utilize all the dynamic routing protocols over the tunnel interface as if it were a physical interface. The GRE tunnel can be encrypted, and when it's sent out over public networks such as the internet it should be encrypted. The encryption decision for a GRE tunnel is based on the source/destination addresses of the tunnel and not the traffic going through the tunnel. This simplifies the encryption decision into a 1-line ACL. It also decouples the forwarding decision from the encryption decision.
When utilizing a standard IPSEC tunnel the forwarding decision is based on an ACL. In essence the forwarding decision is based on the encryption decision. This decision is based on an ACL that is static and must be updated to increase or decrease functionality. This critical ACL must be an exact match at both locations to ensure stability.
Since I'm a WAN routing fellow I'm always more comfortable having a forwarding decision that's based on routes/routing protocols versus static ACLs.
GRE has a bit more overhead (24 bytes), but it's well worth it for the functionality gained.
I highly recommend reading this white paper in regard to MTU and tunnels to realize an increased understanding of different tunnel technologies.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Chris
10-02-2010 02:09 AM
Why would you tunnel traffic using GRE? Here are some of the reasons:
10-02-2010 06:42 AM
David
I believe that the first point from Anas is the most important reason that you would need GRE tunnels. Support for multicast, especially multicast as used by routing protocols, is the most common reason for using GRE in my experience. His second point, about support for non-routed protocols, is valid but from my perspective is becoming less common and the transport of non-IP protocols is quite rare these days.
I would suggest that his third point about connecting two similar networks is frequently given as a reason to use GRE but is not an appropriate answer to your question. If you need to connect two similar networks over a different network GRE is certainly an option, but an IPSec tunnel is also a viable option to accomplish this.
I would suggest that there may be at least one more reason why you might choose to use GRE with IPSec. With GRE you get an interface, and if you configure tunnel keepalives the tunnel interface will go down if traffic is not going through the tunnel successfully. So it provides an easy way to monitor whether your encrypted traffic is working or not.
HTH
Rick
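To make the two approaches Chris and Rick describe concrete, here is an added Cisco IOS configuration sketch for the site-A router; it is not from any post in this thread. Assumptions: the transport hop is 10.0.0.1 (site A) to 10.0.0.2 (site B), site B's LAN is 192.168.1.0/24, the tunnel itself uses 172.16.0.0/30, and the pre-shared key and interface names are placeholders. The two halves are alternatives, not to be applied together; the IKEv1/crypto-map syntax matches the 2010-era thread, and newer releases prefer IKEv2.

```cisco
! ===== Option 1: GRE over IPsec (tunnel protection), assumed addressing =====
! Underlay interface on the 10.0.0.0/24 transport network
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 10.0.0.2
!
! Transport mode is the usual choice with tunnel protection: GRE already
! supplies the outer IP header, so ESP only needs to wrap the GRE payload.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-GRE
!
! The tunnel is a routable interface. Everything routed onto it is encrypted
! because the IPsec policy is implicitly "GRE from 10.0.0.1 to 10.0.0.2"
! (the one-line ACL Chris mentions). No traffic-selector ACL is needed.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400                 ! leave room for GRE (24 bytes) plus ESP overhead
 ip tcp adjust-mss 1360      ! keep TCP segments from needing fragmentation
 keepalive 10 3              ! probe every 10 s; line protocol drops after 3 misses
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! Dynamic routing runs across the tunnel like any other link, so OSPF
! (multicast hellos) advertises 192.168.0.0/24 to site B and learns
! 192.168.1.0/24 back, with no ACL change when a subnet is added.
router ospf 1
 network 192.168.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ===== Option 2: plain IPsec site-to-site (crypto map), assumed addressing =====
! No tunnel interface and no routing protocol: the crypto ACL IS the policy.
! It must be the exact mirror of the ACL on site B, and every new subnet
! means editing both ends.
crypto ipsec transform-set TS-SITE esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended SITE-TO-SITE
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-SITE
 match address SITE-TO-SITE
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CM
! Traffic to 192.168.1.0/24 still needs a route that leaves via Gi0/0
! (a default route, for instance) before the crypto map can catch it.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
```

Two things to check after applying either option: `show crypto ipsec sa` should show increasing encaps/decaps counters for the expected selectors (GRE between the endpoints in option 1, the LAN pair in option 2), and in option 1 `show interfaces Tunnel0` should report line protocol up; with the keepalive configured, a broken path takes the interface down and withdraws the OSPF routes, which is the monitoring benefit Rick describes. The MTU values are the usual conservative settings; the Cisco white paper Chris links explains how to size them for your exact encapsulation.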
08-26-2014 11:42 PM
There is one more important advantage: TTL.
When the actual packet is encapsulated inside the tunnel, its own TTL value will not be decreased until it reaches the tunnel destination.
Thanks,
Arunkarthick