374 Views | 2 Helpful | 4 Replies

Tunnel gre tunnel ipsec

Saldebob
Spotlight


Hello,

I don't understand the difference between a gre tunnel and a site-to-site ipsec tunnel. I have the impression that it's exactly the same principle (authentication, encryption)?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

M02@rt37
VIP

Hello @Saldebob 

GRE and site-to-site IPsec tunnels serve different purposes and operate in distinct ways despite both being used to create virtual links over networks like the internet. GRE is primarily an encapsulation protocol that allows various network layer protocols to be tunneled between two endpoints, making it versatile for transporting different types of traffic such as multicast and IPv6 over an IPv4 network. However, GRE itself does not provide any built-in security features like encryption or authentication, meaning it can encapsulate data packets but cannot protect the data from being viewed or altered by unauthorized parties.

In contrast, site-to-site IPsec tunnels are designed to secure IP communications through robust encryption and authentication mechanisms. IPsec ensures data confidentiality, integrity, and authenticity by encrypting and authenticating each IP packet in a communication session. This makes IPsec suitable for secure VPNs over untrusted networks. IPsec can operate in transport mode (securing only the payload) or tunnel mode (securing the entire IP packet), with the latter commonly used for site-to-site VPNs. Combining GRE with IPsec allows leveraging GRE's encapsulation flexibility while benefiting from IPsec's security features, creating a secure and versatile tunneling solution ideal for complex enterprise network requirements.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post
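To make the accepted answer's point concrete, here is an added Python example (not code from the thread or from Cisco) that builds and unwraps a GRE-over-IPv4 packet as laid out in RFC 2784. The addresses, the fake UDP payload and the helper names are constructed for illustration. Because GRE only prepends an outer IPv4 header and a 4-byte GRE header, the inner payload text is still readable in the encapsulated bytes, which is exactly why GRE is paired with IPsec when confidentiality or integrity is required.

```python
"""GRE-over-IPv4 encapsulation and decapsulation (added example, RFC 2784 base header).
Nothing here encrypts or authenticates: the inner packet is carried verbatim."""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Outer IPv4 header | GRE header | inner packet, exactly as it would go on the wire."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # C bit clear: no GRE checksum
    outer = build_ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; raise if this is not a plain GRE packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol type 0x%04x" % ptype)
    if flags & 0x8000:  # C bit set: 4 extra bytes (checksum + reserved1) follow
        ihl += 4
    return packet[ihl + 4:]


def gre_overhead() -> int:
    """Bytes GRE adds per packet: outer IPv4 header plus the 4-byte base GRE header."""
    return 20 + 4


# Constructed inner packet: private-address IPv4 datagram carrying UDP with a readable payload.
INNER_PAYLOAD = b"\x04\xd2\x00\x35\x00\x17\x00\x00" + b"hello-plaintext"  # fake UDP hdr + text
INNER_PACKET = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, len(INNER_PAYLOAD)) + INNER_PAYLOAD

if __name__ == "__main__":
    tunnelled = gre_encapsulate(INNER_PACKET, "203.0.113.1", "198.51.100.1")
    print("wire length %d, inner length %d, overhead %d" % (len(tunnelled), len(INNER_PACKET), gre_overhead()))
    print("inner text still visible on the wire:", b"hello-plaintext" in tunnelled)
    print("decapsulated packet matches original:", gre_decapsulate(tunnelled) == INNER_PACKET)
```

Running the script shows the 24-byte overhead and that the payload string is present unchanged in the tunnelled bytes; an on-path observer sees the same. Wrapping the GRE packet in ESP tunnel mode is what hides it.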

4 REPLIES

GRE has no security at all.
I think you mean GRE over IPsec.

So the question is the difference between IPsec vs. GRE over IPsec:
IPsec does not support multicast.
GRE over IPsec supports multicast.

That is all the difference.

Cisco and other vendors later introduced SVTI instead of using GRE over IPsec, which is secure, supports multicast and has less overhead.

MHM

Jerems
Spotlight

I recently came across a setup where tunnels were running jointly with GRE and IPsec for flexibility/security purposes.

I wondered what the best practice is in terms of MTU for such a tunnel, especially with IPv4 datagrams as the payload.

How does MTU inheritance work for such a tunnel interface?

Thanks and regards,

Jerems

 

Hello @Jerems 

For GRE over IPsec tunnels, adjusting the MTU is crucial to avoid fragmentation and ensure optimal performance. GRE adds around 24 bytes of overhead, while IPsec typically adds 50-60 bytes, depending on the encryption and authentication methods. This overhead reduces the available payload size from the standard Ethernet MTU of 1500 bytes, meaning you need to lower the tunnel interface MTU to account for this.

A common best practice is to set the tunnel MTU to 1400 bytes, which leaves room for the added overhead, and adjust the TCP MSS to 1360 bytes to prevent fragmentation in TCP traffic. MTU inheritance on the tunnel interface typically comes from the underlying physical interface, but it doesn't automatically adjust for the GRE and IPsec overhead, so manual adjustment is necessary. PMTUD can help avoid fragmentation, but it relies on ICMP messages being unblocked, which may not always be the case. By setting appropriate MTU and MSS values, you can minimize the risk of packet fragmentation inside the tunnel and ensure that large packets are handled efficiently before they enter the tunnel.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.