11-21-2012 06:10 AM - edited 03-04-2019 06:12 PM
Hi All,
I always get confused about the difference between IPsec over GRE and GRE over IPsec, as the functionality of both looks the same to me and I cannot find the difference.
Please help me understand this.
Regards
Suresh
11-21-2012 06:57 AM
IPSec over GRE means Outer Header is GRE. In other words, IPSec is riding over GRE.
GRE over IPSec means Outer Header is IPSec.
Voice over IP means Outer Header is IP. Voice is riding over an IP packet. In this case, I don't think we'll ever come across IP over Voice. Maybe a modem over PSTN.
Hope this helps.
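The "outer header" distinction from the reply above, shown as an added example that is not part of the original thread: a small parser that lists which headers are readable on the wire for each layering. It assumes IPv4 and ESP (IP protocol 50); the function names, addresses and sample packets are constructed for illustration.

```python
import struct

PROTO_GRE, PROTO_ESP = 47, 50      # IANA IP protocol numbers

def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1])) + payload

def gre(payload, key=None):
    """GRE header carrying IPv4; the optional key field sets the K flag."""
    if key is None:
        return struct.pack("!HH", 0x0000, 0x0800) + payload
    return struct.pack("!HHI", 0x2000, 0x0800, key) + payload

def esp(opaque):
    """ESP as an observer sees it: SPI, sequence number, opaque bytes."""
    return struct.pack("!II", 0x1000, 1) + opaque

def visible_layers(pkt):
    """List the headers readable on the wire, outermost first."""
    layers = []
    while True:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        layers.append("IP")
        proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        if proto == PROTO_ESP:
            return layers + ["ESP"]            # everything after this is ciphertext
        if proto != PROTO_GRE:
            return layers + [f"proto {proto}"]
        flags, ptype = struct.unpack("!HH", body[:4])
        # Checksum (C), key (K) and sequence (S) flags each add 4 bytes.
        skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        layers.append("GRE")
        if ptype != 0x0800:
            return layers + [f"ethertype {ptype:#06x}"]
        pkt = body[skip:]

# Constructed sample packets; the ESP body stands in for ciphertext.
GRE_OVER_IPSEC = ipv4(PROTO_ESP, esp(b"\xaa" * 48))
IPSEC_OVER_GRE = ipv4(PROTO_GRE, gre(ipv4(PROTO_ESP, esp(b"\xbb" * 48)), key=7))

if __name__ == "__main__":
    print("GRE over IPsec:", visible_layers(GRE_OVER_IPSEC))
    print("IPsec over GRE:", visible_layers(IPSEC_OVER_GRE))
```
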
11-21-2012 07:06 AM
Hi,
I can add this to what Rais already said:
The advantage of using SVTIs as opposed to crypto map configurations is that users can
enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required
for GRE headers, thus reducing the bandwidth for sending encrypted data.
The use of IPsec VTIs both greatly simplifies the configuration process when you need to
provide protection for remote access and provides a simpler alternative to using generic
routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation
and crypto maps with IPsec.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
And some interesting documentation:
https://learningnetwork.cisco.com/docs/DOC-2457
Please rate helpful posts.
11-21-2012 11:31 PM
Hello Suresh,
You may be interested in reading the following thread:
https://supportforums.cisco.com/message/3786671#3786671
It is very closely related to your question. Please read it carefully and feel welcome to ask further!
Best regards,
Peter
07-31-2019 02:59 PM
Hi Dear,
The page at the link below is not found.
06-15-2015 05:11 AM - edited 03-30-2020 08:16 AM
If it's "IPSec over GRE", only the payload will be encrypted. The crypto map will be applied to the tunnel interface. Inside traffic will first hit the tunnel interface, then will be encrypted & forwarded to the physical interface, where the GRE header is attached to the packet & it is forwarded...
If it's "GRE over IPSec", then the whole packet including the payload will be encrypted. The crypto map will be applied to the physical interface. Inside traffic will first hit the tunnel interface, then be forwarded to the physical interface... The GRE header & new IP header are attached & the traffic will be encrypted & forwarded...
So in "IPSec over GRE", only interesting traffic is encrypted, not GRE's (hello packets etc.), whereas in "GRE over IPSec", interesting traffic plus GRE's traffic are both encrypted...
07-19-2022 04:21 AM
In IPsec over GRE, isn't it the whole GRE packet, including GRE IP header, GRE flags, original IP header, and payload, that gets encrypted?
In GRE over IPsec, isn't the GRE IP header the only part that doesn't get encrypted?
10-08-2023 08:01 AM
You got it backwards.
08-29-2022 02:06 AM - edited 08-29-2022 03:31 AM
The link is not working @Peter Paluch
08-29-2022 08:55 AM
Link might be broken due to one of the many upgrades to this site, made since 2012.
If Peter doesn't respond, you, @AdityaMajumdar, might be able to find the thread Peter originally linked to using advanced search, and looking for something older than his reference post, that discusses GRE and IPSec, and possibly, includes Peter as a poster in that thread.