cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
44805
Views
64
Helpful
9
Replies

Difference between IPSEC over GRE and GRE over IPSEC

Suresh Babu
Level 1
Level 1

Hi All,

I always confuse on the difference b/w the IPSEC over GRE and GRE over IPSEC as both the functionality looks same to me but not finding the difference.

Please help to understand this.

Regards

Suresh

1 Accepted Solution

Accepted Solutions

Peter Paluch
Cisco Employee
Cisco Employee

Hello Suresh,

You may be interested in reading the following thread:

https://supportforums.cisco.com/message/3786671#3786671

It is very closely related to your question. Please read it carefully and feel welcome to ask further!

Best regards,

Peter

View solution in original post

9 Replies 9

rais
Level 7
Level 7

IPSec over GRE means Outer Header is  GRE. In other words, IPSec is riding over GRE.

GRE over IPSec means Outer Header is IPSec.

Voice over IP means Outer Header is IP. Voice is riding over IP packet. In this case,  don't think we'll ever come across IP over Voice. may be a Modem over PSTN.

Hope this helps.

Abzal
Level 7
Level 7

Hi,

I can add this to what Rais already said:

The advantage of using SVTIs as opposed to crypto map configurations is that users can

enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required

for GRE headers, thus reducing the bandwidth for sending encrypted data.

The use of IPsec VTIs both greatly simplifies the configuration process when you need to

provide protection for remote access and provides a simpler alternative to using generic

routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation

and crypto maps with IPsec.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

And interesting documentation

https://learningnetwork.cisco.com/docs/DOC-2457

Please rate helpful posts.

Best regards,
Abzal

Peter Paluch
Cisco Employee
Cisco Employee

Hello Suresh,

You may be interested in reading the following thread:

https://supportforums.cisco.com/message/3786671#3786671

It is very closely related to your question. Please read it carefully and feel welcome to ask further!

Best regards,

Peter

Hi Dear,

Below link page is not found

 

sirbulandkhan1
Level 1
Level 1

if it's "IPSec over GRE", only Payload will be encrypted, Crypto map will be applied to Tunnel Interface, Inside traffic will first hit the Tunnel Interface then will be encrypted & forwarded to physical interface where GRE header is attached to the packet & it is forwarded...

if it's "GRE over IPSec", then whole packet including Payload will be encrypted, Crypto map will be applied to Physical Interface, inside traffic will first hit the tunnel interface, forwarded to physical interface... GRE header & new IP header is attached & traffic will be encrypted & forwarded...

so in "IPSec over GRE", only interested traffic is encrypted not GRE's (hello packets etc), whereas in "GRE over IPSec", interested traffic plus GRE's traffic both are encrypted...

In IPsec over GRE, isn't the whole GRE packet, including GRE IP header, GRE flags, original IP header, and payload that gets encrypted?

In GRE over IPsec, isn't the GRE IP header only part that doesn't get encrypted?

You got it backwards.

AdityaMajumdar
Level 1
Level 1

The link is not working @Peter Paluch 

Link might be broken due to one of the many upgrades to this site, made since 2012.

If Peter doesn't respond, you, @AdityaMajumdar, might be able to find the thread Peter originally linked to using advanced search, and looking for something older than his reference post, that discusses GRE and IPSec, and possibly, includes Peter as a poster in that thread.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: