cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1858
Views
0
Helpful
4
Replies

GRE Tunnel and IP Sec Tunnel difference

UniWAQ
Level 1
Level 1

Dear Team

I want to know the difference between GRE and IPSec tunnels . When i need to use on of them and if any one  have pictorial diagram then its nice.

Regards

Waheed Ahmed


4 Replies 4

Both have different goals:

IPSec-Tunnels are used when you want to transport IP over a forreign IP-network and your data should be protected cryptographically.

GRE is used if you want to transport something (not public routable IP, IPX, Ethernet, ...) over an IP network but you don't need to protect the data.

And you can combine both if you want the function of GRE with the protection of IPSec.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

One additional difference is that IPSec cannot to forward broadcast and multicast traffic. It can to forward only unicast.

GRE tunnel can to forward all types of traffic.

If you want to forward multicast or broadcast and you need to protect data, you can use IPSec+GRE combination.

Best Regards,

Ognjen

Best Regards, Ognjen

One additional difference is that IPSec cannot to forward broadcast and multicast traffic. It can to forward only unicast.

That statement is only valid for older IOS-releases. In recent IOS (I think it started 12.3T, so it's quite a while) you don't need GRE any more to run Multicast like a routing-protocol through a crypto-map based IPSec-Tunnel. And VTIs never had any restrictions like that.

EDIT: I think I remembered wrong on one feature. Of course VTIs can run Multicast without GRE, but the feature I was referring to was to run a routing-protocol with a crypto-map-based config. But I think that worked by sending the Routing-protocol-traffic as unicast and not as multicast. Sadly I don't find any old config for that to make sure what it really was. Sorry for any confusion ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Tomas Fidler
Level 1
Level 1

Both take IP packet and insert it into another packet.

Gre tunnel is not authenticated (it is valnerable to man in the middle attacks).

IPSec tunnel is authenticated (you communicate only with something that approved its identity)

GRE does not use encryption, IPSec traffic is usualy encrypted.

So If you just want to tunnel traffic, GRE is ok.

If you want eigther authentication or encryption... take IPSec.

IPsec can secure even GRE traffic, so you may tunnel traffic using GRE ( in case you want to tunnel multicast, broadcast or even  "not-IP traffic"), and then encrypt and authenticate this GRE packets using IPsec.

one thing... GRE is tunneling.

IPSec can tunnel traffic, or "just" secure content and not tunneling original IP header.

So IPSec tunnel mode is only one of two possible modes of using "IP security".

Review Cisco Networking for a $25 gift card