Hi Omer,
I would prefer VTI on GRE over IPSec. Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features, such as routing protocols. IPsec also does not support the use of multiprotocol traffic.
GRE is a protocol that can be used to “carry” other passenger protocols, such as IP broadcast or IP multicast, as well as non-IP protocols.
Virtual Tunnel Interfaces: you can set them up with a profile that uses IPsec for transport, so the interface tu0 is treated like a usual IP interface that can also handle routing protocols.
However, different tunnel modes can apply to different applications. Here are some considerations for IPSec VTI. The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation. Thus, for some non-IP traffic, we still need IPSec over GRE.
Header-related overhead is about the same; however, VTI is less CPU intensive. It will also matter what platform is part of the solution.
Br.
Mohseen
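
Added example, not part of Mohseen's post: the two tunnel modes discussed above, side by side on one router, assuming Cisco IOS syntax. All addresses, names, the key string and the cipher choices are constructed placeholders.

```cisco
! Constructed example: documentation-range addresses, placeholder key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 198.51.100.2
crypto isakmp key REPLACE-WITH-REAL-PSK address 198.51.100.6
!
! Tunnel mode for the VTI, transport mode for GRE (GRE already adds the outer IP header).
crypto ipsec transform-set TS-VTI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile PROF-VTI
 set transform-set TS-VTI
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
! IPsec VTI: IP unicast and multicast only, no GRE header.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
!
! GRE protected by IPsec: also carries non-IP passenger protocols.
interface Tunnel1
 ip address 10.0.0.5 255.255.255.252
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.6
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
```

In both cases the routing protocol runs on the tunnel interface like on any other IP interface; only the `tunnel mode` line and the transform-set mode differ.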