GRE over IPSec vs IPsec over GRE

Jonn cos
Level 4

Hi all.

I don't know, but I am getting very confused in understanding the difference between the above two. By "over", what do we mean? Which header comes first?

When I apply a crypto map on the physical interface with the original IPs (of both ends) in the crypto ACL, is it GRE over IPSec or the other way around?

Kindly help me out.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Jonn,

GRE over IPSEC means IPSEC/GRE/IP and is the more common option, as GRE is used to build a logical point-to-point link and IPSEC is used to protect the communication.

IPSEC over GRE should mean GRE/IPSEC/IP, but note that some people in the forums also use this expression to refer to the IPSEC/GRE/IP encapsulation, and this causes confusion.

When you apply the crypto map on the physical interface, the encapsulation is GRE over IPSEC if:

- you have defined on both endpoints a p2p GRE tunnel and you use it to route between remote LAN IP subnets (internal networks that have to be routed within the VPN)

- the crypto ACL lists the GRE traffic as the only interesting traffic to be encrypted

  example:

permit gre host host

If there is no GRE tunnel configured and the crypto ACL specifies some specific IP flow, you are dealing with IPSEC/IP, just IPSEC.

Hope to help

Giuseppe
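The two header orders described in the answer above can be told apart on a capture by the IP protocol number of the outer header (50 for ESP, 47 for GRE), which also shows when GRE is leaving the router without IPsec protection. This is an added example, not part of the original posts; the function names, labels and sample packets are constructed for illustration, and it assumes IPv4, GRE headers per RFC 2784/2890 and no NAT-T (UDP) encapsulation.

```python
import struct

PROTO_GRE, PROTO_ESP = 47, 50      # IANA IP protocol numbers
ETHERTYPE_IPV4 = 0x0800

def ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header (checksum left 0) around payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def gre(payload, key=None):
    """GRE header carrying IPv4, optionally with the RFC 2890 key field."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, ETHERTYPE_IPV4)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + payload

def esp(ciphertext):
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", 0x1000, 1) + ciphertext

def parse_ipv4(pkt):
    """Return (protocol, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return pkt[9], pkt[ihl:]

def classify(pkt):
    """Label the encapsulation order seen on the wire."""
    proto, payload = parse_ipv4(pkt)
    if proto == PROTO_ESP:
        return "esp-outer"      # IPSEC/GRE/IP or plain IPSEC/IP: inner part is encrypted
    if proto != PROTO_GRE or len(payload) < 4:
        return "other"
    flags, ptype = struct.unpack("!HH", payload[:4])
    # Optional 4-byte fields: checksum (C), key (K), sequence number (S).
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    try:
        inner_proto, _ = parse_ipv4(payload[off:]) if ptype == ETHERTYPE_IPV4 else (None, b"")
    except ValueError:
        inner_proto = None
    # GRE outermost: either it carries ESP (GRE/IPSEC/IP) or a readable passenger.
    return "gre-then-esp" if inner_proto == PROTO_ESP else "gre-cleartext"

# Constructed sample packets: documentation addresses, dummy ciphertext.
PASSENGER = ipv4(1, b"\x08\x00" + b"\x00" * 6, "10.1.1.1", "10.2.2.2")
SAMPLES = {
    "gre_over_ipsec": ipv4(PROTO_ESP, esp(b"\xaa" * 48)),
    "ipsec_over_gre": ipv4(PROTO_GRE, gre(ipv4(PROTO_ESP, esp(b"\xaa" * 48)))),
    "gre_unprotected": ipv4(PROTO_GRE, gre(PASSENGER, key=7)),
}
```

A "gre-cleartext" result between two peers that are supposed to run GRE over IPSEC indicates the crypto ACL is not matching the GRE traffic.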

Hi Giuseppe,

Good explanation of the difference.

May I know if you can shed some further light on which method is preferred under which scenario?

Performance- or security-wise, which one is a better choice?

Thanks

br,

Zhong
