cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2934
Views
0
Helpful
2
Replies

GRE over IPSec vs IPsec over GRE

Jonn cos
Level 4
Level 4

Hi all.

Dont know but i am confusing a lot in understanding the difference between the above two. By "over" what we mean ? which header comes first ?

When i apply crypto map on physical interface with original IPs (of both ends) in crypto acl, is it GRE over IPSec or other way around ?

Kindly help me out

2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Jonn,

GRE over IPSEC means  IPSEC/GRE/IP and is the more common option as GRE is used to build a logical point to point link and IPSEC is used to protect the communication.

IPSEC over GRE should mean GRE/IPSEC/IP but to be noted some people also in the forums use this expression to address the IPSEC/GRE/IP encapsulation and this causes confusion,

When you apply the crypto map over the physical interface the encapsulation is  GRE over IPSEC if:

-you have defined on both endpoints a p2p GRE tunnel and you use it to route between remote LAN IP subnets (internal networks that have to be routed within the VPN)

- the crypto ACL lists the GRE traffic as the only interesting traffic to be encrypted

  example:

permit gre host host

if the there is no GRE Tunnel configured and the crypto ACL specifies some specific IP flow you are dealing with IPSEC/IP just IPSEC.

Hope to help

Giuseppe

Hi Giuseppe,

Good explaination on the difference.

May i know if you can further shed some light on under which senario, which method is preferred?

In performance or security wise, which one is a better choice?

Thanks

br,

Zhong

Review Cisco Networking for a $25 gift card