06-12-2016 10:53 AM - edited 03-08-2019 06:10 AM
Hi,
If we have multiple branches and we want to establish IPsec to all of them, what are the limitations of running IPsec without GRE?
I tried to read some posts on this but did not get the idea.
The thing is that when you run IPsec ESP in tunnel mode, there are two IPs (inner and outer), so why don't we use the inner IP for the routing?
06-12-2016 11:32 AM
One limitation is that in many implementations you can't tunnel IPv4 and IPv6 over the same VPN.
What is not a limitation is that you can use routing protocols with or without GRE if you use VTIs (virtual tunnel interfaces).
06-12-2016 01:56 PM
To add a bit to the explanation that Karsten provides - IPsec was designed to support unicast packets. If you run IPsec without GRE (or some other tunneling protocol like VTI) then there is no support for forwarding multicast traffic. And with no support for multicast traffic, our interior routing protocols cannot run over IPsec without GRE.
HTH
Rick
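
The difference discussed in the replies above, as an added Cisco IOS configuration sketch that is not part of the original posts: a crypto map (IPsec with no GRE or VTI) next to a static VTI that gives the routing protocol an interface to run on. All addresses, names, the OSPF process number and the pre-shared key are constructed placeholders.

```cisco
! Constructed example: addresses, object names and the key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Option A: crypto map (IPsec without GRE or VTI) ---
! Only unicast traffic matching the ACL is protected. There is no tunnel
! interface, so multicast routing-protocol hellos have nothing to run over
! and branch prefixes must be maintained by hand in the ACL.
ip access-list extended BRANCH1-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address BRANCH1-TRAFFIC
interface GigabitEthernet0/0
 crypto map BRANCH-MAP
!
! --- Option B: static VTI (use instead of Option A for this peer) ---
! Everything routed into Tunnel1 is encrypted, so OSPF can form an
! adjacency across the tunnel and advertise the branch networks.
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 ip ospf 1 area 0
! GRE over IPsec: same Tunnel1, but omit "tunnel mode ipsec ipv4"
! so the tunnel keeps its default GRE encapsulation.
```

After applying Option B, `show crypto ipsec sa` should show encaps/decaps counters increasing and `show ip ospf neighbor` should list the branch router over Tunnel1.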