DaeHeon Kang
Beginner

What is the difference between the two ways for GRE over IPSec?

What is the difference between the ways below for GRE over IPSec, and how does the structure of the frame differ between the two ways? Also, which way is the recommended way to deploy GRE over IPSec?

 

  • Apply Crypto map to physical interface by using access-list 100 permit gre host [ interface ip address] host [interface ip address]
  • Apply tunnel protection ipsec profile to tunnel interface
1 REPLY 1
Mohammed al Baqari
VIP Advisor

Hi,

 

The 1st method is called policy based VPN. You define your interesting traffic using ACL rules to pass through VPN. The 2nd method is called route based VPN. Your interesting traffic should be routed over the VPN tunnel.

 

If you look at the traffic selectors (SPD) using show crypto ipsec sa you will see for the 1st method that your SPD is matching your ACLs. For the 2nd method you will see your SPD as 0.0.0.0/0 and the interesting traffic is defined using routing. 

 

This is irrelevant whether your interesting traffic is GRE, TCP, UDP, etc. 

 

Now using Tunnel interface is called VTI method (Virtual Tunnel Interface) and it's the preferred method to use when you are configuring VPN between Cisco routers. Crypto maps are the legacy methods and they are preferred for VPN between different vendors for interoperability.
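
The two configurations from the question side by side, as an added example that is not part of the original thread. Interface names, addresses (documentation ranges), policy and object names, the crypto parameters and the pre-shared-key placeholder are all assumptions; configure one option or the other, not both.

```cisco
! Constructed example: local 198.51.100.1, peer 203.0.113.2
! Shared IKEv1 / IPsec settings used by both options
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
! Transport mode: the IPsec peers are the GRE endpoints, so no extra IP header is needed
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! GRE tunnel itself (same in both options; tunnel mode defaults to GRE)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! --- Option 1: crypto map on the physical interface ---
! The ACL selects the GRE packets between the two tunnel endpoints
access-list 100 permit gre host 198.51.100.1 host 203.0.113.2
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 100
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map GRE-MAP
!
! --- Option 2: IPsec profile on the tunnel interface ---
! No ACL and no crypto map; traffic routed into Tunnel0 is protected
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
interface Tunnel0
 tunnel protection ipsec profile GRE-PROF
!
! Check the negotiated traffic selectors with either option:
! show crypto ipsec sa
```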
