Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
671
Views
5
Helpful
1
Replies

How is different between two ways for GRE over IPSec?

DaeHeon Kang
Level 1
Level 1

‎12-19-2017 07:41 PM - edited ‎03-12-2019 04:51 AM

How is different between the below ways for GRE over IPSec? and how is the structure of the frame different between the two ways? And also which ways is the recommend way to deploy GRE over IPSec?

 

  • Apply Crypto map to physical interface by using access-list 100 permit gre host [ interface ip address] host [interface ip address]
  • Apply tunnel protection ipsec profile to tunnel interface
Labels:
0 Helpful
1 Reply 1

Mohammed al Baqari
Level 11
Level 11

‎12-19-2017 10:33 PM

Hi,

 

The 1st method is called policy based VPN. You define your interesting traffic using ACL rules to pass through VPN. The 2nd method is called route based VPN. You interesting traffic should be routed over the VPN tunnel.

 

If you look at the traffic selectors (SPD) using show crypto ipsec sa you will see for the 1st method that your SPD is matching your ACLs. For the 2nd method you will see your SPD as 0.0.0.0/0 and the interesting traffic is defined using routing. 

 

This is irrelevant whether your interesting traffic is GRE, TCP, UDP, etc. 

 

Now using Tunnel interface is called VTI method (Virtual Tunnel Interface) an its the preferred method to use when you are configuring VPN between Cisco routers. Crypto maps are the legacy methods and they are preferred for vpn between different vendors for interoperatibility 

Customers Also Viewed These Support Documents