How to know GRE over IPsec or IPsec over GRE

MrBeginner

Hi , 

I am confused about GRE over IPsec and IPsec over GRE. As I understand it, GRE over IPsec = GRE is the inside packet and IPsec is the outside packet. IPsec over GRE ==> IPsec is the inside packet, GRE is the outside packet, right?

My concern is: if we apply an IPsec profile on the GRE tunnel interface, is it IPsec over GRE? If we apply an IPsec profile on the interface which is the source of the GRE tunnel, is it IPsec over GRE?

Can we deploy both GRE over IPsec and IPsec over GRE on the same router, which has only one WAN interface?

How to understand the traffic flow of GRE over IPsec and IPsec over GRE?

For example, for GRE over IPsec: interested traffic ==> LAN interface ==> GRE tunnel ==> add IPsec header ==> send out via WAN interface to remote terminal?

Is DMVPN IPsec over GRE?


@MrBeginner first of all, if you are setting up a VPN between an HP device and a Cisco router, are you using a Policy Based VPN or a Route Based VPN?

If using a Policy Based GRE over IPSec VPN, you'd configure the crypto map on the physical interface; the GRE tunnel traffic is matched against the crypto ACL and encrypted.

ip access-list extended VPN-ACL
 permit gre host 1.1.1.1 host 2.2.2.1
!
crypto map CMAP 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map CMAP
!
interface tunnel 1
 ip address 192.168.250.1 255.255.255.252
 tunnel source gigabitethernet0/0
 tunnel destination 2.2.2.1
 keepalive 10 3

If using a Route Based VPN (GRE over IPSec with Tunnel Protection), use a tunnel interface and reference an IPsec profile on the tunnel interface. You don't require a crypto map; all traffic is encapsulated in GRE and routed over the VPN encrypted.

interface tunnel 0
 ip unnumbered loopback 0
 tunnel source gigabitethernet 0/0
 tunnel destination 1.1.1.1
 ! "tunnel mode gre ip" is the default and is not displayed in the running config
 tunnel mode gre ip
 tunnel protection ipsec profile default

IPSec over GRE is rarely used and unsupported on newer Cisco IOS versions, but you'd assign a crypto map to the GRE tunnel interface. Newer software versions do not allow you to do this.

The recommended deployment would be the second example: GRE over IPSec with Tunnel Protection, or a VTI.

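To make the header ordering behind the two options above concrete, here is an added example (not from the thread, and not a Cisco tool) that builds both encapsulations from constructed bytes and then classifies a packet by walking its outer headers, the way a capture on the WAN interface would be read. The addresses are taken from the configuration above; the ESP "payload" is left as plaintext only so the sample is self-contained, since on the wire it would be ciphertext.

```python
import struct
from ipaddress import IPv4Address

# IP protocol numbers and the GRE protocol type used to walk the header chain.
IPPROTO_GRE, IPPROTO_ESP = 47, 50
ETHERTYPE_IPV4 = 0x0800

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def gre(payload, flags=0):
    """Basic GRE header (RFC 2784): flags/version word plus the protocol type."""
    return struct.pack("!HH", flags, ETHERTYPE_IPV4) + payload

def esp(spi, seq, payload):
    """ESP header (SPI, sequence number) followed by what would be ciphertext on the wire."""
    return struct.pack("!II", spi, seq) + payload

def gre_length(flags):
    # Optional GRE fields: checksum (bit 15), key (bit 13), sequence (bit 12), 4 bytes each.
    return 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))

def classify(pkt):
    """Name the encapsulation order using only what an observer on the WAN can see."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_ESP:
        # ESP is outermost: any GRE and inner IP header are inside the encrypted payload.
        return "gre-over-ipsec-or-plain-ipsec"
    if proto != IPPROTO_GRE:
        return "other"
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        return "gre-non-ip"
    inner = pkt[ihl + gre_length(flags):]
    # GRE and the inner IP header are in the clear; only the inner ESP payload is protected.
    return "ipsec-over-gre" if inner[9] == IPPROTO_ESP else "plain-gre"

# Constructed sample packets; WAN and tunnel addresses follow the thread's example config.
LAN = ipv4("10.1.1.10", "10.2.2.20", 6, b"tcp-segment")
GRE_OVER_IPSEC = ipv4("1.1.1.1", "2.2.2.1", IPPROTO_ESP, esp(0x1001, 1, gre(LAN)))
IPSEC_OVER_GRE = ipv4("1.1.1.1", "2.2.2.1", IPPROTO_GRE,
                      gre(ipv4("192.168.250.1", "192.168.250.2", IPPROTO_ESP,
                               esp(0x1001, 1, LAN))))
PLAIN_GRE = ipv4("1.1.1.1", "2.2.2.1", IPPROTO_GRE, gre(LAN))
```

The first branch of classify is the practical reason GRE over IPsec is preferred: the GRE header, tunnel addressing and inner IP packet are all inside ESP, whereas with IPsec over GRE they travel in the clear.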

MrBeginner

Hi ,

Can we deploy IPsec over GRE and GRE over IPsec in one router?

We have one WAN interface only.

@MrBeginner you'd only be able to use IPSec over GRE if you are running a really old IOS version; the configuration is no longer supported.

Why would you want to run IPSec over GRE anyway?

Generally you'd use GRE over IPsec with Tunnel Protection (FlexVPN), Multipoint GRE (DMVPN) or a VTI (FlexVPN).

Hi @Rob Ingram 

I am still confused about IPsec over GRE and GRE over IPsec depending on the configuration. I know the different header types and how they work; I am confused about the configuration part only. We are using an HP device and now we will tunnel to Cisco routers. In the existing configuration, all IPsec profiles are applied on the physical interface.

So I assume that if we apply the IPsec profile on the physical interface, it is GRE over IPsec, and if we apply the IPsec profile on the tunnel, it is IPsec over GRE. Is that not correct?

DMVPN and VTI apply the IPsec profile under the tunnel interface; I don't know why it is GRE over IPsec?

DMVPN and VTI apply the IPsec profile under the tunnel interface; I don't know why it is GRE over IPsec?
Add to this, you can run DMVPN w/o IPSec!!!


I hope to finish the lab today.

I will run a small lab and share the results with you.


MrBeginner

Hi All ,

Now I know which is IPsec over GRE and which is GRE over IPsec. Our current setup is policy-based GRE over IPsec. Let me know, can we deploy both a policy-based VPN and a route-based VPN together in one router using the same outgoing WAN interface?

@MrBeginner yes, as long as the crypto ACL defining the interesting traffic for the Policy Based VPN does not match the traffic for the route based VPN. I don't think it's supported, or at least not recommended, though.

FYI, crypto maps (policy based VPN) have been deprecated completely on newer IOS software releases; you should plan to migrate to a route based VPN (DMVPN or FlexVPN).

Just want to add something here:
a route-based VPN can and cannot be protected, so enable both, so
you can not protect the route-based VPN and depend on protecting the traffic in the policy-based VPN.