IPsec not supporting Multicast

parthrawat979
Spotlight

My question is quite simple: Why doesn't IPSec support multicast? What does it mean by "not supporting multicast"? And how does GRE change it all? Are we talking about mGRE here, with GRE being multicast?

4 Replies

ashish.kushwaha
Level 4

IPSec is fundamentally a point-to-point, unicast technology. The reason is baked into how it works:

  • IPSec builds a Security Association (SA) between exactly two peers. An SA is identified by SPI+destination IP+protocol, and that destination IP must be a single unicast peer.
  • IKE (the key exchange) negotiates keys between two endpoints. There's no native mechanism in classic IPSec to negotiate a shared key with a group of receivers.

So "IPSec doesn't support multicast" literally means: if a packet's destination IP is a multicast address, a standard IPSec tunnel won't carry it.

Ashish K
***Please rate the helpful responses and accept the solution if it satisfies your problem***

pman
Spotlight

To add to the excellent explanation above:

Classic IPSec works between two specific unicast peers, so it does not natively carry multicast traffic.

GRE changes this by encapsulating the original multicast packet inside a normal unicast GRE packet between the tunnel endpoints.
IPSec then encrypts that GRE packet.

So effectively:

[ Multicast Packet ]
↓ GRE encapsulation
[ Unicast GRE Packet ]
↓ IPSec encryption
[ Encrypted Unicast Packet ]

and yes — mGRE/DMVPN uses the same GRE-over-IPSec concept, but for multiple dynamic peers instead of a single point-to-point GRE tunnel.

Cisco also describes GRE as supporting multicast traffic while IPSec provides the encryption:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-11/configuration_guide/sec/b_1711_sec_9300_cg/configuring_gre_over_ipsec.pdf


https://study-ccnp.com/site-to-site-gre-over-ipsec-configuration-verification/

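To make the layering in the reply above concrete, here is an added Python example (written for this page; it is not code from any of the posters or from Cisco). It builds a multicast UDP datagram, wraps it in plain GRE between two unicast tunnel endpoints, walks the resulting headers, and then checks what a classic point-to-point SA of the kind described in ashish.kushwaha's reply would accept. The addresses, ports and payload are constructed sample values, and `fits_unicast_sa` is a simplified model of the "destination must be the single unicast peer" rule, not an implementation of IKE or ESP.

```python
import struct
import ipaddress

# IANA protocol numbers and the GRE protocol-type value for IPv4 (real values, not constructed).
PROTO_UDP = 17
PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and return the addresses, protocol and payload."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "payload": pkt[ihl:total],
    }


def build_multicast_udp(src: str, group: str, payload: bytes, port: int = 5000) -> bytes:
    """Constructed multicast UDP datagram, like a routing-protocol hello sent to a group address."""
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    return ipv4_header(src, group, PROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a plain GRE header (no flags, RFC 2784) inside a unicast IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner


def walk_layers(pkt: bytes) -> list:
    """Return (dst, proto, is_multicast) for each IPv4 layer, descending through GRE."""
    layers = []
    while True:
        hdr = parse_ipv4(pkt)
        layers.append((hdr["dst"], hdr["proto"], ipaddress.IPv4Address(hdr["dst"]).is_multicast))
        if hdr["proto"] != PROTO_GRE:
            return layers
        flags, inner_type = struct.unpack("!HH", hdr["payload"][:4])
        if flags != 0 or inner_type != ETHERTYPE_IPV4:
            return layers  # optional GRE fields (key, sequence) are not modelled here
        pkt = hdr["payload"][4:]


def fits_unicast_sa(pkt: bytes, peer: str) -> bool:
    """Simplified model of a classic point-to-point SA: the outer destination must be the one unicast peer."""
    dst = ipaddress.IPv4Address(parse_ipv4(pkt)["dst"])
    # A multicast destination can never equal the single unicast peer that identifies the SA.
    return not dst.is_multicast and str(dst) == peer


if __name__ == "__main__":
    inner = build_multicast_udp("10.1.1.10", "239.1.1.1", b"hello-group")  # constructed sample
    outer = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")  # tunnel endpoints from documentation ranges
    print("raw multicast fits unicast SA:", fits_unicast_sa(inner, "198.51.100.1"))
    print("GRE-wrapped fits unicast SA:  ", fits_unicast_sa(outer, "198.51.100.1"))
    for dst, proto, mcast in walk_layers(outer):
        print(f"  dst={dst:<14} proto={proto:<3} multicast={mcast}")
```

Run as a script, it shows the raw multicast datagram being rejected by the unicast SA model and the GRE-wrapped copy being accepted, with the outer header carrying the unicast tunnel endpoint (protocol 47) and the inner header still addressed to the multicast group. ESP would then protect the whole outer packet; that step is left out because it adds nothing to the addressing point.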

I don't agree with your:

So effectively:

[ Multicast Packet ]
↓ GRE encapsulation
[ Unicast GRE Packet ]
↓ IPSec encryption
[ Encrypted Unicast Packet ]
because you could do the same with IPSec in place: just put the multicast packet inside the ESP encapsulation and your unicast IPSec packet will be in place. Am I getting this right?

This is, in fact, a little bit more complex. ESP itself supports multicast. But the implementation needs to include some controls. For policy-based VPNs, Cisco never implemented them. But for route-based VPNs, it is a standard, supported feature used quite extensively.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.