
IPSec Tunnel and GRE over IPSec Tunnel

vishalsinha
Level 1

Hi Guys,

I am confused about IPSec Tunnels and GRE over IPSec Tunnels. I know the configuration of both but am struggling to find out the difference in capabilities between these two methods.

Please help.

Thanks >> VISHAL

Accepted Solution

Your original question asked about IPSec and GRE over IPSec. Jennifer (and I) interpreted the question to be about traditional IPSec and GRE with IPSec. And her answer was spot on for that interpretation of the question. One thing that she did not say, but is true, is that traditional IPSec VPN does not use a tunnel interface (even though we frequently call it an IPSec tunnel there is really no tunnel interface).

Your current question is about two different implementations where both of them use a tunnel interface. Your second example uses the technology of Virtual Tunnel Interface or VTI and the first example is the traditional IPSec with GRE. You are correct that both of these implementations can run dynamic routing protocols over the tunnel. From a functionality and capability perspective I believe that both of these are very similar. The differences between them are mostly differences in syntax (do you need a crypto map or not, do you use tunnel mode gre or tunnel mode ipsec ipv4). But the functionality and capability of both technologies are very much the same.

HTH

Rick


4 Replies

Jennifer Halim
Cisco Employee

An IPSec tunnel by itself does not support routing of multicast traffic; hence, if you need to route multicast traffic, you can configure GRE over IPSec to route it.

With an IPSec tunnel, you normally configure subnet(s) as the encryption subnets, but with a GRE tunnel you just configure the GRE endpoint, and all you have to do is route anything that you need to reach the remote end via the GRE tunnel. The crypto ACL is simpler if you have a long list of local/remote domains, as with GRE over IPSec all you have to do is route them via the GRE tunnel.
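To make the two points above concrete, here is a small Python model, added here as an example and not part of the thread or of any Cisco documentation. It shows which packets each design ends up encrypting when a new local subnet is added and when a routing protocol sends multicast. The subnets, sample packets and the "forgotten" crypto ACL entry are constructed for the example; the tunnel endpoint addresses are the ones from the GRE over IPSec config posted later in this thread. The rules it encodes (a crypto map encrypts only what the crypto ACL matches and lets everything else leave in the clear; GRE wraps whatever is routed into the tunnel interface, multicast included, in a unicast GRE packet between the endpoints, so one `permit gre host A host B` line covers it) are how IOS behaves, but the model is a simplification and implements no IPsec itself.

```python
"""Toy forwarding model: policy-based IPsec (crypto map) vs GRE over IPsec.

Added example, not from the original thread. All subnets and packets below
are constructed; only the tunnel endpoints come from the posted config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GRE = 47  # IP protocol number for GRE, what 'permit gre' in a crypto ACL matches


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6  # TCP unless stated otherwise


def matches_crypto_acl(pkt, acl):
    """acl entries are (proto or None, src_net, dst_net); None matches any protocol."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return any((p is None or p == pkt.proto) and s in sn and d in dn
               for p, sn, dn in acl)


def policy_based_ipsec(pkt, crypto_acl):
    """Crypto map on the WAN interface (the plain 'IPSec tunnel' of the question).

    The crypto ACL alone decides what is encrypted: a packet that does not match
    leaves the interface unencrypted. Multicast is not carried to the peer at all,
    because there is no tunnel interface to route it into.
    """
    if ip_address(pkt.dst).is_multicast:
        return "stays on local link (no VPN)"
    return "encrypted" if matches_crypto_acl(pkt, crypto_acl) else "CLEARTEXT"


def gre_over_ipsec(pkt, tunnel_routes, tunnel_src, tunnel_dst, crypto_acl):
    """GRE tunnel interface whose GRE packets are protected by IPsec.

    The routing table decides what enters the tunnel (assumption: routing-protocol
    multicast is sent on the tunnel interface, e.g. OSPF enabled on Tunnel1). GRE
    rewrites the outer header to the two endpoints, so the crypto ACL needs only
    one GRE line between those endpoints.
    """
    dst = ip_address(pkt.dst)
    if not (dst.is_multicast or any(dst in n for n in tunnel_routes)):
        return "not tunnelled"
    outer = Packet(tunnel_src, tunnel_dst, GRE)  # GRE encapsulation, inner packet untouched
    return "encrypted" if matches_crypto_acl(outer, crypto_acl) else "CLEARTEXT"


def compare():
    """Run constructed sample packets through both designs; returns {name: (policy, gre)}."""
    # Policy-based design: only the original local/remote pair was put in the crypto ACL.
    crypto_acl_subnets = [(None, ip_network("10.1.1.0/24"), ip_network("10.2.0.0/16"))]
    # GRE design: the single line 'permit gre host 119.63.130.2 host 119.63.130.1'.
    tun_src, tun_dst = "119.63.130.2", "119.63.130.1"
    crypto_acl_gre = [(GRE, ip_network(tun_src + "/32"), ip_network(tun_dst + "/32"))]
    # Routes (static or learned) pointing at the tunnel interface.
    tunnel_routes = [ip_network("10.2.0.0/16")]

    samples = {
        "original subnet": Packet("10.1.1.10", "10.2.5.20"),
        # A second local subnet was added and routed, but nobody updated the crypto ACL.
        "new local subnet forgotten in ACL": Packet("10.1.3.10", "10.2.5.20"),
        "ospf hello": Packet("10.0.0.1", "224.0.0.5", proto=89),
        "internet": Packet("10.1.1.10", "8.8.8.8"),
    }
    return {name: (policy_based_ipsec(p, crypto_acl_subnets),
                   gre_over_ipsec(p, tunnel_routes, tun_src, tun_dst, crypto_acl_gre))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (policy, gre) in compare().items():
        print(f"{name:36s} crypto map: {policy:30s} GRE over IPsec: {gre}")
```

The row to watch is the forgotten subnet: with a crypto map the traffic leaves the WAN interface in cleartext, while with GRE over IPsec a route is all that is needed for it to be encrypted. The multicast row is the reason OSPF or EIGRP can form adjacencies over the GRE design but not over a crypto map alone.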

Hi Jennifer,

I was looking for the difference between the two configs below. Both can run routing protocols.

GRE over IPSec
=============
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYKEY address 153.10.10.1
!
crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
 mode transport
!
crypto map Lahore 1 ipsec-isakmp
 set peer 153.10.10.1
 set transform-set MYVPN
 match address INT_TRAFFIC
! INT_TRAFFIC is the crypto ACL referenced above; its contents were not included in the post
!
interface Tunnel1
 ip unnumbered Loopback0
 ! WAN side interface
 tunnel source GigabitEthernet0/1
 ! other site's WAN side
 tunnel destination 119.63.130.1
!
interface GigabitEthernet0/1
 ip address 119.63.130.2 255.255.255.0
 crypto map Lahore
!
ip route 153.10.10.1 255.255.255.255 119.63.130.1

-------------------------------------------------------------------------

IPSec Tunnel
===========
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 ! your WAN side
 tunnel source 10.0.149.203
 ! other WAN side
 tunnel destination 10.0.149.217
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1


Hi,

I completely agree with the two previous posts, 5 stars!!

Let me add this:

IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.

Please check the features and restrictions for IPsec Virtual Tunnel Interface:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html

Please rate any post that you find useful and mark this question as answered if you do not have any further questions.

Thanks.

Portu

Sent from Cisco Technical Support Android App