Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1492
Views
0
Helpful
2
Replies

IPsec, VTI, GRE and over

gornication
Level 1
Level 1

‎06-21-2021 05:23 AM

Hi!
How do differ from each other IPsec over GRE, VTI over IPsec(IPSec VTI), GRE over IPsec tunnel mode?

image.png

What is described as GRE over IPsec tunnel mode in the picture is signed "IPsec over GRE Tunnel Mode".
What is described as IPsec tunnel mode with a VTI (sometimes just IPsec VTI) is labeled "IPsec Tunnel Mode" in the picture.

I tend to think that:
IPsec over GRE = GRE over IPsec tunnel mode
IPsec VTI is GRE over IPsec tunnel mode without GRE-IP-header. It is duplicated by the IPsec-IP-header and can be saved on this by adding tunnel mode ipsec {ipv4 | ipv6} to the config. 
But I do not find a clear confirmation of this.


On the other hand, the terms seem to me to be incorrect, since IPsec over GRE implies that IPsec is enclosed in the GRE.
image.png

- but this is already GRE over IPsec (transport mode), and not vice versa.

In addition, when the original data or the original header is said, it is not always clear how original they are, since this concept is relative in the context of encapsulations.

 

I would be grateful if you could help me figure out how correct it is written in bold.

Labels:
0 Helpful
2 Replies 2

Kasper Elsborg
Level 1
Level 1

‎09-25-2022 06:05 AM

I tend to think that:
IPsec over GRE = GRE over IPsec tunnel mode
IPsec VTI is GRE over IPsec tunnel mode without GRE-IP-header. It is duplicated by the IPsec-IP-header and can be saved on this by adding tunnel mode ipsec {ipv4 | ipv6} to the config. 
But I do not find a clear confirmation of this.

 

 

 

You are correct. when config a (default) tunnel and use IPSec as transport, you unnessesary add two IP headers. you can either remove the GRE header, or the IPsec header.

in this pic they change the (default) tunnel mode GRE to IPSec, hence removing the GRE IP header. This is also the recommended way to do it.

 

0 Helpful

MHM Cisco World
VIP
VIP

‎09-25-2022 06:29 AM - edited ‎09-25-2022 06:30 AM

IPsec VTI is GRE over IPsec tunnel mode without GRE-IP-header.

Without the all GRE encapsulation. 
so IPSec VTI there is NO GRE at all 
what different between IPsec tunnel mode and IPSec VTI ?
the answer is 
by add tunnel interface (VTI) we change the VPN from policy to route mode 
and then we protect it with IPsec. 

0 Helpful
Customers Also Viewed These Support Documents