I read that a GRE tunnel provides the possibility to use dynamic routing protocols such as EIGRP or OSPF, because IPsec doesn't support multicast and broadcast, which are used by these protocols. I read about GRE encapsulation, but I don't understand how this encapsulation permits multicast.
IPsec doesn't support multicast because the IKE protocol does not expect to negotiate security associations between more than two devices.
Please, I need some detailed explanations about this, to know how GRE encapsulation allows multicast.
Thanks in advance.
You can have multicast over IPsec directly, in several ways; one such implementation is called (s)VTI, and it has its limitations.
GRE (over IPsec and without it) allows greater flexibility; in fact it allows IP and non-IP protocols to ride on top.
If you will...
GRE encapsulation emulates a virtual p2p circuit between endpoints.
mGRE emulates point to multipoint circuit(s).
Actually, just to be clear, to quote from the link:
There is really no reason that the ESP in IPSec could not transport multicast. It is just challenging because IPSec is implemented as a policy based VPN as opposed to a route based VPN.
Most implementations (including Cisco) are agnostic to what rides on top as long as it's IP.
The challenge is building the right policy. IPsec "supports" multicast, or rather it's not aware whether the packet forwarded is mcast or not, with notable exceptions related to some implementations.
Thanks M. My understanding so far is that "normal" IPsec can only transport unicast packets, not multicast and broadcast (unless VTI is used, as you have mentioned above); that is why we need to encapsulate the multicast packet in GRE first if we want to have a routing protocol/multicast running on IPsec.
NHRP is not an IP protocol but a layer 2 protocol. Because of that we need GRE, which can encapsulate ANYTHING from IPX to MPLS or CDP.
IPsec IPv4 can encapsulate and encrypt only IP...
That's the only reason...
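
The encapsulation discussed in this thread, as an added example (not code from any of the posters): a multicast OSPF hello is wrapped in GRE, and the resulting outer packet is plain unicast IP protocol 47 between the two tunnel endpoints, which is all a crypto policy has to match. All addresses and the placeholder OSPF payload are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
OSPF_PROTO = 89          # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload


def checksum(header: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Prepend a basic 4-byte GRE header (no checksum/key/sequence) and an outer IPv4 header."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner)


def describe(packet: bytes) -> dict:
    """Protocol and destination of an IPv4 packet, i.e. what a crypto policy matches on."""
    ihl = (packet[0] & 0x0F) * 4
    dst = ipaddress.IPv4Address(packet[16:20])
    return {"proto": packet[9], "dst": str(dst),
            "multicast": dst.is_multicast, "payload": packet[ihl:]}


def build_example():
    # Constructed OSPF hello: destination 224.0.0.5 (AllSPFRouters), TTL 1, dummy body.
    hello = ipv4("10.0.0.1", "224.0.0.5", OSPF_PROTO, b"\x00" * 24, ttl=1)
    outer = describe(gre_encapsulate("192.0.2.1", "198.51.100.2", hello))
    inner = describe(outer["payload"][4:])  # skip the 4-byte GRE header
    return outer, inner


if __name__ == "__main__":
    for name, pkt in zip(("outer", "inner"), build_example()):
        print(name, pkt["proto"], pkt["dst"], "multicast" if pkt["multicast"] else "unicast")
```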