05-25-2023 05:23 PM
Hello guys,
GRE by itself is clear text, not a very secure tunnel to carry multicast; for better security we combine IPsec with GRE.
If I only use IPsec without a GRE tunnel, can I still carry multicast? In other words, can I connect to a remote site through Internet public static IPs, like routing of EIGRP or OSPF?
Thank you
05-25-2023 10:09 PM - edited 05-25-2023 10:09 PM
Hello @jobquerymail,
Routing protocols like EIGRP or OSPF can work over an IPsec tunnel without the need for GRE. IPsec can encrypt and protect the routing protocol traffic, allowing the routers at both ends of the tunnel to establish and maintain the routing adjacency. This enables you to extend your routing domain securely over the Internet using IPsec.
Also, you can still carry multicast traffic and establish connectivity to a remote site.
05-28-2023 10:32 AM
I don't think so. A GRE tunnel supports multicast, but IPsec by itself does not support multicast, so how is it possible to use EIGRP or OSPF?
GRE is a non-secure tunnel which carries multicast site to site via public static IPs; IPsec is used to encrypt and secure the tunnel which is created by GRE.
05-25-2023 11:00 PM
As already mentioned, yes, this will work. But you have to configure the VPN with virtual tunnel interfaces (VTI) and not with the legacy crypto maps.
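The VTI approach named in the reply above, as an added example that is not part of the original thread: a static VTI (SVTI) on one router carrying OSPF, with no crypto map. It assumes Cisco IOS/IOS-XE syntax with IKEv2; every name, address, interface and the key is a constructed placeholder, and the peer needs the mirror-image configuration.

```cisco
! Constructed example: Site A of a two-site SVTI. Peer public IP 203.0.113.2.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KEYS
 peer SITE-B
  address 203.0.113.2
  pre-shared-key EXAMPLE-KEY-REPLACE-ME
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYS
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! An IPsec profile replaces the crypto map and its interesting-traffic ACL.
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! Native IPsec encapsulation, no GRE header. Omitting this line leaves the
 ! default GRE mode, which together with the line below is GRE over IPsec.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! The tunnel is a routable interface, so OSPF hellos to 224.0.0.5 are sent
! out Tunnel0 and encrypted like any other packet routed through it.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

Once both ends are up, `show crypto ipsec sa` and `show ip ospf neighbor` confirm that the adjacency formed across the encrypted tunnel.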
05-26-2023 12:17 AM - last edited on 05-30-2023 02:26 AM by Translator
There are many differences, but the main ones are:
If you use a public network (Internet), use IPsec since it is secure (I am talking about the difference between GRE and IPsec, not between GRE/IPsec and IPsec).
If you use a private network, use GRE.
If you need to run an IGP over the tunnel, use GRE; IPsec does not support multicast (IPsec is P2P).
If the firewall does not support GRE, you need to use IPsec, and if you face an issue with multicast, use SVTI.
05-28-2023 10:37 AM
Yes, GRE supports multicast, but IPsec is point-to-point. I think if we use GRE for IGP protocols it's not secure; because of the security issue, IPsec is combined with GRE.
If I use only IPsec to route IGPs it won't work, so I first need GRE and then apply IPsec over the GRE to secure the tunnel data.
Is the above understanding true?
05-28-2023 11:00 AM
You are correct
05-26-2023 08:24 AM
"If I only use IPsec without GRE tunnel, can I still carry multicast or in other word, can i connect to remote site through Internet public static IPs ? like routing of EIGRP or OSPF ???"
I believe within IPv4, without GRE, i.e. with just IPSec, alone, no.
But must you use GRE, also no. As @Karsten Iwen mentioned, you might use VTI with IPSec (which, if I remember correctly, has less encapsulation overhead).
Understand, at least with IPv4, IPSec is a security protocol add-on. You generally need "something" on both ends to use IPSec on top of the basic communication which isn't IPSec aware.
I believe, though, in IPv6, IPSec is integral.