Solved: Re: GRE

M.Sultan · ‎05-25-2023

Hello guys

GRE by itself is clear text not much secure tunnel to carry multicast, for better security we combine IPSEC with GRE.

If I only use IPsec without GRE tunnel, can I still carry multicast or in other word, can i connect to remote site through Internet public static IPs ? like routing of EIGRP or OSPF ???

thank you

M02@rt37 · ‎05-25-2023

Hello @M.Sultan,

Routing protocols like EIGRP or OSPF can work over an IPsec tunnel without the need for GRE. IPsec can encrypt and protect the routing protocol traffic, allowing the routers at both ends of the tunnel to establish and maintain the routing adjacency. This enables you to extend your routing domain securely over the Internet using IPsec.

Also, you can still carry multicast traffic and establish connectivity to a remote site.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

MHM Cisco World · ‎05-26-2023

many points different but the main differ is

if you use public network (internet) use IPsec since it secure (I am talking about differ between GRE and IPsec not between GRE/IPsec and IPsec)
if you use private use GRE

if you need to run IGP over tunnel use GRE, IPsec not support multicast (IPsec is P2P)

firewall not support GRE you need to use IPsec and if you face issue with multicast go to use SVTI

View solution in original post

MHM Cisco World · ‎05-28-2023

You are Correct

View solution in original post

M02@rt37 · ‎05-25-2023

Hello @M.Sultan,

Routing protocols like EIGRP or OSPF can work over an IPsec tunnel without the need for GRE. IPsec can encrypt and protect the routing protocol traffic, allowing the routers at both ends of the tunnel to establish and maintain the routing adjacency. This enables you to extend your routing domain securely over the Internet using IPsec.

Also, you can still carry multicast traffic and establish connectivity to a remote site.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M.Sultan · ‎05-28-2023

I don't think so, GRE tunel support multicast, but ipsec by itself do not support multicast, how is it possible to use EIGRP OSPF ?

GRE is none-secure tunel which carries multicast site to site via public Static IP, IPsec is use to encrypt and secure the tunel which is create by GRE.

Karsten Iwen · ‎05-25-2023

As already mentioned, yes, this will work. But you have to configure the VPN with virtual tunnel interfaces (VTI) and not with the legacy crypto maps.

MHM Cisco World · ‎05-26-2023

many points different but the main differ is

if you use public network (internet) use IPsec since it secure (I am talking about differ between GRE and IPsec not between GRE/IPsec and IPsec)
if you use private use GRE

if you need to run IGP over tunnel use GRE, IPsec not support multicast (IPsec is P2P)

firewall not support GRE you need to use IPsec and if you face issue with multicast go to use SVTI

M.Sultan · ‎05-28-2023

Yes GRE support multi cast, BuT IPsec is point-to-point, i think if we use GRE for IGR protocols it's none secure, because of security issue Ipsec is combined with GRE.

If i use only IPsec to route IGPs it won't work, so i need first GRE and then over the GRE apply IPsec to secure the tunel data .

is the above understanding true ???

MHM Cisco World · ‎05-28-2023

You are Correct

Joseph W. Doherty · ‎05-26-2023

"If I only use IPsec without GRE tunnel, can I still carry multicast or in other word, can i connect to remote site through Internet public static IPs ? like routing of EIGRP or OSPF ???"

I believe within IPv4, without GRE, i.e. with just IPSec, alone, no.

But must you use GRE, also no. As @Karsten Iwen mentioned, you might use VTI with IPSec (which, if I remember correctly, has less encapsulation overhead).

Understand, at least with IPv4, IPSec is a security protocol add-on. You generally need "something" on both ends to use IPSec on top of the basic communication which isn't IPSec aware.

I believe, though, in IPv6, IPSec is integral.