Between GRE/IPSEC and IPSEC VPN tunnels Cisco Forum FAQ


Suggested prerequisite reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections

Introduction

An IPSec VPN tunnel is one way of setting up a private site-to-site connection over a public network (the Internet). Because it uses the public network, no dedicated physical circuit is needed to interconnect the sites, so the setup cost is low while the connection stays private and secure.

With a site-to-site IPSec VPN, IP routing is in place to interconnect multiple subnets. This routing can be static or dynamic. In a small network where there is only one path connecting two sites, static routing is sufficient. When multiple paths connect two sites, dynamic routing (e.g. EIGRP, OSPF) and/or load balancing (either per-packet or per-destination) should be used to get the optimal connection.

Note that IPSec tunnelling by itself only supports static routes and basic IP interconnection. When more advanced interconnection is needed, such as carrying Novell IPX, running dynamic routing, or load balancing between the sites, IPSec tunnelling alone cannot provide it. For such advanced interconnection, GRE tunnelling is the choice. The downside is that a GRE tunnel on its own is less secure than an IPSec tunnel, since GRE only encapsulates traffic and does not encrypt it.

If you need advanced interconnection support while keeping the connection over the public network secure, the workaround is to run GRE over IPSec: IPSec encrypts the GRE tunnel, and the GRE tunnel provides the advanced interconnection support.
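To make the encapsulation order concrete, here is an added Python example (not from this FAQ, and not Cisco code) that models the two policy types as simplified IPsec traffic selectors, the way a crypto ACL would match traffic, and shows why an IPX packet or an EIGRP hello to 224.0.0.10 cannot be selected by a pure IPsec policy but can once GRE wraps it in a unicast IPv4 header between the tunnel endpoints. The tunnel endpoints 203.0.113.1/2, the 192.168.x.x subnets, the IPX bytes and the EIGRP hello bytes are constructed sample data; the selector model is a simplification, and no encryption is performed: the code shows the encapsulation and selection step that precedes ESP, not ESP itself.

```python
"""Model of GRE-over-IPsec encapsulation order and IPsec traffic selection.

Added illustration; addresses, IPX and EIGRP bytes are constructed samples.
"""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
EIGRP_PROTO = 88         # IP protocol number for EIGRP
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
ETHERTYPE_IPX = 0x8137   # GRE protocol type for a Novell IPX payload


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (a router fills it in)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto) if pkt starts with an IPv4 header, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


def gre_encapsulate(payload, ethertype, tun_src, tun_dst):
    """Wrap any payload in a basic GRE header (flags/version 0, protocol type)
    and an outer unicast IPv4 header between the tunnel endpoints."""
    gre_hdr = struct.pack("!HH", 0, ethertype)
    outer = ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre_hdr) + len(payload))
    return outer + gre_hdr + payload


def gre_decapsulate(pkt):
    """Receiving side: strip the outer IPv4 and GRE headers, return (ethertype, payload)."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr[2] != GRE_PROTO:
        raise ValueError("not a GRE-in-IPv4 packet")
    flags_ver, ethertype = struct.unpack("!HH", pkt[20:24])
    if flags_ver != 0:
        raise ValueError("optional GRE fields (checksum/key/sequence) not handled here")
    return ethertype, pkt[24:]


def ipsec_selector_matches(pkt, proto, src_net, dst_net):
    """Simplified crypto ACL entry: 'permit <proto|ip> <src_net> <dst_net>'.
    IPsec can only select on IP headers, so anything that is not IPv4 fails."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return False
    src, dst, p = hdr
    if proto is not None and p != proto:
        return False
    return (ipaddress.IPv4Address(src) in ipaddress.IPv4Network(src_net)
            and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(dst_net))


def demo():
    """Compare a pure IPsec selector with a GRE-over-IPsec selector on three packets."""
    tun_a, tun_b = "203.0.113.1", "203.0.113.2"  # constructed tunnel endpoints
    # Pure IPsec policy: permit ip 192.168.1.0/24 -> 192.168.2.0/24 (LAN to LAN)
    pure = dict(proto=None, src_net="192.168.1.0/24", dst_net="192.168.2.0/24")
    # GRE over IPsec policy: permit gre host tun_a host tun_b
    gre_sel = dict(proto=GRE_PROTO, src_net=tun_a + "/32", dst_net=tun_b + "/32")

    # Constructed 30-byte IPX header: checksum 0xFFFF, length, hops, type, dst/src net+node+socket
    ipx = struct.pack("!HHBB4s6sH4s6sH", 0xFFFF, 30, 0, 4,
                      b"\x00\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55", 0x0451,
                      b"\x00\x00\x00\x02", b"\xaa\xbb\xcc\xdd\xee\xff", 0x4003)
    # Constructed EIGRP hello: unicast source, multicast destination 224.0.0.10
    eigrp_hello = ipv4_header("192.168.1.1", "224.0.0.10", EIGRP_PROTO, 20) + b"\x02\x05" + b"\x00" * 18
    # Ordinary LAN-to-LAN TCP packet (header only)
    user = ipv4_header("192.168.1.10", "192.168.2.10", 6, 0)

    return {
        "ipx_pure": ipsec_selector_matches(ipx, **pure),          # not IP -> no match
        "eigrp_pure": ipsec_selector_matches(eigrp_hello, **pure),  # multicast dst -> no match
        "user_pure": ipsec_selector_matches(user, **pure),         # plain IP -> match
        "ipx_gre": ipsec_selector_matches(
            gre_encapsulate(ipx, ETHERTYPE_IPX, tun_a, tun_b), **gre_sel),
        "eigrp_gre": ipsec_selector_matches(
            gre_encapsulate(eigrp_hello, ETHERTYPE_IPV4, tun_a, tun_b), **gre_sel),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:12s} selected by IPsec policy: {matched}")
```

The point the model makes is the one in the text: once GRE has added the outer IPv4 header, every packet, whether IPX or a multicast routing hello, looks to IPsec like unicast IP protocol 47 between two fixed endpoints, which a single selector can protect; the receiving side decapsulates in the reverse order.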

Some Discussions

said by gramzster:
--------------------------------------------------------------------------------
I do have a quick question. When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (Basically, what's the difference between a GRE tunnel and this type of tunnel?)
--------------------------------------------------------------------------------

In a nutshell, the VPN tunnel never forwards routing broadcasts through the tunnel, nor does it send routing updates. To send routing updates (so that the remote location can learn the networks on the local side) you must use GRE over IPSec. With this feature, the routing updates are first encapsulated in a new GRE packet and then forwarded through the VPN (IPSec) tunnel. This is useful and required if you are using OSPF, RIP, or EIGRP in your internal network and need to build a routing tunnel.

--------------------------------------------------------------------------------

Here's some more detail and links on the differences between a pure IPSec VPN tunnel and a GRE over IPSec tunnel:

Pure IPSec vpn tunnel
=====================

In a pure IPSec VPN tunnel, only IP traffic is encrypted/decrypted.

If you have non-IP traffic, for example IPX, it is not able to go into the VPN tunnel.

OSPF and EIGRP are not transferred in the tunnel.

The URLs below might be helpful about IPSec:

An Introduction to IP Security (IPSec) Encryption

http://www.cisco.com/en/US/netsol/ns110/ns170/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e272.html

http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_chapter09186a00800d9f4c.html

GRE over IPSec vpn tunnel
=========================

In a GRE over IPSec VPN tunnel, the original packet, whether IP, IPX, etc., is first GRE encapsulated, and then this packet is subjected to IPSec encapsulation.

Therefore, in a GRE over IPSec tunnel, all routing traffic (IP and non-IP) can be routed through: when the original packet (IP/non-IP) is GRE encapsulated, it gets an IP header (as defined by the GRE tunnel, normally the tunnel interface IP addresses), so the IPSec protocol can understand the IP packet and is therefore able to encapsulate the GRE packet, making it GRE over IPSec.

Please visit the URLs below for more info:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800946ba.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml

--------------------------------------------------------------------------------

Sample Configurations

»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
»Cisco Forum FAQ »Private Routing over VPN: GRE over IP Sec

Last but not least, here's another link for a sample config which uses GRE/IPSEC, CBAC and NAT, but I am sure that you will be able to remove the CBAC if you do not want it.

Hope that helps.

Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT

This FAQ brought to you by this post http://www.dslreports.com/forum/remark,8108888~root=equip,cis~mode=flat#8176897 by Covenant.


by nozero edited by aryoba
last modified: 2008-05-27 16:24:05

