Cisco GRE and IPSec - GRE over IPSec (2024)

GRE Tunnels are very common amongst VPN implementations thanks to their simplicity and ease of configuration. With broadcasting and multicasting support, as opposed to pure IPSec VPNs, they tend to be the number one engineers' choice, especially when routing protocols are used amongst sites.

The problem with GRE is that it is an encapsulation protocol, which means that while it does a terrific job providing connectivity between sites, it does a terrible job encrypting the data being transferred between them. GRE is stateless, offering no flow control mechanisms (think of UDP). This is where the IPSec protocol comes into the picture.

IPSec’s objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality. IPSec is extensively covered in our IPSec protocol article.

IPSec can be used in conjunction with GRE to provide top-notch security encryption for our data, thereby providing a complete secure and flexible VPN solution. IPSec can operate in two different modes, Tunnel mode and Transport mode. Both of these modes are covered extensively in our Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode article. Additionally, Cisco GRE Tunnel configuration is covered in our Configuring Cisco Point-to-Point GRE Tunnels. We highly recommend reading these articles before proceeding as it is a prerequisite for understanding the information covered here.

As with IPSec, when configuring GRE with IPSec there are two modes in which GRE IPSec can be configured, GRE IPSec Tunnel mode and GRE IPSec Transport mode.

This article examines the difference between GRE IPSec Tunnel and GRE IPSec Transport mode, and explains the packet structure differences along with the advantages and disadvantages of each mode.

GRE IPSec Tunnel Mode

With GRE IPSec tunnel mode, the whole GRE packet (which includes the original IP packet) is encapsulated, encrypted and protected inside an IPSec packet. GRE over IPSec Tunnel mode provides additional security because no part of the GRE tunnel is exposed; however, there is significant overhead added to the packet. This additional overhead decreases the usable space for our payload (the original IP packet), which means more fragmentation may occur when transmitting data over a GRE IPSec Tunnel VPN.

IPSec Tunnel mode is the default configuration option for both GRE and non-GRE IPSec VPNs. When configuring the IPSec transform set, no other configuration commands are required to enable tunnel mode:

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

Calculating GRE IPSec Tunnel Mode Overhead

Calculating the overhead will help us understand how much additional space GRE over IPSec in Tunnel mode requires and our effective usable space.

The packet structure below shows an example of a GRE over IPSec in Tunnel mode:
[Figure: GRE over IPSec Tunnel mode packet structure]
Two important points to keep in mind when calculating the overhead:

  • Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example, DES or 3DES introduces an 8-byte IV field, whereas AES introduces a 16-byte IV field. In our example we are using 3DES encryption, therefore producing an 8-byte IV field.
  • The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length and Next Header fields (both 1 byte long and contained within the ESP Trailer) and the ESP Auth Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.

Following is the calculated overhead:

ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes

Note: ESP Trailer has been calculated as 4 bytes as per above note.

GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes

Total Overhead: 52 + 24 = 76 Bytes

GRE IPSec Transport Mode

With GRE IPSec transport mode, the GRE packet is encapsulated and encrypted inside the IPSec packet, however, the GRE IP Header is placed at the front. This effectively exposes the GRE IP Header as it is not encrypted the same way it is in Tunnel mode.

IPSec Transport mode is not used by default configuration and must be configured using the following command under the IPSec transform set:

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport

GRE IPSec transport mode does have a few implementation restrictions. It is not possible to use GRE IPSec transport mode if the crypto tunnel transits a device using Network Address Translation (NAT) or Port Address Translation (PAT). In such cases, Tunnel mode must be used.

Finally, if the GRE tunnel endpoints and Crypto tunnel endpoints are different, GRE IPSec transport mode cannot be used.

These limitations seriously restrict the use and implementation of the transport mode in a WAN network environment.

Calculating GRE IPSec Transport Mode Overhead

Calculating the overhead will help us understand how much space GRE over IPSec in Transport mode uses and our effective usable space.

The packet structure below shows an example of GRE over IPSec in transport mode:

[Figure: GRE over IPSec Transport mode packet structure]

Again, two important points must be kept in mind when calculating the overhead:

  • Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example, DES or 3DES introduces an 8-byte IV field, whereas AES introduces a 16-byte IV field. In our example we are using 3DES encryption, therefore producing an 8-byte IV field.
  • The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length and Next Header fields (both 1 byte long and contained within the ESP Trailer) and the ESP Auth Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.

Following is the calculated overhead:

ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes

Note: ESP Trailer has been calculated as 4 bytes as per above note.

GRE Overhead: 4 (GRE) = 4 Bytes

Total Overhead: 52 + 4 = 56 Bytes

It is evident that GRE IPSec Transport mode saves approximately 20 bytes of overhead per packet. This might save a moderate amount of bandwidth on a WAN link; however, there is no significant CPU performance gain from using this mode.
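As an added worked example (not code from the original article), the following Python applies the two rules above, IV size per cipher and 4-byte ESP Trailer alignment, to both the Tunnel mode and Transport mode overhead calculations, and also finds the largest original packet that fits a 1500-byte MTU without fragmentation. The payload lengths and the `align` parameter (real CBC ciphers pad to their block size rather than to 4) are assumptions of this example.

```python
# Added example (not from the original article): a calculator that applies the
# article's overhead rules for GRE over IPSec in Tunnel and Transport mode.
IP_HDR = 20      # IPv4 header without options
ESP_HDR = 8      # SPI (4) + Sequence Number (4)
ESP_AUTH = 12    # truncated HMAC (MD5-96 or SHA1-96) ESP Auth trailer
GRE_HDR = 4      # basic GRE header, no optional key/sequence fields
IV_SIZE = {"des": 8, "3des": 8, "aes": 16}   # IV length follows the cipher


def esp_trailer_len(encrypted_len: int, align: int = 4) -> int:
    """Bytes of ESP Trailer (Padding + Pad Length + Next Header) needed so
    that the encrypted data plus the two 1-byte fields ends on an `align`
    boundary. The article uses 4; CBC ciphers in practice pad to the cipher
    block size (8 for 3DES, 16 for AES), which can be passed as `align`."""
    padding = (-(encrypted_len + 2)) % align
    return padding + 2


def gre_ipsec_overhead(mode: str, cipher: str, payload_len: int,
                       align: int = 4) -> dict:
    """Per-field overhead added to one original IP packet of payload_len bytes.
    `payload_len` is a constructed input, not a value from the article."""
    if mode not in ("tunnel", "transport"):
        raise ValueError(f"unknown mode {mode!r}")
    iv = IV_SIZE[cipher.lower()]
    # Tunnel mode encrypts the whole GRE packet (GRE IP header + GRE + original);
    # transport mode keeps the GRE IP header outside and encrypts GRE + original.
    encrypted = GRE_HDR + payload_len + (IP_HDR if mode == "tunnel" else 0)
    trailer = esp_trailer_len(encrypted, align)
    esp = IP_HDR + ESP_HDR + iv + trailer + ESP_AUTH
    gre = GRE_HDR + (IP_HDR if mode == "tunnel" else 0)
    return {"iv": iv, "esp_trailer": trailer, "esp": esp, "gre": gre,
            "total": esp + gre, "packet": payload_len + esp + gre}


def max_unfragmented_payload(mode: str, cipher: str, mtu: int = 1500,
                             align: int = 4) -> int:
    """Largest original IP packet that fits in `mtu` without fragmentation."""
    for n in range(mtu, 0, -1):
        if gre_ipsec_overhead(mode, cipher, n, align)["packet"] <= mtu:
            return n
    return 0


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        o = gre_ipsec_overhead(mode, "3des", 100)
        print(f"{mode:9s} 3DES: ESP {o['esp']} + GRE {o['gre']} = {o['total']} bytes; "
              f"max payload at MTU 1500 = {max_unfragmented_payload(mode, '3des')}")
```

With a 100-byte original packet the calculator reproduces the article's 76-byte (Tunnel) and 56-byte (Transport) totals; the 20-byte difference carries through to the maximum unfragmented payload.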

Summary

When comparing GRE over IPSec tunnel and GRE over IPSec transport mode, there are significant differences that cannot be ignored.

If the GRE tunnel and crypto endpoints are not the same (IP address wise), transport mode is definitely not an option.

If packets traverse a device (router) where NAT or PAT is used then again, transport mode cannot be used.

On the other hand, tunnel mode seems to pay-off its 20-byte additional overhead by being flexible enough to be used in any type of WAN environment and offering increased protection by encrypting the GRE IP Header inside the ESP packet.

Taking into consideration the small additional CPU load that tunnel mode produces and the advantages it offers, we don't believe it is a coincidence that Cisco has selected this mode as IPSec's default configuration.


FAQs

Cisco GRE and IPSec - GRE over IPSec?

GRE is a tunneling protocol which is used to transport multicast, broadcast and non-IP packets such as IPX. IPSec is an encryption protocol. IPSec can only transport unicast packets, not multicast and broadcast. Hence we wrap the traffic in GRE first and then in IPSec, which is called GRE over IPSec.

Is it GRE over IPSec or IPSec over GRE?

GRE over IPSec is supported by all AR models and versions, whereas IPSec over GRE is supported only by AR models that run V200R005C10 or later versions. IPSec over GRE technology uses GRE to encapsulate packets that have been encapsulated using IPSec.

Why is GRE preferred over IPSec?

GRE and IPsec complement each other nicely in that IPsec offers confidentiality, integrity and authentication while GRE offers the ability to tunnel traffic that IPsec alone cannot. As such it is of no surprise that GRE over IPsec is a popular solution.

What is the difference between IPSec and Cisco IPSec?

The term Cisco IPsec is just a marketing ploy which basically means plain IPsec using ESP in tunnel mode without any additional encapsulation, and using the Internet Key Exchange protocol (IKE) to establish the tunnel. IKE provides several authentication options, preshared keys (PSK) or X.

What is the difference between GRE over IPSec and IPSec with crypto maps?

When you apply the crypto map on the tunnel interface, you are employing IPSec over GRE while when you apply it on the physical interface, you are employing GRE over IPSec.


What are the two types of IPsec?

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The modes do not affect the encoding of packets. The packets are protected by AH, ESP, or both in each mode.

Is IPsec outdated?

The era of relying on the cumbersome, outdated IPsec is fading. The emergence of WireGuard brings a breath of fresh air to secure networking, offering simplicity, performance, and enhanced security. As organizations evolve and demand more from their secure communication protocols, the choice becomes evident.

What are the two main IPsec protocols?

IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec Architecture includes protocols, algorithms, DOI, and Key Management.

Which mode of IPsec should you use?

Which mode of IPsec should you use to assure the security and confidentiality of data within the same LAN? ESP transport mode should be used to ensure the integrity and confidentiality of data that is exchanged within the same LAN.

What is the header size for GRE over IPsec?

For a GRE tunnel, the header length is 24 bytes. For an IPsec tunnel, the header length is variable and can be up to 64 bytes.

What are the differences between a GRE tunnel and a site-to-site VPN tunnel?

With VPNs, the biggest advantage is that they provide a more secure way for site-to-site traffic to communicate over the internet, which is a public space. VPN tunnels encrypt traffic that is sent across the link, while GRE tunnels simply encapsulate the traffic before sending it over the link.


What is the difference between mGRE and GRE?

Regular GRE tunnels are configured in a point-to-point arrangement, where each tunnel has two endpoints. Multipoint GRE or mGRE as the name implies allows us to have multiple endpoints, resulting in a point to multipoint topology.

What is the difference between L2TP and GRE over IPsec?

Their main difference is that L2TP is a user access protocol whereas GRE is a network protocol. Therefore, L2TP involves only user-side access, and GRE involves only network-side tunnel connectivity. In addition, the packet structures of GRE and L2TP are quite different.


Article information

Author: Fredrick Kertzmann
