I was confusing IPSec over GRE this term before. Spent some hours to google Internet. Found out lots of people doesnot really understanding what are difference between them. Eventually found this answer at http://onlinestudylist.com/archives/ccie_security/2009-August/018744.html

"

There is no terminology as IPSec over GRE. It is always GREoIPSec.

But the question, do you want to put the IPSec into GRE or GRE into IPSec.
It all depends on your configuration.

GREoIPSec is mostly used, when we need encryption but the traffic is not
IPSec compatible. For example, multicast or non IP traffic can't be
encapsulated directly into IPSec. Hence first we encapsulate using GRE and then place it in IPSec.


When you apply crypto map directly on the GRE tunnel interface, IPSec
encapulates the interesting traffic and then this IPSec packet is placed
into GRE.

interface Tunnel0
ip address 10.20.30.40
tunnel source FastEthernet1/0
tunnel destination 10.20.30.43
crypto map vpn ----------------> IPSec over GRE


or

interface Tunnel0
ip address 10.20.30.40
tunnel source FastEthernet1/0
tunnel destination 10.20.30.43
tunnel protection ipsec profile mine ----------->
IPSec over GRE
When you apply crypto map on the physical interface to which the GRE tunnel
is sourced and have interesting traffic as GRE, then the GRE traffic is placed into IPSec.

interface Tunnel0
ip address 10.20.30.40 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 10.20.30.43

int FastEthernet1/0
crypto map vpn
-------------------> GRE over IPsec

" 

By Jon

3 thoughts on ““GRE over IPSec” or “IPSec over GRE” ?”
  1. Have you ever considered publishing an ebook or guest authoring on other websites?
    I have a blog based upon on the same subjects you discuss and would love
    to have you share some stories/information. I know my audience
    would enjoy your work. If you are even remotely interested, feel free to send me an
    email.
    My webpageSandpoint waterfront for sale

Leave a Reply to Алексей ВыродовCancel reply