GRE and IPSec

When combining GRE with IPSec, it's important to understand that where the crypto map is applied determines how tunnelling and encryption take place.

Applying the crypto map to the tunnel interface gives you IPSec over GRE, while applying it to the physical interface gives you GRE over IPSec. Both work, but they do different things:

  • IPSec over GRE: the outer header is GRE, so IPSec is encapsulated within GRE. This means that only the payload is encrypted, not the GRE header.
  • GRE over IPSec: the outer header is IPSec. This means that the whole packet, including both the GRE header and the payload, is encrypted.
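
The difference shows up on the wire. The following is an added example (Python, not from the original page) that builds one constructed packet per layout and classifies it by the headers an on-path observer can read without the IPSec keys. The addresses, SPI values and the `classify` helper are illustrative assumptions.

```python
import struct

IPPROTO_GRE, IPPROTO_ESP, ETHERTYPE_IPV4 = 47, 50, 0x0800

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def gre(payload, proto_type=ETHERTYPE_IPV4):
    """Basic 4-byte GRE header (version 0, no optional fields) plus payload."""
    return struct.pack("!HH", 0, proto_type) + payload

def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext

def parse_ipv4(pkt):
    """Return (protocol number, payload) of an IPv4 packet."""
    return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]

def classify(pkt):
    """Return (layout, headers readable without the IPSec keys)."""
    proto, rest = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        # Everything after the ESP header is ciphertext; a GRE header, if any, is hidden.
        return "GRE over IPSec", ["IP", "ESP"]
    if proto != IPPROTO_GRE:
        return "other", ["IP"]
    flags, ptype = struct.unpack("!HH", rest[:4])
    # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each.
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = rest[off:]
    if ptype == ETHERTYPE_IPV4 and len(inner) >= 20 and parse_ipv4(inner)[0] == IPPROTO_ESP:
        return "IPSec over GRE", ["IP", "GRE", "IP", "ESP"]
    return "plain GRE", ["IP", "GRE"]

# Constructed sample packets (documentation addresses, made-up SPIs).
WAN_A, WAN_B = [192, 0, 2, 1], [198, 51, 100, 1]
TUN_A, TUN_B = [10, 0, 0, 1], [10, 0, 0, 2]
CIPHERTEXT = b"\xaa" * 32  # stand-in for encrypted bytes
IPSEC_OVER_GRE = ipv4(IPPROTO_GRE, WAN_A, WAN_B,
                      gre(ipv4(IPPROTO_ESP, TUN_A, TUN_B, esp(0x1001, 1, CIPHERTEXT))))
GRE_OVER_IPSEC = ipv4(IPPROTO_ESP, WAN_A, WAN_B, esp(0x2002, 1, CIPHERTEXT))

if __name__ == "__main__":
    for name, pkt in (("crypto map on tunnel interface", IPSEC_OVER_GRE),
                      ("crypto map on physical interface", GRE_OVER_IPSEC)):
        print(name, "->", classify(pkt))
```

In a capture, IP protocol 47 on the outer header with ESP nested inside indicates IPSec over GRE, while IP protocol 50 on the outer header is what GRE over IPSec looks like from outside.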

Links:

https://forum.networklessons.com/t/encrypted-gre-tunnel-with-ipsec/999/97?u=lagapides

https://community.cisco.com/t5/routing/difference-between-ipsec-over-gre-and-gre-over-ipsec/td-p/2124471