GRE over IPsec

As mentioned at the beginning of this chapter, IPsec only encapsulates unicast IP traffic, which might be less than desirable in networks in which multicast or non-IP traffic needs to be transferred securely across the IPsec tunnel. With GRE over IPsec, this is possible. The following list outlines the reasons why GRE over IPsec is used:

  • To pass multicast and broadcast traffic across the tunnel securely.

  • To pass non-IP traffic (for instance, Internetwork Packet Exchange (IPX)) across the tunnel securely.

  • To have resiliency (high availability). For more details on this, refer to the section entitled, "Best Practices."

  • To save memory and CPU on the router. For every ACE in the crypto ACL, two IPsec SAs are created (one for each direction). With regular IPsec, the crypto ACL needs many ACEs to cover all of the interesting traffic, which drives up the number of IPsec SAs on the router. Those ACEs can be replaced by a single ACE that matches the GRE traffic between the tunnel endpoints, which creates only two IPsec SAs and so saves memory on the router.

Configuration Steps

To integrate GRE over IPsec, configure a tunnel interface on both routers and force the private network traffic through the tunnel with a dynamic routing protocol (static routing also works). When a packet arrives, the router forwards it to the tunnel interface, which encapsulates it with a GRE header and sends it toward the outgoing interface where the crypto map is configured. Because the interesting-traffic ACL matches the GRE source and destination addresses, the crypto map is triggered and the GRE packet is encapsulated with an IPsec header.
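The steps above, as an added illustration that is not the book's Example 6-19 and does not use the addressing of Figure 6-6. The interface names, the 172.16.0.0/30 tunnel subnet, the RFC 5737 documentation addresses and the pre-shared key are all constructed placeholders.

```cisco
! Constructed addressing (not from Figure 6-6):
!   Dhaka public IP  192.0.2.1 on Serial0/0,   Dhaka LAN  10.1.1.0/24
!   Remote public IP 198.51.100.1,             Remote LAN 10.2.2.0/24
!
! Phase 1: ISAKMP policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! Phase 2: transform set. Transport mode is enough here because the GRE
! encapsulation already supplies an outer IP header between the endpoints.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Interesting traffic is the GRE stream between the two tunnel endpoints only.
! This single ACE replaces one ACE per private subnet pair, so the router
! builds just two IPsec SAs no matter how many LANs ride the tunnel.
ip access-list extended GRE-TRAFFIC
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! GRE tunnel between the public addresses; multicast and non-IP traffic
! entering Tunnel0 is GRE-encapsulated and then matched by GRE-TRAFFIC.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
! The crypto map goes on the physical interface the GRE packets leave through.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
! Force the remote private network through the tunnel. A dynamic routing
! protocol running over Tunnel0 can replace this static route.
ip route 10.2.2.0 255.255.255.0 Tunnel0
```

On IOS releases earlier than 12.2(13)T the crypto map must be applied to the tunnel interface as well as the physical interface; on later releases the physical interface alone is sufficient.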

Example 6-19 shows a basic GRE over IPsec configuration on the Dhaka router, based on Figure 6-6. The basic LAN-to-LAN tunnel configuration on the Dhaka router shown in Example 6-7 is replaced by the GRE over IPsec configuration shown in the following example.