Using GRE with IPsec
GRE is a tunneling protocol that can support multiple Layer 3 protocols,
such as IP, IPX, and AppleTalk. It also allows the use of multicast routing
protocols across the tunnel. It adds a 20-byte IP header and a
4-byte GRE header, hiding the existing packet headers. The GRE header
contains a Flag field and a Protocol Type field that identifies the Layer 3 protocol
being transported. It may optionally contain a tunnel checksum, tunnel
key, and tunnel sequence number. GRE does not encrypt traffic or use any
strong security measures to protect the traffic.
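The following is an added worked example, not code from the book, that builds and parses a GRE header as described above: the 4-byte base header with its flag bits and Protocol Type, the optional Checksum, Key and Sequence Number fields (RFC 2784 and RFC 2890 layout), and the 20-byte outer IP header that carries protocol 47. The inner IPv4/TCP packet and the 192.0.2.x tunnel addresses are constructed sample data. It also shows why the last sentence matters: the original packet appears verbatim inside the tunneled packet, and the optional checksum only detects corruption, it authenticates nothing.

```python
"""Build and parse GRE-over-IPv4 packets to see the 24-byte overhead and the
lack of confidentiality. Added example; the packets below are constructed."""
import ipaddress
import struct

GRE_FLAG_C = 0x8000    # Checksum Present (RFC 2784)
GRE_FLAG_K = 0x2000    # Key Present (RFC 2890)
GRE_FLAG_S = 0x1000    # Sequence Number Present (RFC 2890)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_GRE = 47


def inet_checksum(data: bytes) -> int:
    """Standard Internet (ones' complement) checksum; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key=None, seq=None,
              checksum: bool = False) -> bytes:
    """4-byte base header, then (in this order) Checksum+Reserved1, Key, Sequence."""
    flags, opts = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opts += struct.pack("!I", seq)
    if checksum:
        flags |= GRE_FLAG_C
    base = struct.pack("!HH", flags, proto)
    if checksum:
        # RFC 2784: checksum covers the GRE header (checksum field zeroed) and payload
        csum = inet_checksum(base + b"\x00\x00\x00\x00" + opts + payload)
        base += struct.pack("!HH", csum, 0)
    return base + opts + payload


def parse_gre(data: bytes) -> dict:
    """Decode flags, Protocol Type and whichever optional fields are present."""
    flags, proto = struct.unpack("!HH", data[:4])
    off = 4
    hdr = {"version": flags & 0x7, "proto": proto}
    if flags & GRE_FLAG_C:
        hdr["checksum_ok"] = inet_checksum(data) == 0   # sum over header+payload folds to zero
        off += 4
    if flags & GRE_FLAG_K:
        hdr["key"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        hdr["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    hdr["header_len"] = off
    hdr["payload"] = data[off:]
    return hdr


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, **gre_opts) -> bytes:
    """Plain GRE over IPv4: outer IP header (protocol 47) + GRE header + original packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, build_gre(inner, **gre_opts))


def gre_overhead(inner: bytes, **gre_opts) -> int:
    """Bytes added by the outer IP header plus the GRE header (24 without options)."""
    return len(gre_encapsulate(inner, "192.0.2.1", "192.0.2.2", **gre_opts)) - len(inner)


def inner_packet_visible(outer: bytes, inner: bytes) -> bool:
    """True when the original packet is carried in clear text inside the tunnel packet."""
    return outer.find(inner) != -1


# Constructed sample: inner IPv4/TCP packet 10.1.1.10 -> 10.2.2.20:80 with a SYN and some data
INNER_TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + b"GET / HTTP/1.0\r\n"
INNER_PACKET = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_TCP, INNER_TCP)

if __name__ == "__main__":
    tunneled = gre_encapsulate(INNER_PACKET, "192.0.2.1", "192.0.2.2")
    print("GRE overhead, no options:", gre_overhead(INNER_PACKET), "bytes")
    print("GRE overhead, C+K+S set:", gre_overhead(INNER_PACKET, key=0xCAFE, seq=1, checksum=True), "bytes")
    print("Original packet readable on the wire:", inner_packet_visible(tunneled, INNER_PACKET))
```

The outer header's protocol byte is 47, which is what a firewall or IDS matches to see GRE; everything after the GRE header is the original packet in the clear, which is exactly the gap that wrapping GRE in IPsec ESP closes.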
GRE can be used along with IPsec to provide data source authentication,
data confidentiality, and assurance of data integrity. GRE over IPsec tunnels
are typically configured in a hub-and-spoke topology over an untrusted
WAN to minimize the number of tunnels that each router must maintain.
Figure 4-2 shows how the GRE and IPsec headers work together.
Figure 4-2 GRE over IPsec Headers
[Figure: three header layouts are compared, labeled Original Packet, Transport Mode GRE over IPsec, and Tunnel Mode GRE over IPsec. The Tunnel Mode row reads IP ESP IP GRE IP TCP Data ESP, and the encapsulated portion is marked Encrypted in both IPsec modes.]