We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 581 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


295 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , , , ,

Forum Replies

  1. Hi Mithun,

    These are not the same. Take a look at this picture from my IPsec lesson:

    Ipsec Encapsulation

    When we use IPsec tunnel mode, we encapsulate the original IP packet and put an AH or ESP header and new IP header in front of it. IPsec only supports unicast packets.

    GRE also encapsulates IP packets and it supports multicast traffic. It adds a GRE header in front of the original IP packet and then a new IP header. You can see this in this capture file:

    GRE Encapsulated ICMP Capture

    GRE and IPsec tunnel mode both encapsulate IP packets. GRE doesn't offer any encryption though.

    When we combine GRE and IPsec, normally we use IPsec transport mode. GRE has already added a new IP header so there's no need for IPsec to do it again. That's why you can use transport mode.

    Hope this helps :slight_smile:


  2. Hello again LER-SAK.

    Keep in mind that even if you manually set up the transport mode, it will only function as transport mode when the traffic to be encrypted is to or from the endpoints of the tunnel, such as routing updates from one router, destined to the other router.

    However, traffic that is being transferred between PCs behind the routers will still end up using tunnel mode even if we configure transport mode.

    More specifically:

    Host A ----------------Router1----------Internet-------------Router2----------------Host B

    If we have transport mode configured between Router1 and Router2, communication between Router1 and Router2 should be transport mode. However, if host A pings to host B for example, Router1 converts the packet to tunnel mode EVEN IF you have configured transport mode.

    I hope this has been helpful!


  3. Hi Rene,

    Thank you for your excellent explanation!!! Can you add IKEv2 configuration? That will be great to learn since it was out in 2005.

  4. Dear Rene,
    Thanks for your nice article as always.
    I am little bit confused about your two article "Encrypted GRE Tunnel with IPSEC" and GRE over IPSEC . What is the basic/ main difference between two ?? Pls help me to understand it clearly .Thanks

  5. Hello Mohammad.

    What exactly is meant by each of the two phrases depends on the context. Encrypted GRE Tunnel with IPSec refers to the encryption of the information sent over a GRE tunnel using the functionalities of IPSec. GRE over IPSec is not that specific and it depends on what the person speaking really means.

    IPSec used in combination with GRE can function in two ways, either in tunnel mode, or transport mode.

    Tunnel mode, which is the default, which is also what Rene has configured in the lesson, the whole GRE packet is encapsulated and encrypted within the IPSec packet.

    Transport mode on the other hand, involves the encapsulation of only the GRE payload. The GRE header in this case is not encrypted.

    Take a look at this post by Rene for more details.

    I hope this has been helpful!


39 more replies! Ask a question or join the discussion by visiting our Community Forum