GRE over IPsec

NE Data Collection Ticket
NE Data Collection Ticket

In this article we will talk about GRE over IPsec, and in previous article we already discussed about Configuration Management Tools.

Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol. It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic which may be necessary if the organization requires routing protocols to operate over a VPN. However, GRE does not by default support encryption; and therefore, it does not provide a secure VPN tunnel.

GRE over IPsec

A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic. Therefore, routing protocols will not exchange routing information over an IPsec VPN.

To solve this problem, we can encapsulate routing protocol traffic using a GRE packet, and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway.

The terms used to describe the encapsulation of GRE over IPsec tunnel are passenger protocol, carrier protocol, and transport protocol, as shown in the figure.

The figure depicts the encapsulation of GRE over an IPsec tunnel. There are 5 fields in the IPSec packet are IP, GRE, IP, TCP and Data. IP is the Transport protocol. GRE is the Carrier protocol and IP, TCP and Data are the Passenger Protocol.

  • Passenger protocol – This is the original packet that is to be encapsulated by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
  • Carrier protocol – GRE is the carrier protocol that encapsulates the original passenger packet.
  • Transport protocol – This is the protocol that will actually be used to forward the packet. This could be IPv4 or IPv6.

For example, in the figure displaying a topology, Branch and HQ would like to exchange OSPF routing information over an IPsec VPN. However, IPsec does not support multicast traffic. Therefore, GRE over IPsec is used to support the routing protocol traffic over the IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol) would be encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an IPsec VPN tunnel.

The figure depicts a topology, Branch router and HQ router are exchanging OSPF routing information over an IPsec VPN. A switch is connected to the Branch router. The Branch router is connected to the HQ router over the Internet using an IPsec VPN GRE tunnel. The HQ router is connected to a switch, the switch is connected to an email server.

The Wireshark screen capture in the figure displays an OSPF Hello packet that was sent using GRE over IPsec. In the example, the original OSPF Hello multicast packet (i.e., passenger protocol) was encapsulated with a GRE header (i.e., carrier protocol), which is subsequently encapsulated by another IP header (i.e., transport protocol). This IP header would then be forwarded over an IPsec tunnel.

The figure shows a Wireshark screen capture of an OSPF Hello packet sent using GRE over IPSec. The transport portion of the output is outlined in a rectangle and shows Internet Protocol Version 4, Source:, Destination: The Carrier protocol portion of the output is outlined in a rectangle and shows Generic Routing Encapsulation, Flag and version and Protocol type, IP. The Passenger protocol portion of the output is outlined in a rectangle and shows Internet protocol version 4 Source:, Destination: and states its Open Shortest Path First (OSPF).

1 Trackback / Pingback

  1. Mitigate VLAN Hopping Attacks - Cisco Education

Leave a Reply

Your email address will not be published.