10.3. IPsec over GRE

When GRE and IPsec are used together, two types of connection can be created: IPsec over GRE or GRE over IPsec.

In an IPsec over GRE connection, traffic is first encrypted by IPsec and then transmitted over an unencrypted GRE tunnel, meaning that GRE encapsulation follows IPsec encapsulation.

To configure IPsec over GRE, follow these steps:

| Task | Description |
|---|---|
| Step 1. Configure a GRE tunnel. | For more details on configuring a GRE tunnel interface, see the section Tunnel Interface. Important! When configuring a GRE tunnel interface, make sure to specify the external IP addresses of the device's interfaces as the source (local) and destination (remote) IP addresses. |
| Step 2. Configure a site-to-site VPN connection. | For more details on configuring a site-to-site VPN connection, see the section Site-to-Site VPN connections. Important! When configuring a VPN client rule, specify the IP address of the GRE tunnel interface as the server address. |

A downside of IPsec over GRE is that multicast and broadcast packets are not supported. This problem does not exist when a GRE over IPsec connection is used.
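The encapsulation order described in this section can be verified on a packet capture. The Python sketch below is an added example, not part of the product documentation: it classifies an IPv4 packet as IPsec over GRE, ESP outermost (what GRE over IPsec looks like on the wire) or plain GRE, and lists the address pairs readable in cleartext. It assumes IPv4 and ESP without NAT-T UDP encapsulation; the sample packets and their addresses are constructed.

```python
import socket
import struct

IPPROTO_GRE, IPPROTO_ESP = 47, 50   # IANA IP protocol numbers
GRE_PROTO_IPV4 = 0x0800             # GRE protocol type for an IPv4 payload

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]

def gre_payload(gre):
    """Skip the GRE header, including optional checksum/key/sequence words."""
    flags, proto = struct.unpack("!HH", gre[:4])
    optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return proto, gre[4 + optional:]

def classify(pkt):
    """Return (encapsulation, cleartext address pairs) for one captured packet."""
    src, dst, proto, body = parse_ipv4(pkt)
    visible = [(src, dst)]
    if proto == IPPROTO_ESP:
        return "esp-outermost", visible       # any GRE header is inside the ciphertext
    if proto != IPPROTO_GRE:
        return "other", visible
    gre_proto, inner = gre_payload(body)
    if gre_proto == GRE_PROTO_IPV4:
        isrc, idst, iproto, _ = parse_ipv4(inner)
        visible.append((isrc, idst))
        if iproto == IPPROTO_ESP:
            return "ipsec-over-gre", visible  # only the ESP payload is protected
    return "plain-gre", visible               # GRE payload travels unencrypted

# Constructed samples: EXT stands for the external addresses used as GRE source and
# destination (Step 1), TUN for the GRE tunnel interface addresses (Step 2).
ESP = struct.pack("!II", 0x1000, 1) + bytes(16)   # SPI, sequence, opaque ciphertext
GRE_HDR = struct.pack("!HH", 0, GRE_PROTO_IPV4)
EXT = ("198.51.100.1", "203.0.113.1")
TUN = ("10.0.0.1", "10.0.0.2")
IPSEC_OVER_GRE = ipv4(*EXT, IPPROTO_GRE, GRE_HDR + ipv4(*TUN, IPPROTO_ESP, ESP))
ESP_OUTERMOST = ipv4(*EXT, IPPROTO_ESP, ESP)
PLAIN_GRE = ipv4(*EXT, IPPROTO_GRE, GRE_HDR + ipv4(*TUN, 1, bytes(8)))

if __name__ == "__main__":
    for name in ("IPSEC_OVER_GRE", "ESP_OUTERMOST", "PLAIN_GRE"):
        print(name, classify(globals()[name]))
```

In the IPsec over GRE sample both the external pair and the tunnel interface pair are visible in cleartext, while an ESP-outermost packet exposes only the external pair.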