http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/872-...

THURSDAY, 16 APRIL 2015

Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode

Written by Administrator. Posted in Cisco Routers - Configuring Cisco Routers (/cisco-technical-knowledgebase/cisco-routers.html)

GRE tunnels are very common amongst VPN implementations thanks to their simplicity and ease of configuration. Because GRE carries broadcast and multicast traffic, which pure IPSec VPNs cannot, it tends to be the engineers' first choice, especially when routing protocols run between sites.

The problem with GRE is that it is purely an encapsulation protocol: it does a terrific job of providing connectivity between sites and nothing at all to protect the data transferred between them. GRE is stateless, offers no flow control and provides no encryption or authentication (think of UDP). This is where IPSec comes into the picture.

IPSec's objective is to provide security services for IP packets: confidentiality (encryption of sensitive data), data-origin authentication and integrity, and protection against replay. IPSec is extensively covered in our IPSec protocol (/networking-topics/protocols/127-ip-security-protocol.html) article.

IPSec can be used in conjunction with GRE to encrypt and authenticate our data, giving a complete, secure and flexible VPN solution. IPSec can operate in two modes, Tunnel mode and Transport mode. Both are covered extensively in our Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode (/networking-topics/protocols/870-ipsec-modes.html) article. Cisco GRE tunnel configuration is covered in our Configuring Cisco Point-to-Point GRE Tunnels (/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html) article. We highly recommend reading these articles before proceeding, as they are a prerequisite for understanding the information covered here.

As with plain IPSec, GRE over IPSec can be configured in two modes: GRE IPSec Tunnel mode and GRE IPSec Transport mode.

This article examines the differences between GRE IPSec Tunnel and GRE IPSec Transport mode, explains the packet structure of each and weighs the advantages and disadvantages of each mode.

GRE IPSEC TUNNEL MODE


With GRE IPSec Tunnel mode, the whole GRE packet (GRE IP header, GRE header and the original IP packet) is encapsulated, encrypted and authenticated inside a new IPSec packet with its own outer IP header. Tunnel mode therefore provides additional security because no part of the GRE tunnel is exposed; the price is significant per-packet overhead. This overhead reduces the space available for our payload (the original IP packet), which means more fragmentation is likely when transmitting data over a GRE IPSec Tunnel VPN unless the tunnel MTU and TCP MSS are lowered to compensate.

Tunnel mode is the default for both GRE and non-GRE IPSec VPNs. When configuring the IPSec transform set, no further command is required to enable it:

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

Note that 3DES and MD5 are used in this article's examples; both are now deprecated, and a new deployment should use AES (for example esp-aes 256) with an SHA-2 HMAC (for example esp-sha256-hmac). Doing so changes the IV and ESP Auth sizes used in the overhead calculations below.

CALCULATING GRE IPSEC TUNNEL MODE OVERHEAD


Calculating the overhead will help us understand how much additional space GRE over IPSec in Tunnel mode requires and our effective usable space.

The packet structure below shows an example of GRE over IPSec in Tunnel mode:

[Packet structure diagram not reproduced in this copy; its fields are those listed in the calculation below.]
Two important points to keep in mind when calculating the overhead:

- Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) could be 8 or 16 bytes long. DES or 3DES (64-bit block) introduce an 8-byte IV field, whereas AES (128-bit block) introduces a 16-byte IV field. In our example we are using 3DES encryption, therefore producing an 8-byte IV field.

- The ESP Trailer varies in size. It consists of 0 to 255 bytes of padding followed by the 1-byte Pad Length and 1-byte Next Header fields. The padding brings the encrypted portion (payload + padding + Pad Length + Next Header) up to a multiple of the cipher block size (8 bytes for DES/3DES, 16 bytes for AES) and right-aligns Pad Length and Next Header within a 4-byte word, so that the ESP Auth field that follows starts on a 4-byte boundary. The trailer is therefore between 2 bytes (no padding needed) and 2 + block size - 1 bytes, depending on the length of the packet being encrypted.

Following is the calculated overhead:

ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes

Note: the ESP Trailer has been taken as 4 bytes (2 bytes of padding plus the Pad Length and Next Header fields), as per the note above; the actual figure depends on the packet length. The 12-byte ESP Auth field is the truncated MD5-96 (or SHA1-96) ICV; SHA-256 produces a 16-byte ICV.

GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes

Total Overhead: 52 + 24 = 76 Bytes

GRE IPSEC TRANSPORT MODE

With GRE IPSec Transport mode, the GRE header and the original IP packet are encapsulated and encrypted inside the ESP packet, but the GRE IP header is not: it is reused as the outer IP header and placed at the front of the packet. The GRE IP header is therefore exposed in clear text, whereas in Tunnel mode it is encrypted. (In practice the loss is small when, as is usual, the GRE endpoints are the same addresses as the crypto endpoints, since those addresses appear in the outer IP header of a Tunnel-mode packet anyway.)

Transport mode is not the default and must be enabled with the mode transport command under the IPSec transform set:

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport

Once the tunnel is up, confirm which mode was actually negotiated with show crypto ipsec sa: each SA reports in use settings ={Transport, } or ={Tunnel, }.

GRE IPSec Transport mode has a few implementation restrictions. It cannot be used if the crypto tunnel transits a device performing Network Address Translation (/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html) (NAT) or Port Address Translation (PAT); in such cases Tunnel mode must be used. Finally, if the GRE tunnel endpoints and the crypto tunnel endpoints are different addresses, Transport mode cannot be used: in Transport mode the GRE IP header is the IPSec IP header, so the two pairs of addresses are necessarily the same.

These limitations seriously restrict the use of Transport mode in a WAN environment.


CALCULATING GRE IPSEC TRANSPORT MODE OVERHEAD


Calculating the overhead will help us understand how much space GRE over IPSec in Transport mode uses and our effective usable space.

The packet structure below shows an example of GRE over IPSec in Transport mode:

[Packet structure diagram not reproduced in this copy; its fields are those listed in the calculation below.]

The same two points as for Tunnel mode apply when calculating the overhead: the IV is 8 bytes for DES/3DES and 16 bytes for AES (our example uses 3DES, so 8 bytes), and the ESP Trailer varies with the packet length and is again taken as 4 bytes here.

Following is the calculated overhead:

ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes

GRE Overhead: 4 (GRE) = 4 Bytes

Total Overhead: 52 + 4 = 56 Bytes

Note: the 20-byte IP header counted under ESP is the GRE IP header itself, which Transport mode reuses as the outer IP header; that is why only the 4-byte GRE header is counted as GRE overhead.

Transport mode therefore saves 20 bytes per packet, the second IP header that Tunnel mode adds (the exact saving on a given packet varies by a few bytes either side of 20 because of ESP padding). This may save a moderate amount of bandwidth on a WAN link, particularly for small-packet traffic such as VoIP, but the cost of encryption is dominated by the payload, so there is no meaningful reduction in CPU load from using this mode.
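The two overhead calculations above (Tunnel mode, 76 bytes; Transport mode, 56 bytes) take the ESP Trailer as a fixed 4 bytes. The following Python script is an added example, not code from the article, that does the same accounting for any packet size and shows what the fixed figure hides: because ESP pads to the cipher block size, the trailer grows and shrinks with the packet length, so the Transport-mode saving is not always 20 bytes (with 3DES it is 16 or 24 bytes depending on the packet). It also computes the largest original packet that fits a 1500-byte link without the router fragmenting the ESP packet, which is the value to use for ip mtu on the tunnel interface. Assumptions not stated on the page: IPv4 headers without options, a 4-byte GRE header with no key, sequence or checksum options, CBC ciphers whose IV equals the block size, 12-byte truncated ICVs for MD5/SHA-1 and 16 bytes for SHA-256, and no NAT-T UDP encapsulation (which would add 8 bytes).

```python
"""GRE over IPSec per-packet overhead: Tunnel mode vs Transport mode.

Added example, not code from the firewall.cx article. Reproduces the
page's 76-byte (Tunnel) and 56-byte (Transport) figures and shows how
the ESP Trailer really varies with packet length and cipher block size.

Assumptions (not stated on the page): IPv4 headers without options, a
plain 4-byte GRE header, CBC-mode ciphers (esp-des, esp-3des, esp-aes)
whose IV equals the block size, truncated ICVs of 12 bytes (MD5-96,
SHA1-96) or 16 bytes (SHA-256-128), and no NAT-T UDP encapsulation.
"""

IP_HDR = 20            # IPv4 header, no options
GRE_HDR = 4            # GRE header with no optional fields
ESP_HDR = 8            # SPI (4) + Sequence Number (4)
ESP_TRAILER_FIXED = 2  # Pad Length (1) + Next Header (1)

BLOCK_SIZE = {"des": 8, "3des": 8, "aes": 16}    # also the IV length for CBC
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16}  # ESP Auth (ICV) length


def esp_padding(plaintext_len: int, cipher: str) -> int:
    """Padding bytes so that plaintext + padding + Pad Length + Next Header
    is a multiple of the cipher block size (which also keeps Pad Length and
    Next Header right-aligned in a 4-byte word, as RFC 4303 requires)."""
    return (-(plaintext_len + ESP_TRAILER_FIXED)) % BLOCK_SIZE[cipher]


def gre_ipsec_overhead(payload_len: int, mode: str,
                       cipher: str = "3des", auth: str = "md5") -> dict:
    """Byte accounting for one original IP packet of payload_len bytes sent
    over GRE/IPSec in the given mode ("tunnel" or "transport")."""
    if mode not in ("tunnel", "transport"):
        raise ValueError(f"unknown mode {mode!r}")
    # Tunnel mode encrypts the whole GRE packet (GRE IP hdr + GRE + payload)
    # behind a new outer IP header. Transport mode reuses the GRE IP header
    # as the outer header and encrypts only GRE + payload.
    encrypted = GRE_HDR + payload_len + (IP_HDR if mode == "tunnel" else 0)
    pad = esp_padding(encrypted, cipher)
    trailer = pad + ESP_TRAILER_FIXED
    wire_len = (IP_HDR + ESP_HDR + BLOCK_SIZE[cipher]   # outer IP, ESP hdr, IV
                + encrypted + trailer + ICV_LEN[auth])
    return {"encrypted": encrypted, "pad": pad, "trailer": trailer,
            "wire_len": wire_len, "overhead": wire_len - payload_len}


def max_payload(link_mtu: int, mode: str,
                cipher: str = "3des", auth: str = "md5") -> int:
    """Largest original IP packet that fits in link_mtu without the router
    fragmenting the ESP packet. Use it for 'ip mtu' on the tunnel interface
    and subtract 40 (IPv4 + TCP headers) for 'ip tcp adjust-mss'."""
    for size in range(link_mtu, 0, -1):
        if gre_ipsec_overhead(size, mode, cipher, auth)["wire_len"] <= link_mtu:
            return size
    raise ValueError("MTU too small for any payload")


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for payload in (100, 104):   # two sizes straddling a 3DES block boundary
            r = gre_ipsec_overhead(payload, mode)
            print(f"{mode:9} payload={payload}: trailer={r['trailer']:>2} "
                  f"overhead={r['overhead']} wire={r['wire_len']}")
        fit = max_payload(1500, mode)
        print(f"{mode:9} largest packet at MTU 1500: {fit} "
              f"-> ip mtu {fit}, ip tcp adjust-mss {fit - 40}")
```

Run as-is it reports 76 bytes for a 100-byte packet in Tunnel mode and 56 bytes for a 104-byte packet in Transport mode (the page's figures), 60 and 80 bytes for the neighbouring sizes, and 1422/1442 bytes as the largest packets that fit a 1500-byte MTU with 3DES/MD5. The commonly configured ip mtu 1400 / ip tcp adjust-mss 1360 on a GRE/IPSec tunnel interface is simply a safe round-down of these figures that also leaves room for GRE options, the larger AES IV and NAT-T.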

CONCLUSION

When comparing GRE over IPSec Tunnel mode and GRE over IPSec Transport mode, there are significant differences that cannot be ignored.

If the GRE tunnel endpoints and the crypto endpoints are not the same IP addresses, Transport mode is definitely not an option.

If packets traverse a device (router) where NAT or PAT is used, Transport mode again cannot be used.

On the other hand, Tunnel mode pays off its 20-byte additional overhead by being flexible enough to be used in any type of WAN environment and by encrypting the GRE IP header inside the ESP packet.

Taking into consideration the small additional CPU load Tunnel mode produces and the advantages it offers, we don't believe it is a coincidence that Cisco selected this mode as IPSec's default.

12 comments

Marrie Muts, Utrecht University (14 May 2012 at 08:33):
gre over ipsec offers a terrible throughput performance on most platforms due to lack of gre processing acceleration.., so the next article is about vti approach?

Chris Partsenidis, Founder, Editor-in-Chief at Firewall.cx (14 May 2012 at 11:54):
Marrie, I've actually benchmarked gre over ipsec with crypto ipsec tunnels and to be honest, the throughput on a DSL wan line was the same. Figures might be different on a T1 or greater connection and there might be a big impact as you say. VTI is on the list, however mGRE and DMVPN is next :) Hope you enjoy and share!

Khensani Gregory Baloyi (30 October 2012 at 08:47):
Great article!

Mohan Raj, GISOCC Infrastructure Engineer at Valeo (19 December 2012 at 09:29):
Very good article, really useful information.

Elias Mulenga (1 February 2013 at 02:09):
great stuff

Abuty Mofya, Self-employed (1 February 2013 at 05:53):
good staff

Obinabo Ken, Northumbria University (22 August 2013 at 04:13):
Wonderful article

Copyright 2000-2015 Firewall.cx - All Rights Reserved

