dslreports logo
    All Forums Hot Topics Gallery


how-to block ads

Search Topic:
share rss forum feed

reply to GM85

Re: Need a Little help with Easy VPN

said by GM85:
I do have a quick question, When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (basically, what's the difference between a GRE tunnel, and this type of tunnel?)
In a nutshell, the VPN tunnel never forwards the routing broadcasts through the tunnels. Neither do they send the routing updates. To send the routing updates (so that the remote location can learn the network on the local side) you must use IPSec over GRE. With this feature,the routing updates are first encapsulated over a new GRE packet and then forwarded through the VPN tunnel. This is useful and required if you are using OSPF, RIP, EIGRP in your internal network and need to build a routing tunnel.

Here's some more detail and links/differences between a pure IPSec vpn tunnel and a GRE over IPSec tunnel:

Pure IPSec vpn tunnel

In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.

If you have non ip traffic, example, ipx, then it is not able to go into the vpn tunnel.

OSPF, EIGRP, are not transferred in the tunnel.

The urls below might be helpful for you about IPSec,




GRE over IPSec vpn tunnel

In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc... is first going to be GRE encapsulated and then this packet is then subjected to IPSec encapsulation.

Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip) can be routed through because when the original packet (ip/non ip) is GRE encapsulated, then it will have an ip header (as defined by the GRE tunnel (normally the tunnel interface ip addresses)) then the IPSec protocol can understand the ip packet and and can therefore be able to encapsulate the GRE packet to make it GRE over IPSec.

please visit the urls below for more info.,



Last but not least, here's another link for a sample config. which uses GRE/IPSEC, CBAC and NAT but I am sure that you will be able to remove the CBAC if you do not want it.

Hope that helps.

When you post a question, you expect a reply. When I post a reply, I expect a response. Not only if the problem still exists, but also when it works. Its nice to know that the reply I gave works AND it also helps others with that problem to solve it.

Eschew Obfuscation
Premium,MVM,ExMod 2003-06
The post above was added to the FAQ here: http://www.dslreports.com/faq/8228.