Difference between IPSec over GRE and GRE over IPSec and their limitations
IPsec over GRE and GRE over IPsec are two ways of combining the same two tunnelling technologies, IPsec and Generic Routing Encapsulation (GRE). They differ only in which encapsulation is applied first, but that order decides where the IPsec policy is enforced and therefore which packets are actually protected. Let's look at each in turn.
IPsec over GRE:
With IPsec over GRE, the original IP packet is first encapsulated by IPsec, and the resulting IPsec packet is then carried inside GRE.
[Original IP Packet]
↓
[IPsec Header + Original IP Packet]
↓
[GRE Header + IPsec Header + Original IP Packet]
Explanation:
IPsec over GRE applies the IPsec policy on the tunnel interface. Traffic to be encrypted is selected on that interface by an ACL that matches flows between the two user network segments, that is, the inner source and destination subnets.
Packets that match the ACL are first encapsulated by IPsec and then by GRE before being sent over the tunnel. Packets that do not match the ACL are sent over the GRE tunnel as they are, in cleartext, so any flow the ACL does not name crosses the underlay unprotected. Traffic generated by the tunnel itself (GRE keepalives, for example) never passes through the tunnel interface's IPsec policy either, so the tunnel is not protected by IPsec while it is being set up and maintained.
GRE over IPsec:
With GRE over IPsec, the original IP packet is first encapsulated by GRE, and the resulting GRE packet is then protected by IPsec.
[Original IP Packet]
↓
[GRE Header + Original IP Packet]
↓
[IPsec Header + GRE Header + Original IP Packet]
Explanation:
GRE over IPsec applies the IPsec policy on the physical (underlay) interface. The ACL there matches the GRE packets themselves, that is, IP protocol 47 between the two gateway addresses, rather than the user flows inside them. Because everything leaving the GRE tunnel is a GRE packet between those two gateways, all traffic carried by the tunnel is protected by IPsec, including routing updates, keepalives and anything else exchanged while the tunnel is being set up.
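The two explanations above come down to where the ACL is evaluated. The following model, added here as a worked example rather than code from the original page, runs a few constructed packets through both designs and reports which ones end up encrypted. The gateway addresses, LAN prefixes and ACLs are assumptions chosen to match the two descriptions; header lists are given outermost-first, and no real cryptography is performed, only the policy decision.

```python
"""Which flows are actually encrypted: IPsec over GRE versus GRE over IPsec.

Added worked example, not code from the original page. The topology (two
gateways, one LAN behind each) and the ACLs are constructed to match the
two designs described above. Header lists are outermost-first; only the
policy decision is modelled, no real cryptography is performed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

GRE = 47   # IP protocol number of a GRE payload
ESP = 50   # IP protocol number of an IPsec ESP payload

# Assumed addressing: public gateway addresses and the LANs behind them.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
LAN_A, LAN_B = "10.1.0.0/24", "10.2.0.0/24"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int   # payload protocol: 6 = TCP, 17 = UDP, 47 = GRE, ...


@dataclass(frozen=True)
class AclRule:
    """One permit entry: protocol (None = any) plus source/destination prefixes."""
    proto: Optional[int]
    src: str
    dst: str

    def matches(self, p: Pkt) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def acl_permits(acl: List[AclRule], p: Pkt) -> bool:
    return any(r.matches(p) for r in acl)


def ipsec_over_gre(p: Optional[Pkt], acl: List[AclRule]) -> Tuple[List[str], bool]:
    """IPsec policy bound to the tunnel interface, so the ACL sees the inner packet.

    p is None for traffic the tunnel itself originates (a GRE keepalive, say),
    which never passes through the tunnel interface's IPsec policy at all.
    """
    outer = [f"IP {GW_A}->{GW_B} proto={GRE}", "GRE"]
    if p is None:
        return outer + ["(keepalive, cleartext)"], False
    inner = f"IP {p.src}->{p.dst} proto={p.proto}"
    if acl_permits(acl, p):
        # Matching flow: IPsec tunnel mode wraps it first, GRE wraps the result.
        return outer + [f"IP {GW_A}->{GW_B} proto={ESP}", "ESP", inner + " (encrypted)"], True
    # Anything else is forwarded over the bare GRE tunnel in the clear.
    return outer + [inner + " (cleartext)"], False


def gre_over_ipsec(p: Optional[Pkt], acl: List[AclRule]) -> Tuple[List[str], bool]:
    """IPsec policy bound to the physical interface, so the ACL sees the GRE packet."""
    inner = "(keepalive)" if p is None else f"IP {p.src}->{p.dst} proto={p.proto}"
    on_wire = Pkt(GW_A, GW_B, GRE)   # what the physical interface classifies
    if acl_permits(acl, on_wire):
        # Transport mode: the GRE outer header is reused, ESP sits between it and GRE.
        return [f"IP {GW_A}->{GW_B} proto={ESP}", "ESP", "GRE (encrypted)",
                inner + " (encrypted)"], True
    return [f"IP {GW_A}->{GW_B} proto={GRE}", "GRE", inner + " (cleartext)"], False


# The ACL each design needs.
ACL_USER_FLOWS = [AclRule(None, LAN_A, LAN_B)]                # IPsec over GRE: inner subnets
ACL_GRE_FLOWS = [AclRule(GRE, GW_A + "/32", GW_B + "/32")]   # GRE over IPsec: GRE between gateways

if __name__ == "__main__":
    lan_to_lan = Pkt("10.1.0.5", "10.2.0.7", 6)
    # Routed into the tunnel (by a static route, assumed) but outside the user-flow ACL.
    lan_to_other = Pkt("10.1.0.5", "192.0.2.9", 17)
    for name, fn, acl in (("IPsec over GRE", ipsec_over_gre, ACL_USER_FLOWS),
                          ("GRE over IPsec", gre_over_ipsec, ACL_GRE_FLOWS)):
        for p in (lan_to_lan, lan_to_other, None):
            layers, protected = fn(p, acl)
            print(f"{name}: {'protected' if protected else 'CLEARTEXT'}  " + " / ".join(layers))
```

Running it shows the asymmetry directly: under IPsec over GRE the LAN-to-LAN flow is encrypted but the second flow and the keepalive leave in cleartext, while under GRE over IPsec all three are encrypted because the physical interface only ever sees GRE between the two gateways. Feeding `ACL_USER_FLOWS` to `gre_over_ipsec` reproduces a common misconfiguration: the ACL never matches the GRE packet, so nothing is encrypted at all.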
GRE over IPsec works with IPsec in either tunnel or transport mode. Tunnel mode adds a second outer IP header (20 bytes for IPv4) in front of the ESP header, which enlarges every packet and makes fragmentation more likely; transport mode reuses the GRE packet's own outer IP header, so it is the recommended choice. Transport mode is only possible because the IPsec peers are the same two addresses as the GRE tunnel endpoints; if IPsec had to terminate on different devices, tunnel mode would be required.
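To put numbers on the fragmentation point, here is an added worked example (not from the original page) that computes the on-wire size of a GRE over IPsec packet in each mode and the largest inner packet that still fits a given MTU. It assumes IPv4, a 4-byte GRE header with no optional fields, and ESP with AES-CBC (16-byte IV and block) plus a 12-byte ICV, which are the common defaults; other cipher suites just change the constants.

```python
"""ESP overhead for GRE over IPsec in transport versus tunnel mode.

Added worked example, not from the original page. Assumptions: IPv4 without
options, a 4-byte GRE header (RFC 2784, no key/sequence/checksum), ESP with
a 16-byte IV and 16-byte cipher block (AES-CBC) and a 12-byte ICV
(HMAC-SHA1-96 style truncation). Adjust the keyword arguments for other suites.
"""
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # GRE with no optional fields
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_payload_len(plain_len: int, block: int = 16) -> int:
    """Plaintext plus trailer, padded up to the cipher block size."""
    return -(-(plain_len + ESP_TRAILER) // block) * block


def wire_size(inner_len: int, mode: str, iv: int = 16, icv: int = 12, block: int = 16) -> int:
    """Bytes on the physical link for an inner IP packet of inner_len bytes."""
    if mode == "transport":
        # GRE's outer IP header is reused as the ESP outer header; GRE + inner are encrypted.
        encrypted = GRE_HDR + inner_len
    elif mode == "tunnel":
        # The whole GRE packet, outer IP included, is encrypted behind a new IP header.
        encrypted = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    return IP_HDR + ESP_HDR + iv + esp_payload_len(encrypted, block) + icv


def max_inner_len(mtu: int, mode: str, iv: int = 16, icv: int = 12, block: int = 16) -> int:
    """Largest inner IP packet that fits in mtu without fragmenting the ESP packet."""
    # Room left for the encrypted section, rounded down to a whole cipher block.
    room = (mtu - IP_HDR - ESP_HDR - iv - icv) // block * block
    room -= ESP_TRAILER + GRE_HDR
    if mode == "tunnel":
        room -= IP_HDR          # the extra outer IP header costs another 20 bytes
    return room


def recommended_tcp_mss(mtu: int, mode: str, **kw) -> int:
    """TCP MSS to clamp on the tunnel so segments never need fragmentation."""
    return max_inner_len(mtu, mode, **kw) - IP_HDR - 20   # minus IPv4 and TCP headers


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9} 1500-byte inner -> {wire_size(1500, mode)} bytes on the wire; "
              f"max inner at MTU 1500 = {max_inner_len(1500, mode)}; "
              f"TCP MSS to clamp = {recommended_tcp_mss(1500, mode)}")
```

With a 1500-byte underlay MTU, transport mode leaves room for a 1434-byte inner packet and tunnel mode for 1414, exactly the 20-byte outer IP header apart. The practical use is the last figure: setting the tunnel interface MTU to `max_inner_len` and clamping TCP MSS to `recommended_tcp_mss` avoids post-encryption fragmentation, which otherwise forces the receiving gateway to reassemble ESP fragments before it can verify the ICV.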
Comparison:
IPsec on its own encapsulates and encrypts only unicast IP packets, whereas GRE can carry unicast, multicast and broadcast traffic (and, because the GRE header carries a protocol type, non-IP payloads), which is what dynamic routing protocols such as OSPF need across the tunnel. GRE, however, provides no confidentiality, integrity or authentication: anyone on the path can read, modify or inject tunnel packets. Combining the two gives the flexibility of GRE with the protection of IPsec, as either IPsec over GRE or GRE over IPsec. Of the two, GRE over IPsec protects everything the tunnel carries, including its own control traffic, while IPsec over GRE protects only the flows the ACL explicitly selects, so GRE over IPsec is the safer default.