Both IPSec and GRE are standard Virtual Private Networking (VPN) tunneling protocols for site-to-site data communication. They are included by default in many enterprise grade Router/Firewall/VPN products, and usually are inter-operable between different brands. All RansNet mbox appliances (CMG, HSG, HSA) support these two protocols as well.

IPSec includes a suit of security protocols that provide data security, authenticity and integrity (see earlier post). However, IPSec has some limitations, eg. IPSec used to have problems when tunnels pass through NAT device (although can work around with NAT-T), and most importantly IPSec tunnel does not support dynamic routing protocols (eg. OSPF/BGP). This makes large sites deployment difficult, because large scale deployment usually relies on dynamic routing to auto learn networks between sites and auto fail-over between redundant paths etc.

GRE is a very commonly used encapsulation protocol and it's very easy to implement. In addition, GRE tunnel supports dynamic routing protocols across the tunnel. However, GRE tunnel does not encrypt data across the WAN/Internet so it's not ideal for security.

"IPSec over GRE" combines the best of both worlds. So the idea is to build GRE tunnel between site-to-site, run dynamic routing protocols within GRE tunnel, so that we can auto learn routes and pass data between sites within GRE tunnels and fast fail-over between redundant tunnels/paths if any; then use IPSec to encrypt GRE tunnel, therefore all data transmitted within GRE tunnel is also encrypted.

There're two main drivers for using "IPSec over GRE":

1. Encrypt multiple networks between sites. Usually if we use IPSec only, we have to specify all the networks in the encryption domains (local and remote LANs), which can easily prompt configuration errors. And there are also compatibility problems between different vendor products due to implementation differences. So building a single GRE tunnel and a simple IPSec tunnel to encrypt the GRE tunnel is very simple, then we just need to add routes (static or dynamic) to forward traffic across the GRE tunnel.

2. Simplify deployment. In large scale deployment, with multiple remote sites, we will prefer to use dynamic routing protocols (eg. OSPF/BGP) to auto learn and advertise network routes among all sites. This makes configuration very simple and very easy to maintain. Many SD-WAN vendors use this combination as their underlying SD-WAN technologies, overlayed with some other advanced features.

There're a few things we need to take note when implementing "IPSec over GRE"

1. Since we're talking about static tunnels here, both peers must have publicly reachable static IP addresses (SD-WAN implementation will be a separate discussion).

2. GRE and IPSec tunnels add overheads (headers) to original packets, so we need to decrease the GRE tunnel mtu size to "shrink" a bit of the data payload size. The recommended GRE tunnel mtu size is 1400.

3. Note L3 GRE tunnel requires IP address assignment, usually a private/unused network, and the peer tunnel IP addresses must be in the same network/subnet.

4. If you're running OSPF between sites, then just follow OSPF configuration to advertise routes; if you're not, just add static routes to reach each other via the GRE tunnel (use peer GRE tunnel IP as next hope).

5. If you have firewall SNAT rules, please make sure to have "exempt" rule to supersede the SNAT rules, so that the tunnel source/destination is not being mistakenly overwritten by firewall.

6. Configure other firewall-access rules necessary to allow traffic to pass through each other.

CONFIGURATION EXAMPLE