Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network, and it can also be used to build Virtual Private Networks (VPN) between sites. However do note that, unlike IPSec tunnels, GRE tunnel only encapsulates data, and it doesn't encrypt data. So GRE is typically used in conjunction with IPsec tunnel. Because IPSec tunnel doesn't support multicast traffic (therefore not support routing protocols), we usually use GRE tunnel to encapsulate first, then use IPSec to encrypt GRE, usually call "GRE over IPSec".

Both CMG and HSA support GRE tunnels. This section only focuses on configuring GRE tunnel on CMG. Please refer to later section on HSA GRE tunnel configuration.