3 Replies Latest reply: Apr 13, 2019 9:51 AM by Sergey


    Richard H

      Hello all,


      I am currently studying for the CCNA using the Netacad course "CCNA Routing and Switching: Connecting Networks" and I had a question regarding tunneling using GRE. I suppose it is a more fundamental question: why encapsulate private addresses (using GRE), rather than simply routing the traffic to the destination? What benefit does that offer? Also, if you want to encrypt your traffic (I know GRE doesn't encrypt), why not only encrypt the payload and not touch the rest of the packet? Just trying to see what "need" GRE is supposed to fulfill.





        • 1. Re: VPN's



          One application of GRE: Transition from IPv4 to IPv6


          Another application: IPsec over GRE


          More details: https://networkology.net/2013/07/16/ipsec-over-gre-configuration-and-explanation-ccie-notes/


          Best regards!

          • 2. Re: VPN's

            Benefits of IPsec Virtual Private Networks are: confidentiality, integrity, authentication, and anti-replay protection. A VPN is a tunnel carrying data that is invisible to others over public or private networks. The obvious use is VPN over the Internet. Anyone in the middle, your and my ISPs, does not see the traffic and is not able to read or capture it.

            Governments, banks, and other companies will lease private lines from an ISP but still use VPNs for secure transactions and data communications. The ISP is unable to intercept the traffic. A traffic trace shows me 2 hops away when we are on 2 different continents. If you work in an IT/IS firm where anyone and everyone knows how to use Wireshark and you have something that needs to be hidden from other people, you can use a VPN.


            There are 2 modes: GRE over IPsec (recommended) or IPsec over GRE (not so much). One application of those 2 modes is crypto maps. Crypto maps are used in legacy IPsec site-to-site VPN (which was replaced by modern VTI IPsec site-to-site VPN technology).

            DMVPN uses GRE tunnels in the form of multipoint GRE tunnels plus IPsec to encrypt traffic.

            GRE can carry any type of traffic (IPv6 or multicast), and OSPF virtual links can be replaced by a GRE tunnel.

            The major, but now considered legacy, IPsec site-to-site VPN was replaced by modern VTI IPsec site-to-site VPN technology.

            • 3. Re: VPN's



              The main reason to encapsulate the VPN packets into GRE is that private addresses are not routable in the Internet. If you have two hosts in private networks separated by the Internet, you can't send traffic directly, because routers in the Internet won't have the routes to either of them. They will only have routes to reach the VPN endpoints, so traffic can go between them. But you don't just need to send data from one VPN router to another. You need communication beyond them, inside the private network. That's where encapsulation comes into play. Traffic between the target host and the VPN router goes directly, as they both reside on the same private network. The VPN router has a route to reach the sending host. It then knows that the receiving host is behind another VPN router reachable over the Internet. It then encapsulates the original packet, with its IP header, into GRE and sends it over the Internet to the remote VPN router. That router, upon receiving the packet, decapsulates it and, as the original IP header was preserved inside, it knows the original destination IP that resides on the local private network. And the reason to encrypt the entire packet is security. You don't want any entity in the Internet to be able to see any information in the packets you send.
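The encapsulation described in this reply, as an added Python example that is not part of the thread: it builds an IPv4 packet between two private hosts, wraps it in an outer IPv4 header addressed to the tunnel endpoints plus a four-byte GRE header, and strips those headers again at the far end. All addresses are constructed sample values from the documentation ranges, and the GRE header uses no optional fields.

```python
import struct
from ipaddress import ip_address

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def ip_addrs(packet: bytes) -> tuple[str, str]:
    """(source, destination) of the IPv4 header at the start of `packet`: what a router routes on."""
    return str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a whole IPv4 packet: outer IP header (tunnel endpoints) + GRE header + untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0: no checksum, key or sequence fields
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IP and GRE headers, strip them, and return the original inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0 or packet[9] != GRE_PROTO:
        raise ValueError("not a well-formed IPv4/GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:   # C, K or S bit set: optional GRE fields present, which this example does not parse
        raise ValueError("GRE checksum/key/sequence fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected GRE payload type 0x{ptype:04x}")
    return packet[ihl + 4:]

# Constructed sample: private hosts on each site, public tunnel endpoints, an 8-byte UDP header as payload.
INNER_PACKET = ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x30\x39\x00\x35\x00\x08\x00\x00"
TUNNEL_PACKET = gre_encapsulate(INNER_PACKET, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("Internet routes on:", ip_addrs(TUNNEL_PACKET))                       # ('198.51.100.1', '203.0.113.1')
    print("Remote site routes on:", ip_addrs(gre_decapsulate(TUNNEL_PACKET)))   # ('10.1.1.10', '10.2.2.20')
    print("Inner packet readable in transit:", INNER_PACKET in TUNNEL_PACKET)  # True: GRE adds no confidentiality
```

The last line is the point behind the encryption question: the private addresses and payload travel verbatim inside the GRE packet, which is why IPsec is layered on top of it.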