What are the differences between GRE and IPSec


IPSec encrypts only unicast packets, but not multicast packets. GRE can encapsulate multicast packets into unicast packets, but cannot encrypt packets.
The major function of GRE is to encapsulate IPv6 packets and multicast packets, such as routing protocol, voice, and video packets.

Other related questions:
Difference between the L2TP and the IPSec on the USG2000 and USG5000
L2TP provides tunnel transmission support for data frames on the PPP link layer and allows the L2 link termination point and the PPP session point to reside on different devices, thereby expanding the PPP model. That is, L2TP establishes a PPP link between a cross-LAC user and the LNS. IPSec is an open network-layer security framework protocol defined by the Internet Engineering Task Force (IETF). It is a series of protocols and services that provide IP network security. IPSec mainly includes the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and the algorithms used for network authentication and encryption. The L2TP over IPSec mechanism encapsulates packets first with L2TP and then with IPSec. In this way, L2TP over IPSec combines the advantages of both types of VPN: it implements user authentication and address allocation based on L2TP, and makes up for the disadvantages of IPSec in terms of user authentication and authorization.

GRE over IPSec configuration on the USG6000
GRE over IPSec VPN configuration on the USG6000

Configuration procedure:
1. Complete basic interface configuration, for example, configuring the IP address and adding the physical port to the related zone.
2. Enable the inter-zone security policy.
3. Configure the IPSec tunnel. Set the source and destination addresses of the sensitive traffic carried by the IPSec tunnel to the source and destination addresses of the GRE tunnel.
4. Configure the GRE tunnel. Set the source and destination addresses of the GRE tunnel to the source and destination addresses of the sensitive traffic carried by the IPSec tunnel.

Configuration example:

Topology:
Network A-----(10.1.1.1) NGFW_A-----INTERNET-----NGFW_B (10.1.2.1)------Network B

Note:
a. Network A (10.1.1.0/24) and network B (10.1.2.0/24) can mutually access each other.
b. The public IP address of NGFW_A is 1.1.3.1, the public IP address of NGFW_B is 1.1.5.1, and the public route is accessible.
c. The GRE over IPSec tunnel established between NGFW_A and NGFW_B can satisfy the IPSec security requirements and also transmit broadcast or multicast packets based on GRE.

1. Complete basic interface configuration, for example, configuring the IP address and adding the interface to the related zone.

2. Configure the IPSec.

    //Configure IPSec sensitive traffic.//
    [USG_A]acl 3000
    [USG_A-acl-adv-3000]rule 5 permit ip source 1.1.3.1 0.0.0.0 destination 1.1.5.1 0.0.0.0

    [USG_B]acl 3000
    [USG_B-acl-adv-3000]rule 5 permit ip source 1.1.5.1 0.0.0.0 destination 1.1.3.1 0.0.0.0

    //Configure the IKE proposal and IPSec proposal. Adopt the default parameters.//
    [USG_A-1]ike proposal 1
    [USG_A-1-ike-proposal-1]quit
    [USG_A-1]ipsec proposal 1
    [USG_A-1-ipsec-proposal-1]quit

    [USG_B-1]ike proposal 1
    [USG_B-1-ike-proposal-1]quit
    [USG_B-1]ipsec proposal 1
    [USG_B-1-ipsec-proposal-1]quit

    //Configure the IKE peer.//
    [USG_A-1]ike peer 1
    [USG_A-1-ike-peer-1]pre-shared-key 123456
    [USG_A-1-ike-peer-1]ike-proposal 1
    [USG_A-1-ike-peer-1]remote-address 1.1.5.1

    [USG_B-1]ike peer 1
    [USG_B-1-ike-peer-1]pre-shared-key 123456
    [USG_B-1-ike-peer-1]ike-proposal 1
    [USG_B-1-ike-peer-1]remote-address 1.1.3.1

    //Configure IPSec policies.//
    [USG_A-1]ipsec policy p1 1 isakmp
    [USG_A-1-ipsec-policy-isakmp-1-1]security acl 3000
    [USG_A-1-ipsec-policy-isakmp-1-1]ike-peer 1
    [USG_A-1-ipsec-policy-isakmp-1-1]proposal 1
    [USG_A-1-ipsec-policy-isakmp-1-1]local-address 1.1.3.1
    [USG_A-1-ipsec-policy-isakmp-1-1]interface GigabitEthernet1/0/1
    [USG_A-1-GigabitEthernet1/0/1]ipsec policy p1 auto-neg

    [USG_B-1]ipsec policy p1 1 isakmp
    [USG_B-1-ipsec-policy-isakmp-1-1]security acl 3000
    [USG_B-1-ipsec-policy-isakmp-1-1]ike-peer 1
    [USG_B-1-ipsec-policy-isakmp-1-1]proposal 1
    [USG_B-1-ipsec-policy-isakmp-1-1]local-address 1.1.5.1
    [USG_B-1-ipsec-policy-isakmp-1-1]interface GigabitEthernet1/0/1
    [USG_B-1-GigabitEthernet1/0/1]ipsec policy p1 auto-neg

3. Configure the GRE tunnel.

    [USG_A-1]interface Tunnel 0
    [USG_A-1-Tunnel0]ip address 10.3.1.1 255.255.255.0
    [USG_A-1-Tunnel0]tunnel-protocol gre
    [USG_A-1-Tunnel0]source 1.1.3.1
    [USG_A-1-Tunnel0]destination 1.1.5.1

    [USG_B-1]interface Tunnel 0
    [USG_B-1-Tunnel0]ip address 10.3.1.2 255.255.255.0
    [USG_B-1-Tunnel0]tunnel-protocol gre
    [USG_B-1-Tunnel0]source 1.1.5.1
    [USG_B-1-Tunnel0]destination 1.1.3.1

4. Add the GRE tunnel to the security zone and configure a tunnel route.

    [USG_A-1]firewall zone untrust
    [USG_A-1-zone-untrust]add interface Tunnel 0
    [USG_A-1]ip route-static 10.1.2.0 255.255.255.0 Tunnel0

    [USG_B-1]firewall zone untrust
    [USG_B-1-zone-untrust]add interface Tunnel 0
    [USG_B-1]ip route-static 10.1.1.0 255.255.255.0 Tunnel0
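Why ACL 3000 names the tunnel endpoints rather than the private networks, and how GRE turns a multicast packet into a unicast one that IPSec can select, shown as an added Python example (not Huawei code and not part of the original page). The OSPF hello, the helper names and the ACL_PRIVATE rule are constructed for illustration; the addresses and ACL rule 5 are the page's own.

```python
import ipaddress
import struct

GRE = 47  # IP protocol number carried in the outer header

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet; header checksum left at 0 (illustration only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def gre_encap(inner, tunnel_src, tunnel_dst):
    """Basic GRE header (no flags, protocol type 0x0800 = IPv4) + outer IPv4."""
    return ipv4(tunnel_src, tunnel_dst, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def addresses(packet):
    """Return (source, destination, protocol) of the outermost IPv4 header."""
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]), packet[9])

def acl_permits(rule, packet):
    """rule = (source, source wildcard, destination, destination wildcard)."""
    def hit(addr, base, wildcard):
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        return (int(addr) & care) == (int(ipaddress.IPv4Address(base)) & care)
    src, dst, _ = addresses(packet)
    return hit(src, rule[0], rule[1]) and hit(dst, rule[2], rule[3])

# ACL 3000 rule 5 on USG_A, as configured on the page.
ACL_PAGE = ("1.1.3.1", "0.0.0.0", "1.1.5.1", "0.0.0.0")
# Constructed mistake: an ACL written for the private networks instead.
ACL_PRIVATE = ("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")

# Constructed sample: an OSPF hello (IP protocol 89) sent out of Tunnel0.
hello = ipv4("10.3.1.1", "224.0.0.5", 89, b"\x00" * 24)
outer = gre_encap(hello, "1.1.3.1", "1.1.5.1")

def report():
    """One row per header: name, src, dst, proto, multicast?, ACL_PAGE?, ACL_PRIVATE?"""
    rows = []
    for name, pkt in (("inner", hello), ("outer", outer)):
        src, dst, proto = addresses(pkt)
        rows.append((name, str(src), str(dst), proto, dst.is_multicast,
                     acl_permits(ACL_PAGE, pkt), acl_permits(ACL_PRIVATE, pkt)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the outer header (1.1.3.1 to 1.1.5.1, protocol 47) is unicast and matches the page's ACL, so the whole GRE packet, multicast payload included, is selected for IPSec. An ACL written for 10.1.1.0/24 to 10.1.2.0/24 matches neither header, which would leave the GRE traffic outside the IPSec policy.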

Method used to configure GRE over IPSec on the AR
Huawei AR routers support interworking between devices through GRE over IPSec and IPSec over GRE. GRE over IPSec is supported by all AR models and versions, whereas IPSec over GRE is supported only by AR models that run V200R005C10 or later versions. For details on how to configure IPSec over GRE, see "Example for Configuring L2TP Over IPSec to Implement Secure Communication Between the Branch and Headquarters" of "Using VPN to Implement WAN Interconnection-GRE" in Product Documentation. For details on how to configure GRE over IPSec, see "Example for Configuring GRE Over IPSec to Implement Communication Between Devices", "Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters", and "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.
