Generic Routing Encapsulation (GRE) and IP Security (IPSec) are two fundamental tunneling technologies you must understand for the CCNA 200-301 exam. While GRE provides a simple, flexible tunnel for multiprotocol traffic, IPSec offers robust encryption and authentication. Real-world networks often combine both in a 'GRE over IPSec' design. This chapter dissects each technology, compares them head-to-head, and reveals the exam traps that catch candidates off guard. Exam objective: 5.4 Compare Cisco IOS tunnel types.
Imagine you need to send a delicate item from New York to Los Angeles. GRE is like an armored truck: it can carry anything—a painting, a computer, a live snake—because it doesn't care about the contents. The truck is big, fast, and simple. It just wraps your item in a protective shell and drives it across the country. But the shell is transparent: anyone can see what's inside if they peek. GRE alone provides no security. Now, IPSec is like a secure parcel service: it takes your item, locks it in a tamper-proof box, and encrypts the address label so no one knows where it's coming from or going. However, the secure parcel service can only handle certain types of items—usually documents or small packages. It's picky about what it carries and requires more processing. In networking, GRE tunnels can encapsulate any Layer 3 protocol (IPv4, IPv6, IPX, etc.) and even broadcast traffic, making them ideal for connecting remote sites with diverse protocols. IPSec, on the other hand, only protects IP packets and is typically used for site-to-site VPNs. The real magic happens when you combine them: you put your item into the armored truck (GRE) and then have the secure parcel service escort the entire truck (GRE over IPSec). This gives you the flexibility of GRE and the security of IPSec. Cisco routers commonly use this combination for DMVPN and FlexVPN deployments. On the CCNA exam, you need to know that GRE is protocol 47 and is unencrypted, while IPSec can operate in transport or tunnel mode and uses protocols like ESP (protocol 50) and AH (protocol 51).
What is GRE?
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates a wide variety of network layer protocols inside IP tunnels. It is defined in RFC 2784 and uses IP protocol number 47. GRE creates a virtual point-to-point link between two routers, allowing them to exchange traffic as if they were directly connected. The key advantage of GRE is its ability to carry multicast and broadcast traffic, as well as non-IP protocols (e.g., IPX, AppleTalk), over an IP-only network. This makes GRE essential for routing protocols like OSPF and EIGRP that rely on multicast or broadcast for neighbor discovery.
How GRE Works
When a router sends a packet through a GRE tunnel, it performs the following steps:
1. The router receives an original packet (e.g., an IP packet destined for a remote network).
2. It adds a GRE header (typically 4 bytes: 2 bytes for flags/version, 2 bytes for protocol type). Optionally, GRE can include a key (4 bytes) for authentication, a sequence number (4 bytes), or a checksum (2 bytes).
3. The router encapsulates the entire original packet (including its header) inside a new IP header. The source IP is the tunnel source (the local router's physical interface), and the destination IP is the tunnel destination (the remote router's physical interface). The protocol field in the new IP header is set to 47 (GRE).
4. The resulting packet is forwarded over the physical network to the remote router.
5. The remote router strips the outer IP header and the GRE header, recovers the original packet, and forwards it to the destination.
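The five steps above, worked through in pure Python as an added example (this is not code from the original page or from Cisco IOS). It builds the outer IPv4 header and the 4-byte GRE header, sets the outer protocol field to 47, and then strips both headers again, honouring the optional key and sequence-number fields. The tunnel endpoints 192.168.1.2 and 192.168.1.1 are the page's; the inner packet (10.1.1.10 to 10.2.2.20 carrying a UDP datagram) and its payload are constructed for the example. `classify_outer_protocol` goes slightly beyond the steps by naming the tunnel type from the outer protocol number (47, 50 or 51), which is the same field the exam asks about.

```python
import socket
import struct

GRE_PROTO = 47           # outer IP protocol number for GRE
ESP_PROTO = 50           # IPsec ESP
AH_PROTO = 51            # IPsec AH
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options: DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into the fields we need; rejects a bad header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "proto": packet[9],
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "payload": packet[ihl:total_len],
    }


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    protocol_type: int = ETHERTYPE_IPV4,
                    key: int = None, seq: int = None) -> bytes:
    """Steps 2 and 3: prepend a GRE header (optionally with K and S fields, RFC 2890)
    and a new outer IP header whose protocol field is 47."""
    flags, options = 0, b""
    if key is not None:
        flags |= 0x2000                      # K bit: 4-byte key follows
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= 0x1000                      # S bit: 4-byte sequence number follows
        options += struct.pack("!I", seq)
    gre_header = struct.pack("!HH", flags, protocol_type) + options
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_header) + len(inner))
    return outer + gre_header + inner


def gre_decapsulate(packet: bytes):
    """Step 5: strip the outer IP and GRE headers; returns (protocol type, original packet)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer protocol is %d, not GRE (47)" % outer["proto"])
    payload = outer["payload"]
    flags_ver, protocol_type = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:                   # low three bits are the GRE version; 0 is RFC 2784
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags_ver & 0x8000:                   # C bit: 2-byte checksum + 2 reserved bytes
        offset += 4
    if flags_ver & 0x2000:                   # K bit: 4-byte key
        offset += 4
    if flags_ver & 0x1000:                   # S bit: 4-byte sequence number
        offset += 4
    return protocol_type, payload[offset:]


def classify_outer_protocol(packet: bytes) -> str:
    """Name the tunnel type from the outer IP protocol field."""
    names = {GRE_PROTO: "GRE", ESP_PROTO: "ESP", AH_PROTO: "AH"}
    return names.get(parse_ipv4(packet)["proto"], "other")


def sample_inner_packet() -> bytes:
    """Constructed inner packet: IPv4 10.1.1.10 -> 10.2.2.20 carrying a UDP datagram."""
    data = b"constructed example payload"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data  # UDP checksum 0 = none
    return build_ipv4_header("10.1.1.10", "10.2.2.20", 17, len(udp)) + udp


if __name__ == "__main__":
    inner = sample_inner_packet()
    tunneled = gre_encapsulate(inner, "192.168.1.2", "192.168.1.1")  # tunnel source -> destination
    print("overhead added:", len(tunneled) - len(inner), "bytes")     # 20 outer IP + 4 GRE = 24
    print("outer protocol:", classify_outer_protocol(tunneled))
    ptype, recovered = gre_decapsulate(tunneled)
    print("original packet recovered intact:", recovered == inner, "type 0x%04x" % ptype)
```

Run it as a script to see the 24-byte overhead the page quotes; the decapsulated bytes are identical to the original packet, which is exactly why GRE alone gives no confidentiality: an observer between the endpoints can apply the same stripping.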
GRE Configuration and Verification
Configuring a GRE tunnel on Cisco IOS involves creating a tunnel interface and specifying the source, destination, and IP address for the tunnel itself. Here is a basic example:
```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.1
```
This creates a tunnel between two routers. The tunnel interface gets an IP address (usually from a private subnet), and the tunnel source/destination are the actual physical interfaces. To verify the tunnel:
```
show interface tunnel0
```
Look for "Tunnel0 is up, line protocol is up". The line protocol stays up only if the tunnel destination is reachable (i.e., there is a route to the destination IP).
What is IPSec?
IP Security (IPSec) is a suite of protocols that provides confidentiality, integrity, and authentication for IP packets. It operates at the network layer (Layer 3) and can protect traffic between two hosts (transport mode) or between two gateways (tunnel mode). IPSec uses two main protocols: Authentication Header (AH, protocol 51) for integrity and authentication, and Encapsulating Security Payload (ESP, protocol 50) for confidentiality (encryption) plus optional integrity. In tunnel mode, IPSec encrypts the entire original IP packet and adds a new IP header, creating a secure tunnel.
How IPSec Works
IPSec uses a two-phase process defined by Internet Key Exchange (IKE):
1. IKE Phase 1: The two peers establish a secure, authenticated channel (the ISAKMP SA). This can be done in Main Mode (6 messages, more secure) or Aggressive Mode (3 messages, faster but less secure). Default: Main Mode. The peers authenticate using pre-shared keys, digital certificates, or other methods. They also negotiate encryption algorithms (e.g., AES-256, 3DES), hash algorithms (e.g., SHA-256), Diffie-Hellman groups (e.g., Group 14), and the lifetime (default 86400 seconds).
2. IKE Phase 2: The peers negotiate the IPSec Security Association (SA) parameters for the actual data encryption. This uses Quick Mode (3 messages). They agree on transform sets (e.g., esp-aes 256 esp-sha-hmac) and create two unidirectional SAs (one inbound, one outbound). The default lifetime for IPSec SAs is 3600 seconds (1 hour) or 4608000 kilobytes.
Once the SAs are established, traffic is encrypted. For example, if ESP is used in tunnel mode, the original packet is encrypted and placed inside a new IP packet with protocol 50. The receiving peer decrypts and forwards the original packet.
IPSec Configuration Example
Here is a minimal IPSec site-to-site VPN configuration on Cisco IOS:
```
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
 lifetime 86400
crypto isakmp key cisco123 address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 100
!
interface GigabitEthernet0/0
 crypto map CMAP
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
```
This protects traffic between two private networks. The ACL defines the interesting traffic that triggers IPSec.
GRE over IPSec
GRE over IPSec combines the flexibility of GRE with the security of IPSec. The GRE tunnel is created first, then the entire GRE tunnel traffic is encrypted by IPSec. This is commonly used for DMVPN and FlexVPN. The configuration involves setting up a GRE tunnel and then applying a crypto map to the tunnel interface or the physical interface. A simpler approach is to use IPsec VTI (Virtual Tunnel Interface), which integrates IPSec directly on the tunnel interface without a separate crypto map.
Configure GRE Tunnel Interface
On each router, create a tunnel interface. For example, on Router1:
```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.1
```
On Router2:
```
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.2
```
The tunnel source must be an interface with an IP address, and the tunnel destination must be the remote router's IP. Ensure IP connectivity between the tunnel endpoints (e.g., via static routes or a routing protocol).
Verify GRE Tunnel Status
Use `show interface tunnel0` to check whether the tunnel is up/up. Example output (the tunnel source shown is the physical interface address, 192.168.1.2, not the tunnel's own 10.0.0.1):
```
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.1.2 (GigabitEthernet0/0), destination 192.168.1.1
  Tunnel protocol/transport GRE/IP
```
If the line protocol is down, check reachability to the tunnel destination and ensure the tunnel source is correct.
Configure IKE Phase 1 (ISAKMP)
Define an ISAKMP policy for IPSec. Example:
```
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
 lifetime 86400
crypto isakmp key cisco123 address 192.168.1.1
```
The policy number (10) is just a priority; lower numbers are preferred. The pre-shared key must match on both peers. Use `show crypto isakmp policy` to verify.
Configure IKE Phase 2 (Transform Set and Crypto Map)
Create a transform set and a crypto map:
```
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 100
!
interface GigabitEthernet0/0
 crypto map CMAP
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
```
The ACL defines which traffic to protect. Apply the crypto map to the outgoing interface. Use `show crypto map` to verify.
Verify IPSec SAs and Tunnel
Use `show crypto isakmp sa` to see Phase 1 SAs. A state of MM_ACTIVE indicates successful Phase 1. For Phase 2, use `show crypto ipsec sa`. Example output:
```
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.1.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
```
Look for the packet counts increasing. If there are no packets, check ACL matching and routing.
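The "look for the packet counts increasing" check above, turned into a small script as an added example (not from the original page or Cisco). It parses two snapshots of `show crypto ipsec sa` output taken a little apart and reports whether the SA is carrying traffic in both directions, one direction only, or not at all, which is the usual split between "crypto ACL or routing is wrong on this side" and "the peer's mirrored ACL or return routing is wrong". The first snapshot is the page's own example output; the second is constructed to show the outbound counters moving while the inbound ones stay still. A counter that goes backwards is also flagged, because IOS resets the counters when the SA is rebuilt (rekey or `clear crypto sa`), which otherwise looks like lost traffic.

```python
import re

# Snapshot 1: the page's example 'show crypto ipsec sa' output.
SNAPSHOT_BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.1.2
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""

# Snapshot 2 (constructed): taken later; outbound counters moved, inbound did not.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10",
    "#pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25")

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")


def parse_ipsec_sa(text: str) -> dict:
    """Pull the peer, the protected identities and the packet counters out of one snapshot."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: spec for side, spec in IDENT_RE.findall(text)}
    peer = PEER_RE.search(text)
    return {
        "peer": peer.group(1) if peer else None,
        "local": idents.get("local"),
        "remote": idents.get("remote"),
        "counters": counters,
    }


def diagnose(before: dict, after: dict) -> str:
    """Compare encaps/decaps deltas between two snapshots of the same SA."""
    enc = after["counters"].get("encaps", 0) - before["counters"].get("encaps", 0)
    dec = after["counters"].get("decaps", 0) - before["counters"].get("decaps", 0)
    if enc < 0 or dec < 0:
        return "counters reset: the SA was rebuilt (rekey or clear) between snapshots"
    if enc == 0 and dec == 0:
        return "no traffic matched the crypto ACL: check the interesting-traffic ACL and routing"
    if enc > 0 and dec == 0:
        return "one-way: sending but nothing returns; check the peer's mirrored ACL and return routing"
    if enc == 0 and dec > 0:
        return "one-way: receiving only; check the local ACL and routing toward the peer"
    return "healthy: packets encapsulated and decapsulated in both directions"


def compare_snapshots(before_text: str, after_text: str) -> str:
    """Convenience wrapper: parse both captures, confirm they describe the same SA, diagnose."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    if (before["peer"], before["local"], before["remote"]) != (after["peer"], after["local"], after["remote"]):
        return "snapshots describe different SAs: peer or identities changed"
    return diagnose(before, after)


if __name__ == "__main__":
    sa = parse_ipsec_sa(SNAPSHOT_BEFORE)
    print("peer %s, protecting %s <-> %s" % (sa["peer"], sa["local"], sa["remote"]))
    print(compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On a real router, paste the two captures into the two strings (or read them from files) and the verdict replaces eyeballing the counters; the identities are compared first so that a capture from a different crypto map entry is not silently diagnosed as a traffic problem.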
Combine GRE and IPSec (Optional)
For GRE over IPSec, configure the GRE tunnel as in the "Configure GRE Tunnel Interface" step above, then apply the crypto map either to the physical interface (as above) or to the tunnel interface. Alternatively, use an IPsec VTI:
```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE
```
This simplifies the configuration: no crypto map or interesting-traffic ACL is needed, because everything routed into the tunnel is protected. PROFILE is an IPsec profile that must be defined separately (with `crypto ipsec profile`) and reference the transform set; with `tunnel mode ipsec ipv4` the interface uses IPsec encapsulation directly, so no GRE header is added. Verify with `show crypto ipsec sa` and `show interface tunnel0`.
In enterprise networks, GRE tunnels are often used to connect remote branches that run routing protocols like OSPF or EIGRP over a WAN. For example, a company with multiple sites might use GRE tunnels to form a full mesh of virtual point-to-point links, allowing dynamic routing across the MPLS cloud. However, since GRE provides no encryption, traffic is sent in clear text—a major security risk. This is where IPSec comes in. A common design is 'GRE over IPSec': the GRE tunnel carries routing protocol updates and multicast traffic, and IPSec encrypts the entire GRE stream. Cisco's Dynamic Multipoint VPN (DMVPN) is a classic implementation: it uses mGRE (multipoint GRE) for dynamic tunnel establishment and IPSec for encryption. Network engineers deploy this when they need scalable, secure site-to-site connectivity without a full mesh of static tunnels. Performance considerations: GRE adds 24 bytes of overhead (20 IP + 4 GRE), and IPSec adds more (typically 50-60 bytes for ESP in tunnel mode). This can impact MTU, so engineers often lower the tunnel MTU or enable TCP MSS clamping. Misconfiguration is common: forgetting to add routes for the tunnel destination, mismatched pre-shared keys, or ACLs that don't match the correct traffic. In production, you might see 'show crypto isakmp sa' showing MM_NO_STATE, indicating Phase 1 failure. Another scenario: using IPSec alone without GRE—this works for unicast IP traffic but breaks routing protocols that rely on multicast (e.g., OSPF hello packets are dropped). Therefore, for dynamic routing over VPNs, GRE over IPSec or VTI is essential. On the CCNA exam, you may be asked to identify why OSPF neighbors fail over an IPSec-only VPN—the answer is that IPSec does not forward multicast traffic.
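The overhead and MTU arithmetic from the performance paragraph above, as an added Python example (not from the original page or Cisco). It computes the plain GRE tunnel MTU, the ESP tunnel-mode overhead range (which varies with packet length because of cipher block padding, hence the page's "typically 50-60 bytes"), the on-the-wire size of a packet after GRE and then ESP tunnel mode, and the largest inner packet that still fits a path MTU, from which the `ip mtu` and `ip tcp adjust-mss` values for the tunnel interface follow. The defaults assume the page's transform set, esp-aes 256 esp-sha-hmac (16-byte IV and block size, 12-byte truncated HMAC-SHA1 ICV), and a 1500-byte path MTU; both are assumptions you can change through the parameters.

```python
OUTER_IPV4 = 20
GRE_BASIC = 4
GRE_OVERHEAD = OUTER_IPV4 + GRE_BASIC   # the page's 24 bytes (no key/sequence/checksum)
ESP_HEADER = 8                          # SPI (4) + sequence number (4)
ESP_TRAILER = 2                         # pad length (1) + next header (1)
TCP_IP_HEADERS = 40                     # 20 IPv4 + 20 TCP without options, for MSS clamping


def gre_tunnel_mtu(path_mtu: int = 1500) -> int:
    """Largest IP packet a plain GRE tunnel carries unfragmented (IOS default: 1476)."""
    return path_mtu - GRE_OVERHEAD


def esp_tunnel_overhead(plaintext_len: int, iv_len: int = 16,
                        block_size: int = 16, icv_len: int = 12) -> int:
    """Bytes ESP tunnel mode adds around a plaintext_len-byte IP packet.
    Padding brings (payload + trailer) up to a cipher block boundary, so the
    result depends on the packet length, not only on the algorithms."""
    pad = -(plaintext_len + ESP_TRAILER) % block_size
    return OUTER_IPV4 + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv_len


def esp_tunnel_overhead_range(iv_len: int = 16, block_size: int = 16, icv_len: int = 12):
    """(minimum, maximum) ESP tunnel-mode overhead for a given transform set."""
    fixed = OUTER_IPV4 + ESP_HEADER + iv_len + ESP_TRAILER + icv_len
    return fixed, fixed + block_size - 1


def gre_over_ipsec_size(inner_len: int, **esp) -> int:
    """On-the-wire size of an inner packet after GRE and then ESP tunnel mode
    (the crypto-map-on-the-physical-interface design described above)."""
    gre_len = inner_len + GRE_OVERHEAD
    return gre_len + esp_tunnel_overhead(gre_len, **esp)


def max_inner_packet(path_mtu: int = 1500, **esp) -> int:
    """Largest inner packet whose GRE over IPsec encapsulation still fits path_mtu."""
    inner = path_mtu - GRE_OVERHEAD
    while inner > 0 and gre_over_ipsec_size(inner, **esp) > path_mtu:
        inner -= 1
    return inner


def recommended_tunnel_settings(path_mtu: int = 1500, **esp) -> dict:
    """Values for 'ip mtu' and 'ip tcp adjust-mss' on the tunnel interface so that
    neither the tunnel nor TCP inside it produces packets that need fragmentation."""
    ip_mtu = max_inner_packet(path_mtu, **esp)
    return {"ip mtu": ip_mtu, "ip tcp adjust-mss": ip_mtu - TCP_IP_HEADERS}


if __name__ == "__main__":
    print("plain GRE tunnel MTU:", gre_tunnel_mtu())
    print("ESP tunnel-mode overhead, AES-CBC + SHA1-96:", esp_tunnel_overhead_range())
    print("ESP tunnel-mode overhead, 3DES + SHA1-96:", esp_tunnel_overhead_range(iv_len=8, block_size=8))
    print("1400-byte inner packet over GRE/IPsec ->", gre_over_ipsec_size(1400), "bytes on the wire")
    print("recommended tunnel settings:", recommended_tunnel_settings())
```

The computed values (ip mtu 1414, adjust-mss 1374 for AES/SHA1) sit just above the 1400/1360 pair that is commonly configured on GRE over IPsec and DMVPN tunnels; the round numbers are the same calculation with a little headroom for GRE options or a larger ICV, which the parameters let you model directly.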
The CCNA 200-301 exam tests your ability to compare GRE and IPSec under objective 5.4, 'Compare Cisco IOS tunnel types'. You need to know the characteristics, use cases, and limitations of each. Common exam traps:
1) Candidates assume GRE provides encryption. It does not.
2) They think IPSec can carry multicast traffic: in transport mode, no; in tunnel mode, only when combined with GRE (GRE over IPSec).
3) They confuse the IP protocol numbers: GRE is 47, ESP is 50, AH is 51.
4) They forget that GRE tunnels require a route to the tunnel destination; otherwise the tunnel line protocol stays down.
5) They mix up IKE Phase 1 and Phase 2: Phase 1 establishes the ISAKMP SA (MM_ACTIVE), Phase 2 establishes the IPSec SAs that carry the encrypted data.
6) Default values: the IKE Phase 1 lifetime is 86400 seconds (24 hours); the IPSec SA lifetime is 3600 seconds (1 hour) or 4608000 KB.
7) Scenario questions: if a question asks for a solution that supports both multicast and encryption, the answer is GRE over IPSec (or IPsec VTI). If it asks for simple, unencrypted multiprotocol support, GRE alone is sufficient.
Elimination strategy: if the question mentions 'security' or 'encryption', eliminate any answer that uses GRE alone. If it mentions 'multicast' or 'routing protocol', IPSec alone is insufficient unless combined with GRE. Also remember that GRE is not Cisco proprietary: although Cisco developed it, it is an open standard (RFC 2784). Cisco's implementation does add optional features such as GRE keepalives. Exam questions may also ask 'Which tunnel type is used for DMVPN?' The answer is mGRE (multipoint GRE) with IPSec.
GRE uses IP protocol 47; ESP uses 50; AH uses 51.
GRE is unencrypted and can carry multicast, broadcast, and non-IP protocols.
IPSec provides encryption and authentication but cannot carry multicast traffic natively.
IKE Phase 1 default lifetime: 86400 seconds; IPSec SA default lifetime: 3600 seconds.
GRE over IPSec (or IPsec VTI) is used when both multicast support and encryption are needed.
The GRE tunnel line protocol is up only if the tunnel destination is reachable via a route.
Crypto map is applied to the outgoing interface; match address ACL defines interesting traffic for IPSec.
These come up on the exam all the time. Here's how to tell them apart.
| | GRE | IPSec (Tunnel Mode) |
|---|---|---|
| IP protocol | 47 | 50 (ESP) or 51 (AH) |
| Security | No encryption (clear text) | Encryption (ESP) and authentication (AH) |
| Traffic carried | Multicast, broadcast, and non-IP protocols | Unicast IP only; no multicast or broadcast |
| Configuration | Simple (tunnel interface) | Complex (IKE policies, crypto maps) |
| Overhead | 24 bytes (20 IP + 4 GRE) | ~50-60 bytes (ESP tunnel mode) |
Mistake
GRE provides encryption for the tunnel traffic.
Correct
GRE only encapsulates packets; it does not encrypt. GRE headers are sent in clear text. Encryption requires IPSec or other VPN technologies.
Many candidates think 'tunnel' implies security, but GRE is just encapsulation, not encryption.
Mistake
IPSec tunnel mode can carry multicast traffic like OSPF hellos.
Correct
IPSec tunnel mode encrypts IP packets but does not forward multicast. Multicast packets are dropped because IPSec SAs are unicast. To carry multicast, you must use GRE over IPSec.
Candidates confuse 'tunnel' with 'multicast capability'; IPSec tunnel mode is still unicast-only.
Mistake
GRE tunnels require a keepalive mechanism to detect failures.
Correct
GRE keepalives are optional and not part of the RFC. Cisco IOS supports GRE keepalives, but they are not enabled by default. The tunnel line protocol goes down if the destination becomes unreachable via routing.
Candidates assume keepalives are mandatory because they are common on other interfaces (e.g., serial).
Mistake
IPSec can be used to encrypt any Layer 3 protocol, including IPX.
Correct
IPSec only protects IP packets. It cannot encapsulate non-IP protocols. GRE is needed to carry non-IP traffic.
Candidates think IPSec is a generic encryption tool, but it is IP-specific.
GRE is a tunneling protocol that encapsulates packets but does not encrypt them. It can carry multicast, broadcast, and non-IP traffic. IPSec provides encryption and authentication but only for IP unicast traffic. GRE is like a clear envelope; IPSec is like a locked box. They are often combined: GRE over IPSec for secure multiprotocol tunnels.
No, IPSec alone cannot carry multicast traffic because IPSec security associations (SAs) are unicast. To transport multicast (e.g., OSPF hellos, EIGRP updates), you need to encapsulate the multicast packets inside a GRE tunnel, then encrypt the GRE tunnel with IPSec. This is called GRE over IPSec.
IKE Phase 1 SA lifetime defaults to 86400 seconds (24 hours). IPSec Phase 2 SA lifetime defaults to 3600 seconds (1 hour) or 4608000 kilobytes, whichever comes first. You can change these with the 'lifetime' command under crypto isakmp policy and crypto ipsec security-association lifetime.
GRE uses IP protocol 47. ESP (Encapsulating Security Payload) uses IP protocol 50. AH (Authentication Header) uses IP protocol 51. These numbers appear in the Protocol field of the outer IP header. Know them for the exam.
Use 'show interface tunnel0'. Look for 'Tunnel0 is up, line protocol is up'. Also use 'ping' from the tunnel IP to the remote tunnel IP. If the line protocol is down, check routing to the tunnel destination. Use 'show ip route' to confirm a route exists.
In transport mode, only the payload (data) of the IP packet is encrypted; the original IP header is preserved. This is used for host-to-host connections. In tunnel mode, the entire original IP packet is encrypted and encapsulated in a new IP header. This is used for site-to-site VPNs. The exam expects you to know that tunnel mode is more common for VPNs.
A crypto map associates IPSec policies with a specific interface. It defines which traffic to protect (via ACL), the remote peer, the transform set, and other parameters. The crypto map is applied to the outgoing interface (e.g., GigabitEthernet0/0). Without it, IPSec will not encrypt traffic.