IPSec over GRE

Hi,

 

I read 'IPSec over GRE' is a bad design.

Is that true? Please explain.

I think IPSec over DMVPN is conceptually the same as IPSec over GRE.

Thanks,

rs

Comments

  • If it was a bad design it would not have been invented; there may be cases where other technologies scale or work better than IPsec over GRE. If you show the exact statement we may comment on that.

  • Thanks Cristian.

    In one of the CCIE videos, Brian mentioned it.

    Please see the screenshot.


  • JoeM ✭✭✭

    Here is the reference video:


    CCIE-RSv5-ATC-108 @ 3 min 40 sec

    BrianM explains that, "GRE-over-IPSec vs IPSec-over-GRE... technically they (are not the same)... it has to do with the order-of-operations of how you are doing the encryption. And if you do the second one (ipsec over gre), it is generally a bad design. You would generally have less throughput, because of the way the packet is encapsulated... (begins talking about the encapsulation, header size, and fragmentation)."


  • IPSec over GRE with crypto-map is bad, but you still need it in some cases. IPSec over GRE with profiles is good, and if you use transport mode it is similar to SVTI tunnel mode in overhead, with just 4 more bytes of overhead.


    On May 28, 2015, at 05:52, JoeM <[email protected]> wrote:

    Here is the reference video:


    CCIE-RSv5-ATC-108 @ 3 min 40 sec

    BrianM explains that, "... technically they (are not the same)... it has to do with the order-of-operations of how you are doing the encryption. And if you do the second one (ipsec over gre), it is generally a bad design. You would generally have less throughput, because of the way the packet is encapsulated... (begins talking about the encapsulation and headers)."

  • Thanks for the inputs, made my understanding better.
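
The overhead and fragmentation points raised in this thread, worked through as an added example (not code from any poster or from INE): it computes the on-the-wire size of an inner IP packet for SVTI tunnel mode, GRE with IPsec transport mode, and GRE with IPsec tunnel mode, plus the largest inner packet that fits a 1500-byte MTU unfragmented. Assumptions: IPv4 without options, a 4-byte GRE header with no key or sequence fields, and an AES-GCM ESP transform; the function and layout names are invented for the example.

```python
# Added example: per-packet size of three tunnel layouts.
# Assumed ESP transform: AES-GCM (8-byte IV, 16-byte ICV, 4-byte alignment).
IP_HDR = 20      # IPv4 header without options
GRE_HDR = 4      # basic GRE header, no key/sequence/checksum
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes


def esp_len(payload, iv=8, icv=16, align=4):
    """Bytes of ESP header + IV + payload + padding + trailer + ICV."""
    pad = -(payload + ESP_TRAILER) % align
    return ESP_HDR + iv + payload + pad + ESP_TRAILER + icv


def wire_size(layout, inner, **esp):
    """Size on the wire of an `inner`-byte IP packet for a given layout."""
    if layout == "svti_tunnel":      # IP | ESP( inner )
        return IP_HDR + esp_len(inner, **esp)
    if layout == "gre_transport":    # IP | ESP( GRE | inner )
        return IP_HDR + esp_len(GRE_HDR + inner, **esp)
    if layout == "gre_tunnel":       # IP | ESP( IP | GRE | inner )
        return IP_HDR + esp_len(IP_HDR + GRE_HDR + inner, **esp)
    raise ValueError(f"unknown layout: {layout}")


def max_inner(layout, mtu=1500, **esp):
    """Largest inner packet that still fits in `mtu` without fragmentation."""
    return max(n for n in range(mtu + 1) if wire_size(layout, n, **esp) <= mtu)


if __name__ == "__main__":
    for layout in ("svti_tunnel", "gre_transport", "gre_tunnel"):
        size = wire_size(layout, 1400)  # constructed sample: 1400-byte inner packet
        print(f"{layout:14} wire={size}  overhead={size - 1400}  "
              f"max inner @1500={max_inner(layout)}")
```

With a 16-byte block cipher (`iv=16, icv=12, align=16`), ESP padding can absorb the GRE header, so `svti_tunnel` and `gre_transport` come out the same size for some packet lengths.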
