GRE over IPSec combines the advantages of GRE and IPSec: GRE encapsulates multicast, broadcast, and non-IP packets into ordinary IP packets, and IPSec secures the encapsulated IP packets. As a result, broadcast and multicast services, such as video conferencing or dynamic routing protocols, can be transmitted securely between the headquarters and branches.
GRE over IPSec encapsulates packets using GRE and then IPSec. The encapsulation can be implemented in tunnel mode or transport mode. The tunnel mode adds an extra IPSec header, which makes the packet longer and more likely to be fragmented. Therefore, the transport mode is recommended.

In the IP header added during IPSec encapsulation, the source IP address is the IP address of the interface to which the IPSec policy is applied, and the destination IP address is the IP address of the peer interface to which the IPSec policy on the remote peer is applied.
IPSec protects the data flows from the GRE source address to the GRE destination address. In the IP header added during GRE encapsulation, the source address is the source address of the GRE tunnel, and the destination address is the destination address of the GRE tunnel.
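The following Python code is an added example, not part of the original documentation. It compares the header stack, outer addresses, and on-wire length of the two modes to show why tunnel mode fragments sooner. Assumptions not taken from the page: ESP with AES-CBC (16-byte IV and block) and a 12-byte ICV, IPv4 headers without options, a 4-byte GRE header, a 1500-byte MTU, and constructed function names and addresses.

```python
# Added example: sizes and outer addresses for GRE over IPSec (ESP).
# Assumed parameters, not taken from the page: IPv4 headers without options,
# a 4-byte GRE header, ESP with AES-CBC (16-byte IV and block) and a 12-byte ICV.
IP_HDR, GRE_HDR = 20, 4
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_ICV = 8, 16, 16, 12


def esp_length(payload_len):
    """ESP header + IV + padded ciphertext + ICV for payload_len protected bytes."""
    # Payload, padding and the 2-byte trailer (pad length, next header)
    # must together fill whole cipher blocks.
    padded = -(-(payload_len + 2) // ESP_BLOCK) * ESP_BLOCK
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def encapsulate(inner_len, mode, gre_src, gre_dst, ipsec_src, ipsec_dst, mtu=1500):
    """Return header stack, outer addresses, wire length and fragmentation flag."""
    gre_packet = GRE_HDR + inner_len          # GRE header + original packet
    if mode == "transport":
        # ESP is inserted after the GRE delivery IP header, which stays outermost.
        stack = ["IP(gre)", "ESP", "GRE", "inner packet"]
        outer = (gre_src, gre_dst)
        total = IP_HDR + esp_length(gre_packet)
    elif mode == "tunnel":
        # The whole GRE/IP packet is protected and a new IP header is added.
        stack = ["IP(ipsec)", "ESP", "IP(gre)", "GRE", "inner packet"]
        outer = (ipsec_src, ipsec_dst)
        total = IP_HDR + esp_length(IP_HDR + gre_packet)
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    return {
        "stack": stack,
        "outer": outer,
        # Flow the IPSec ACL must match: GRE source -> GRE destination.
        "protected_flow": (gre_src, gre_dst, "gre"),
        "wire_len": total,
        "fragmented": total > mtu,
    }


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges (RFC 5737).
    args = ("192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.2")
    for mode in ("transport", "tunnel"):
        print(mode, encapsulate(1420, mode, *args))
```

With these assumed parameters, a 1420-byte inner packet still fits the MTU in transport mode but exceeds it in tunnel mode.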
If NAT must be configured on the device in a GRE over IPSec scenario, configure an ACL rule whose source IP address is the pre-NAT IP address and whose action is permit.