A table below details on how GRE and IPSEC differ in their approach and parameters though both are leveraged for used for point to point communication across locations.
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks. GRE is defined by RFC 2784.
Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.
GRE works by encapsulating a payload — that is, an inner packet that needs to be delivered to a destination network — inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks.
In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks. Advantages of GRE tunnels include the following:
- GRE tunnels encase multiple protocols (IPX) over a single-protocol backbone.
- GRE tunnels provide workarounds for networks with limited hops.
- GRE tunnels connect discontinuous sub-networks.
- GRE tunnels allow VPNs across wide area networks (WANs).
The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
The IP Security (IPsec) Protocol is a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. IPsec provides IP network-layer encryption. IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added header(s) varies in length depending the IPsec configuration mode but they do not exceed ~58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet.
IPsec has two modes, tunnel mode and transport mode.
- Tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and encapsulated by the IPsec headers and trailers. Then a new IP header is prepended to the packet, specifying the IPsec endpoints (peers) as the source and destination. Tunnel mode can be used with any unicast IP traffic and must be used if IPsec is protecting traffic from hosts behind the IPsec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPsec peers. With VPNs, the IPsec “tunnel” protects the IP traffic between hosts by encrypting this traffic between the IPsec peer routers.
- Transport mode (configured with the subcommand, mode transport, on the transform definition), only the payload of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPsec headers and trailers. The original IP headers remain intact, except that the IP protocol field is changed to be ESP (50), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted. Transport mode is used only when the IP traffic to be protected is between the IPsec peers themselves, the source and destination IP addresses on the packet are the same as the IPsec peer addresses. Normally IPsec transport mode is only used when another tunnelling protocol (like GRE) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE tunnel packets.