Answer the question
In order to leave comments, you need to log in
How is IPSec over GRE or GRE over IPSec correct?
There was a need to create an IPSec + GRE tunnel between CISCO and Mikrotik, where CISCO is the central office, and Mikrotik is all branches, of which there are N number.
I read on the Internet that the "IPSec over GRE" principle allows encrypted IPSec data to be transmitted in an unencrypted GRE tunnel, and "GRE over IPSec" allows GRE data to be encapsulated with ESP or AH headers (in fact, unencrypted GRE in encrypted IPSec).
Question...
Under which of these two configurations, the subnets of all branches will be able to see each other? For example, let the central office have a subnet 10.10.10.0/24 , and two branches A and B subnets 192.168.1.0/24 and 192.168.2.0/24respectively. In which of the two configurations above would these two subnets (A and B) be able to see each other and the central office subnet?
As far as I know, "pure" IPSec cannot be routed. That is, NAT and firewall rules do not apply to IPSec packets.
Answer the question
In order to leave comments, you need to log in
Driving in an IPSec secret when setting up a GRE tunnel just gives GRE over IPsec. I think this is a more correct approach, because the provider does not need to know what tunnels we are building (although, who needs us)). With this approach, pure ESP flies. With any of the configurations you describe, the networks will see each other with properly configured routing. I consider IPsec with an interface much more convenient and understandable than IPsec in tunnel mode.
I see a lot of incorrect answers here. Just the right advice from Igorjan .
Yes, you need exactly GRE over IPSec, the only way you will have a free hand in terms of routing through tunnels. And a pledge for the future - today you are on static routing, and tomorrow you may need dynamics so that branches can see each other, fault tolerance or something else ... It is better to be ready for any expansion than to urgently drop everything and reconfigure again all tunnels.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question