About GRE Tunnels

GRE (Generic Routing Encapsulation) creates GRE packets by encapsulating packets that are created by other protocols. The GRE packets, in turn, are encapsulated within IP packets. In this way, GRE is similar to the IPsec protocols AH (Authentication Header) and ESP (Encapsulating Security Protocol). However, unlike AH and ESP, GRE does not ensure data integrity or confidentiality.

On the Threat Management Services (TMS) zl Module, GRE encapsulates HTTP and FTP packets. Because GRE encapsulates packets and repackages them with a delivery IP header, it renders the original IP header transparent. GRE establishes a point-to-point link between two non-directly connected gateways; these gateways can then tunnel packets from hosts on private networks through another network.

For example, on the TMS zl Module, a GRE tunnel can transit traffic through a network that uses the same IP addresses, which is useful for integrating sites that use overlapping addresses.

GRE is often used in conjunction with IPsec to create a secure tunnel.

You can also use GRE to establish a virtual point-to-point tunnel between two gateways that are separated by an intervening network. For example, you can create a VPN connection through the Internet between two remote sites. You would create a tunnel whose address is on the private network, but whose source and destination endpoints are on the public network.

Advantages of GRE

  • GRE connects far-flung private gateways together as if the intervening hops did not exist.

  • Because traffic is not encrypted, GRE consumes fewer resources than IPsec.

Disadvantages of GRE

  • GRE tunnels are not as secure as a tunnel that is established with IPsec. The GRE tunnel does not authenticate or encrypt traffic. When you use IPsec with IKE to establish a VPN tunnel, IKE negotiates dynamic, robust keys that define that tunnel. When you use GRE, you must define the tunnel yourself, which renders a GRE tunnel less secure than an IPsec tunnel.

  • Because you manually define the tunnel, GRE tunneling is less scalable than IPsec tunneling. You must create a new tunnel for every point-to-point connection that you want to establish.
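
The following Python sketch is an added example, not code from the original page or from the TMS zl Module. It builds an IP-in-GRE-in-IP packet by hand and parses it back the way any device on the intervening network could, showing that the private inner addresses and the payload travel unencrypted and unauthenticated. The addresses, ports and HTTP request are constructed sample values, and the IPv4 checksums are left at zero for brevity.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def gre_encapsulate(inner, outer_src, outer_dst):
    """Delivery IP header + basic 4-byte GRE header (RFC 2784) + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no flags set, version 0
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def inspect_gre(pkt):
    """Everything an on-path device can read from a GRE packet, with no key."""
    o_src, o_dst, proto, rest = parse_ipv4(pkt)
    if proto != GRE_PROTO or len(rest) < 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", rest[:4])
    if flags & 0x4007:
        raise ValueError("unsupported GRE version or routing field")
    # Optional 4-byte fields: checksum (C), key (K, RFC 2890), sequence (S)
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    i_src, i_dst, _, data = parse_ipv4(rest[offset:])
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst), "data": data}


# Constructed sample: HTTP request between two private hosts, tunnelled between public gateways
HTTP = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 65535, 0, 0)
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(TCP) + len(HTTP)) + TCP + HTTP

if __name__ == "__main__":
    print(inspect_gre(gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")))
```

The parsed result exposes both the delivery header and the original private header and payload, which is why GRE is paired with IPsec when the intervening network is untrusted.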