Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A tunneling method that wraps multiprotocol or multicast traffic in GRE, then encrypts it with IPsec—enabling secure routing protocols across the internet.
GRE over IPsec Definition: A tunneling method that wraps multiprotocol or multicast traffic in GRE, then encrypts it with IPsec—enabling secure routing protocols across the internet.
GRE over IPsec is a tunneling technique that encapsulates traffic in Generic Routing Encapsulation (GRE) and then secures that GRE tunnel with IPsec encryption. GRE provides flexible multiprotocol and multicast transport, while IPsec adds confidentiality, integrity, and authentication, producing a secure site-to-site channel across untrusted networks like the internet.
The combination addresses a key limitation of plain IPsec: standard IPsec (especially in tunnel mode) does not natively carry multicast or non-IP traffic, which dynamic routing protocols such as OSPF and EIGRP rely on. GRE encapsulates any of that traffic into unicast IP packets, and IPsec then encrypts the GRE-wrapped packets. Two designs exist: GRE-over-IPsec, where the entire GRE packet is protected by IPsec (often transport mode for efficiency), and the order matters because GRE encapsulates first, then IPsec secures. This is the foundation of Cisco DMVPN and many enterprise site-to-site VPNs.
For security, this approach lets organizations run interior routing protocols and multicast applications between sites while ensuring the data is encrypted and authenticated in transit. Without the IPsec layer, GRE alone offers no protection—it is cleartext and trivially intercepted or modified. Without GRE, IPsec alone cannot carry the routing adjacencies needed for resilient, dynamically routed WANs. Together they deliver both routing flexibility and strong cryptographic protection.
For example, a company connects its headquarters and a branch office over the public internet and wants OSPF to dynamically share routes between them. The engineers build a GRE tunnel between the two routers' public interfaces, run OSPF across it, and then apply an IPsec profile to encrypt the GRE tunnel with AES and authenticated key exchange. Routing updates and user traffic now flow between sites as if on a private link, fully encrypted, and routes reconverge automatically if a path fails.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →