IPSec vs GRE in Detail: What Actually Matters and When
IPSec encrypts. GRE encapsulates. That's the one-liner version. But if you're designing a real network, you need to understand what each protocol actually does under the hood — because choosing the wrong one can break routing, blow through your CPU budget, or leave your traffic wide open.
1. What Is IPSec?
IPSec — Internet Protocol Security — is a suite of protocols designed to authenticate and encrypt IP packets. It operates at Layer 3 of the OSI model, and it was built specifically to secure communications. That's its job, and it does it well.
It's not a single protocol, though. IPSec is a framework made up of several components that work together:
IPSec runs in two modes. Transport mode encrypts only the payload of the original packet, leaving the IP header intact. Tunnel mode encrypts the entire original packet and wraps it in a new IP header. For VPN tunnels between sites or devices, tunnel mode is nearly always what you want.
One thing worth knowing: IPSec only handles unicast traffic natively. Multicast and broadcast don't pass through an IPSec tunnel without some additional help — which is where GRE often enters the picture.
2. What Is GRE?
GRE — Generic Routing Encapsulation — is a tunneling protocol developed by Cisco in the early 1990s. It was designed to do one specific thing: wrap any network layer protocol inside IP packets so they can travel across an IP network. No encryption, no authentication, no security whatsoever. Just encapsulation.
The appeal of GRE is its flexibility. It supports multicast. It supports routing protocols like OSPF and EIGRP. It can carry non-IP traffic. You can build point-to-point or multipoint tunnels with it. IPSec can't do most of that on its own.
⚠ Important
GRE by itself sends your data in plaintext. Anyone who can intercept the traffic can read it. For anything crossing a public or untrusted network, GRE alone is not enough.
GRE adds 24 bytes of encapsulation overhead to every packet (the new outer IP header plus the GRE header). That's not a huge deal on modern networks, but it's worth accounting for — especially on links with a low MTU. You'll need to set an appropriate MTU on your GRE tunnel interface to avoid fragmentation issues.
The protocol number for GRE is 47. Unlike UDP or TCP tunnels, it has no port number, which can complicate things with stateful firewalls that don't know how to handle it.
3. How Each Protocol Works at the Packet Level
Seeing what actually happens to a packet helps clarify why these protocols behave so differently in practice.
IPSec (ESP, Tunnel Mode) Packet Structure
Diagram: [ New IP Header ][ ESP Header ][ Original IP Header ][ Payload ][ ESP Trailer & Auth ]
The original IP header and entire payload are encrypted inside ESP. The new outer IP header routes the packet.
GRE Packet Structure
Diagram: [ New IP Header ][ GRE Header ][ Original IP Header ][ Payload ] (all plaintext)
GRE wraps the entire original packet — including inner header — but encrypts nothing. It's visible plaintext inside.
The diagrams make the difference obvious. IPSec hides and protects the inner content. GRE just moves it. If you need both routing flexibility and security, you'll need to combine them — which we'll get to shortly.
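To make the GRE layout above concrete, here is an added Python example (not code from the original article) that builds a GRE packet around a constructed inner IPv4/UDP packet, parses it back the way an on-path sniffer could, and derives the tunnel MTU from the measured 24-byte overhead. The addresses and payload are constructed sample values; the IPv4 headers are minimal (no options) and the GRE header is the basic RFC 2784 form.

```python
import struct
from ipaddress import ip_address

GRE_PROTO = 47            # IP protocol 47: no port number, hence the stateful-firewall trouble
ETHERTYPE_IPV4 = 0x0800   # GRE's "protocol type" field carries Ethertype values (0x86DD for IPv6)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 over a header whose checksum is already filled in."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(tun_src: str, tun_dst: str, inner: bytes, ethertype: int) -> bytes:
    """New outer IPv4 header + basic 4-byte GRE header (RFC 2784, no optional fields) + inner packet, untouched."""
    gre = struct.pack("!HH", 0x0000, ethertype)  # flags/version = 0, then protocol type
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE and return the inner packet; nothing here is hidden from an on-path observer."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not 47/GRE")
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # C (0x8000), K (0x2000) and S (0x1000) flags each add a 4-byte optional field (RFC 2784/2890)
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return {"outer_src": str(ip_address(packet[12:16])), "outer_dst": str(ip_address(packet[16:20])),
            "ethertype": ethertype, "inner": packet[ihl + gre_len:]}

def observer_view(packet: bytes) -> dict:
    """What a sniffer on the transit path reads from a GRE packet: outer and inner addresses alike."""
    d = gre_decapsulate(packet)
    if d["ethertype"] == ETHERTYPE_IPV4:  # inner header is plaintext, so its addresses are readable too
        d["inner_src"], d["inner_dst"] = str(ip_address(d["inner"][12:16])), str(ip_address(d["inner"][16:20]))
    return d

def gre_tunnel_mtu(link_mtu: int, inner: bytes, outer: bytes) -> int:
    return link_mtu - (len(outer) - len(inner))  # 1500 - (20 outer IPv4 + 4 GRE) = 1476, as in the text

def build_sample() -> tuple:
    # Constructed sample: a LAN-to-LAN IPv4/UDP packet tunnelled between two router WAN addresses
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 12) + b"\x00\x35\x00\x35\x00\x0c\x00\x00data"
    return inner, gre_encapsulate("203.0.113.1", "198.51.100.1", inner, ETHERTYPE_IPV4)
```

Call `observer_view(build_sample()[1])` to see that the inner LAN addresses and payload are fully readable from the transit network, which is the whole reason GRE alone is not enough across untrusted links.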
4. Key Differences: The Side-by-Side
Here's where IPSec and GRE actually diverge in ways that matter for network design:
| Feature | IPSec | GRE |
|---|---|---|
| Primary Function | Encryption & authentication | Protocol encapsulation |
| Encryption | Yes (AES, 3DES, ChaCha20) | No |
| Authentication | Yes (HMAC-SHA, RSA, PSK) | Optional (weak checksum only) |
| Multicast Support | No (natively) | Yes |
| Routing Protocol Support | No (can't run OSPF/EIGRP alone) | Yes (OSPF, EIGRP, BGP) |
| Non-IP Traffic | No | Yes (IPX, AppleTalk, etc.) |
| Overhead | Higher (crypto processing) | Lower (24-byte GRE header) |
| OSI Layer | Layer 3 | Layer 3 |
| IP Protocol Number | 50 (ESP), 51 (AH) | 47 |
| Firewall Friendliness | Good (NAT-T helps with NAT) | Fair (no ports, stateful firewalls struggle) |
| QoS / Traffic Marking | Limited (encrypted headers) | Better (unencrypted outer header) |
5. IPSec: Where It Shines and Where It Struggles
IPSec is the right choice when your primary concern is security. Site-to-site VPNs, remote access, compliance-driven environments — IPSec was built for this. It gives you real encryption, integrity checking, and replay protection. That's not nothing.
Where it gets painful is routing. If you need OSPF adjacencies across a tunnel, or if your applications rely on multicast, IPSec alone can't help. It also adds CPU overhead on devices that don't have hardware crypto acceleration — something to keep in mind if you're running IPSec on a router without an AIM or ISM module.
✅ IPSec Advantages
- Strong encryption (AES-256, ChaCha20)
- Mutual authentication
- Replay attack protection
- Widely supported across vendors
- Works well with NAT-T for NAT traversal
- Standardized (RFC 4301–4309)
❌ IPSec Limitations
- No multicast or broadcast support
- Can't run dynamic routing protocols alone
- Unicast IP only (natively)
- CPU-intensive without hardware support
- Complex configuration and troubleshooting
6. GRE: What It Does Well and What It Can't Do
GRE's biggest advantage is how simple and flexible it is. You can tunnel almost anything through it. Routing protocols that rely on multicast — OSPF, EIGRP — work fine over a GRE tunnel. IPv6 traffic over an IPv4 backbone? GRE handles that. Legacy non-IP protocols that still exist in some enterprise environments? Also GRE.
But it's a point-to-point protocol by default, and that 24-byte header has to go somewhere. In environments with tight MTU constraints, GRE can cause fragmentation that kills performance and causes subtle bugs that take hours to diagnose.
✅ GRE Advantages
- Multicast and broadcast support
- Carries routing protocols (OSPF, EIGRP, BGP)
- Low protocol overhead
- Supports non-IP payloads
- Simple to configure
- Good QoS marking (unencrypted outer header)
❌ GRE Limitations
- Zero encryption — traffic is plaintext
- No authentication (beyond optional checksum)
- MTU issues and fragmentation risks
- Point-to-point by default
- Protocol 47 issues with stateful firewalls
7. GRE over IPSec: Why Engineers Combine Them
This is the combination that most enterprise network engineers end up using for site-to-site connectivity. You build a GRE tunnel first, then encrypt the whole thing with IPSec. GRE handles the routing flexibility. IPSec handles the security. Together they cover each other's weaknesses.
The way it works: the original packet gets encapsulated in a GRE header, and then the resulting GRE packet is encrypted and carried inside an IPSec tunnel. At the remote end, IPSec decrypts the outer layer and GRE de-encapsulates the inner packet.
GRE over IPSec — Packet Structure
Diagram: [ Outer IP Hdr ][ ESP Hdr ][ GRE Hdr ][ Original IP Hdr ][ Payload ][ ESP Trailer & Auth ]
This setup lets you run OSPF or EIGRP across the GRE tunnel, carry multicast traffic, and still have all of it protected by IPSec encryption. It's the standard approach for enterprise WAN connectivity.
💡 Engineer's Tip
When configuring GRE over IPSec on Cisco IOS, apply the IPSec crypto map to the physical interface, not the tunnel interface. The GRE tunnel interface gets its own IP addressing and routing configuration. The crypto map on the physical interface then encrypts the GRE-encapsulated traffic as it leaves.
8. Which One Should You Use?
The honest answer is that the right choice depends on what you're actually trying to do. Here's a practical breakdown:
Use IPSec alone when...
You need remote access VPN for end users, or a simple site-to-site link where only unicast IP traffic runs and you have no need for dynamic routing. It also fits compliance environments that require encryption at rest and in transit. IPSec is the right tool here.
Use GRE alone when...
You're on a trusted internal network and need to carry routing protocol traffic or multicast across a segment that doesn't natively support it. Lab environments, MPLS overlays with already-encrypted MPLS circuits, or legacy protocol transport are common examples.
Use GRE over IPSec when...
You're connecting enterprise sites across the public internet, need dynamic routing (OSPF, EIGRP) across the tunnel, AND need security. This is the most common real-world enterprise WAN design. Expect to see this on CCNP and CCIE exams for good reason.
Consider alternatives when...
Modern deployments increasingly use DMVPN (which uses GRE + IPSec + NHRP), SD-WAN solutions, or WireGuard. If you're building something new and the requirements aren't pulling you toward IPSec or GRE specifically, it's worth evaluating those options too.
9. Frequently Asked Questions
Can GRE carry IPv6 traffic over an IPv4 network?
Yes. This is one of the more practical uses of GRE — tunneling IPv6 packets through an IPv4 infrastructure that doesn't support dual-stack or native IPv6 routing. The IPv6 packet is treated as the payload, and the outer IPv4 header handles the transit.
Does IPSec work through NAT?
Not natively, because NAT modifies the IP header, which breaks IPSec's integrity checks. NAT-T (NAT Traversal, defined in RFC 3947) solves this by encapsulating IPSec packets inside UDP/4500. Most modern IPSec implementations support NAT-T automatically.
Is GRE over IPSec the same as IPSec over GRE?
No, and the order matters. With GRE over IPSec, the packet is GRE-encapsulated first, then IPSec encrypts the whole thing. With IPSec over GRE, the packet is IPSec-encrypted first, then placed inside a GRE tunnel. The first approach (GRE over IPSec) is far more common and is what most documentation refers to.
What MTU should I configure on a GRE tunnel?
A common starting point: if your physical interface MTU is 1500 bytes, subtract the GRE header (24 bytes) and set your tunnel MTU to 1476. If you're also running IPSec, subtract additional bytes for ESP overhead — a safe value in that case is typically 1400 bytes. Test with large pings and adjust based on your environment.
Which is better for a home or small business VPN?
IPSec (or WireGuard, which is simpler to configure and often faster). GRE doesn't make much sense in small-scale scenarios because the routing flexibility it offers isn't needed, and the lack of encryption is a liability. Most consumer VPN routers implement IPSec with IKEv2 or L2TP/IPSec.
10. Final Thoughts
IPSec and GRE aren't really competing protocols. They solve different problems, and in practice, they're often used together precisely because one covers what the other can't.
IPSec handles security. It encrypts, authenticates, and protects against replay attacks. If you're sending traffic across anything you don't control, you want IPSec involved.
GRE handles flexibility. It carries routing protocols, multicast, and non-IP traffic that IPSec simply can't move on its own. If your network design requires dynamic routing across a tunnel, GRE is usually in the picture.
The combination of GRE over IPSec is the go-to for enterprise site-to-site connectivity — and if you're moving into technologies like DMVPN or SD-WAN, you'll find those same building blocks underneath. Understanding both protocols well is time well spent.
Quick Summary
| Option | Best fit |
|---|---|
| IPSec alone | Simple site-to-site VPNs, remote access, compliance-heavy environments |
| GRE alone | Trusted internal networks, routing protocol transport, legacy protocols |
| GRE over IPSec | Enterprise WAN over public internet with dynamic routing — the most common real-world choice |