Edelweiss - Fotolia

What's the difference between GRE and IPsec tunnels?

IPsec provides more comprehensive security for IP tunneling, while GRE tunnels work well when network teams need to tunnel with multiple protocols or multicast.

Generic Routing Encapsulation, or GRE, and IPsec both encase packets, but the two protocols have different requirements when it comes to security, data privacy and encryption.

Let's explore each protocol and discuss the best use cases for each method of tunneling.

Generic Routing Encapsulation (GRE)

GRE, defined by RFC (Request for Comments) 2784 and updated by RFC 2890, creates an unencrypted tunnel that encapsulates an arbitrary protocol over another arbitrary network layer protocol. It can encapsulate any Layer 3 protocol that uses a valid Ethertype, enabling it to transport a variety of protocols, including IP multicast packets. GRE is best used over a trusted network path because the packets aren't encrypted, but it can be combined with an IPsec tunnel if encryption is required.

GRE headers are added to the packet that is being forwarded. The outer and inner headers are frequently IP headers but may be other Layer 3 protocols.

A GRE header can be between 4 bytes and 16 bytes long, depending on which options are enabled, with a default of 4 bytes. When used over IP, the minimum additional overhead is 24 bytes -- 20 bytes of IP outer header and 4 bytes of GRE header.

GRE packet

IP in IP, a similar protocol, only tunnels IP packets over IP networks and adds 20 bytes of encapsulating IP header.


IPsec, summarized in RFC 6071, is a suite of protocols that creates an encrypted tunnel over an IP network. Its encryption and authentication mechanisms prevent eavesdropping and data modification, which explains the term virtual private network (VPN). IPsec tunnels are frequently used to provide a secure data path between an organization's branches or mobile users and the home office or data center. VPN tunnel terminations can be network gateways at branches or home devices.

IPsec packet

The IPsec encapsulation header size depends on the mode; it's typically 50 bytes to 57 bytes, depending on the padding that is needed to create packets that are a multiple of 8 bytes.

Common characteristics between GRE and IPsec

GRE and IPsec protocols share some similar characteristics, including the following:

Teams can combine GRE on top of IPsec when they need GRE's multiprotocol functionality combined with IPsec's data protection.
  • Single virtual hop. A GRE tunnel and IPsec tunnel each appears as a single virtual hop, even though it may traverse many links between the tunnel endpoints.
  • Increased packet size. The additional headers for both protocols increase the packet size, which can cause packet fragmentation that degrades network performance. Modern OSes use TCP Path Maximum Transmission Unit Discovery (PMTUD) to automatically determine the largest packet. However, PMTUD doesn't work for User Datagram Protocol. The alternative is to manually configure the MTU on the network so IP fragmentation occurs outside the tunnel.
  • Increased overhead when combined. IT teams can securely tunnel non-IP or multicast packets by configuring a GRE tunnel over an IPsec tunnel. The overhead increases when both protocols are used in combination.

When to use GRE vs. IPsec

IT teams should use IPsec when they require secure IP tunneling. They should use GRE when they require tunneling without privacy and when they need to tunnel multiple protocols or multicast. Teams can combine GRE on top of IPsec when they need GRE's multiprotocol functionality combined with IPsec's data protection. Finally, keep in mind MTU issues when using tunnels.

Dig Deeper on Network infrastructure

Unified Communications
Mobile Computing
Data Center