GRE was developed as a tunneling tool meant to carry any OSI Layer 3 protocol over an IP network. In essence, GRE creates a private point-to-point connection like that of a virtual private network (VPN).
GRE works by encapsulating a payload -- that is, an inner packet that needs to be delivered to a destination network -- inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks. Other IP routers along the way do not parse the payload (the inner packet); they only parse the outer IP packet as they forward it towards the GRE tunnel endpoint. Upon reaching the tunnel endpoint, GRE encapsulation is removed and the payload is forwarded along to its ultimate destination.
- GRE tunnels encase multiple protocols over a single-protocol backbone.
- GRE tunnels provide workarounds for networks with limited hops.
- GRE tunnels connect discontinuous sub-networks.
- GRE tunnels allow VPNs across wide area networks (WANs).
While GRE provides a stateless, private connection, it is not considered a secure protocol because it does not use encryption like the IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406.