AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
How Do I Configure GRE over IPSec/IPSec over GRE?

IPSec tunnels only support encapsulation and encryption of unicast packets, whereas GRE tunnels support encapsulation and encryption of both unicast and multicast packets. However, GRE tunnels are insecure. Huawei AR series routers leverage the advantages of IPSec and GRE and communicate with each other using IPSec over GRE or GRE over IPSec. GRE over IPSec is supported by all AR models and versions, whereas IPSec over GRE is supported only by AR models that run V200R005C10 or later versions.

  • IPSec over GRE

    IPSec over GRE technology uses GRE to encapsulate packets that have been encapsulated using IPSec. IPSec over GRE implements IPSec encryption on tunnel interfaces. The system detects data flows that need to be encrypted on tunnel interfaces (an ACL is configured to match data flows between two user network segments). Any packets that match the ACL are encapsulated into IPSec packets and then into GRE packets before they are transmitted over the tunnel. Packets that do not match the ACL are directly transmitted over the GRE tunnel without being encapsulated using IPSec, which means these packets are not transmitted in a secure manner. In addition, a GRE tunnel is not protected by IPSec while it is set up.

    For the configuration procedure, see:

    • Example for Establishing IPSec over GRE Using a Tunnel Interface
    • Example for Configuring IPSec over GRE to Implement Secure Communication Between the Headquarters and Branch
  • GRE over IPSec

    GRE over IPSec technology uses IPSec to encapsulate packets that have been encapsulated by GRE. GRE over IPSec implements IPSec encryption on physical interfaces. The system detects GRE data flows that need to be encrypted on physical interfaces (an ACL is configured to match GRE data flows between two gateways). In this way, all data flows that are transmitted over the GRE tunnel are protected by IPSec. The GRE tunnel is also protected by IPSec while it is set up.

    GRE over IPSec supports encapsulation in both tunnel and transport modes. In tunnel mode, an IPSec packet header is inserted into packets. As a result, packets are longer and tend to be fragmented. GRE over IPSec is recommended to prevent unnecessary fragmentation. For the detailed configuration, see:
    • Example for Configuring GRE Over IPSec to Implement Communication Between Devices
    • Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
    • Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)
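
The difference in coverage between the two designs can be checked with a small model. This is an added example, not part of the Huawei documentation. It assumes constructed addresses and flows, and it assumes ESP in tunnel mode for the IPSec over GRE case. For each flow routed into the tunnel it returns the header stack on the wire and lists the flows that would leave the router without ESP.

```python
import ipaddress

# Constructed sample values, not from the page: the two user segments named in
# the IPSec over GRE ACL, and three flows routed into the GRE tunnel.
ACL = (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24"))
FLOWS = [
    ("user data", "10.1.1.10", "10.1.2.20"),
    ("OSPF hello (multicast)", "10.3.1.1", "224.0.0.5"),
    ("subnet missing from ACL", "10.1.3.10", "10.1.2.20"),
]

def acl_matches(src, dst):
    """True if the flow is between the two user segments the ACL lists."""
    return ipaddress.ip_address(src) in ACL[0] and ipaddress.ip_address(dst) in ACL[1]

def wire_stack(design, src, dst, mode="transport"):
    """Headers on the wire, outermost first, for a packet routed into the tunnel."""
    if design == "ipsec-over-gre":
        # IPSec runs on the tunnel interface and sees the user flow itself.
        if acl_matches(src, dst):
            return ["IP", "GRE", "IP", "ESP", "IP(user)"]  # assumes ESP tunnel mode
        return ["IP", "GRE", "IP(user)"]  # no ACL match: plain GRE
    if design == "gre-over-ipsec":
        # IPSec runs on the physical interface and sees only gateway-to-gateway
        # GRE, so its ACL matches every packet the tunnel carries.
        if mode == "tunnel":
            return ["IP", "ESP", "IP", "GRE", "IP(user)"]
        return ["IP", "ESP", "GRE", "IP(user)"]
    raise ValueError(f"unknown design: {design}")

def is_encrypted(stack):
    """The user packet (always last in the stack) is protected only if ESP wraps it."""
    return "ESP" in stack

def exposed_flows(design, mode="transport"):
    """Names of sample flows that would cross the WAN without ESP."""
    return [name for name, src, dst in FLOWS
            if not is_encrypted(wire_stack(design, src, dst, mode))]

def outer_ip_headers(stack):
    """Number of IP headers added in front of the user packet."""
    return stack.count("IP")

if __name__ == "__main__":
    for design in ("ipsec-over-gre", "gre-over-ipsec"):
        print(design, "->", exposed_flows(design) or "nothing exposed")
```

When reviewing an IPSec over GRE deployment, the flows this model reports as exposed are the ones to look for: anything routed into the tunnel that the ACL does not list, including routing-protocol multicast.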
Updated: 2019-05-10

Document ID: EDOC1000079719
