
NE40E V800R010C10SPC500 Feature Description - Security 01

GRE over IPsec

IPsec on its own cannot carry multicast, broadcast, or non-IP packets, and GRE on its own provides neither authentication nor encryption. GRE over IPsec combines the two: multicast and broadcast packets are first encapsulated using GRE, and the resulting unicast GRE packets are then encrypted using IPsec. In addition, the GRE tunnel interface collects statistics on the volume of traffic that has been encrypted and decrypted. When gateways are interconnected in GRE over IPsec mode, each gateway encapsulates packets using GRE first and then IPsec. Figure 13-35 shows the encapsulation format, using ESP in tunnel mode as an example.
Figure 13-35 GRE over IPsec encapsulation mode (tunnel mode)

During IPsec encapsulation, IPsec adds a new outer IP header. Its source address is the address of the local IPsec gateway interface to which the IPsec policy is applied, and its destination address is the address of the IPsec peer's interface to which the corresponding IPsec policy is applied.

The data flow protected by IPsec is the GRE traffic between the GRE tunnel source and the GRE tunnel destination, so the IPsec policy must match that flow rather than the original multicast or broadcast packets. In the IP header added during GRE encapsulation, the source address is the GRE tunnel source address and the destination address is the GRE tunnel destination address.
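The encapsulation order and the addressing of the two added IP headers can be checked by building the packet stack by hand. The following Python script is an added example, not part of the Huawei documentation or the NE40E software: it constructs an OSPF hello destined for the 224.0.0.5 multicast group (a constructed stand-in payload), wraps it in GRE between assumed tunnel endpoints 10.1.1.1/10.1.1.2, then wraps that in an ESP tunnel-mode packet between assumed IPsec interfaces 203.0.113.1/203.0.113.2. The ESP body is left in the clear and no ICV is appended; only the header layering and the IPsec selector logic are modelled. It also shows why the IPsec policy ACL must match GRE (protocol 47) between the tunnel endpoints: the raw multicast packet never matches such a selector, the GRE packet does.

```python
"""GRE over IPsec (ESP tunnel mode): build the header stack and dissect it.

Added example. All addresses are assumptions; the OSPF payload is a
constructed stand-in. ESP payload is NOT encrypted and carries no ICV here.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4        # next-header value used in the ESP trailer for IPv4-in-ESP
IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_OSPF = 89
ETHERTYPE_IPV4 = 0x0800

# Assumed addressing (hypothetical lab values).
GRE_SRC, GRE_DST = "10.1.1.1", "10.1.1.2"              # GRE tunnel source/destination
IPSEC_SRC, IPSEC_DST = "203.0.113.1", "203.0.113.2"    # interfaces with the IPsec policy applied
LAN_SRC, OSPF_ALLSPF = "192.168.1.1", "224.0.0.5"      # inner multicast flow


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def gre_encapsulate(inner_ip_packet):
    """GRE header (no checksum/key/sequence, protocol type IPv4) plus delivery IP header."""
    payload = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_ip_packet
    return ipv4_header(GRE_SRC, GRE_DST, IPPROTO_GRE, len(payload)) + payload


def esp_tunnel_encapsulate(ip_packet, spi, seq):
    """ESP tunnel mode: outer IP header + SPI/seq + (unencrypted) packet + pad + trailer.

    Real ESP encrypts payload and trailer and appends an ICV; that is omitted here.
    Padding follows RFC 4303: bytes 1,2,... so that pad_len/next_header end on a
    4-byte boundary.
    """
    pad_len = (-(len(ip_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, IPPROTO_IPIP)
    payload = struct.pack("!II", spi, seq) + ip_packet + trailer
    return ipv4_header(IPSEC_SRC, IPSEC_DST, IPPROTO_ESP, len(payload)) + payload


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return ("IPv4", src, dst, buf[9]), buf[ihl:total]


def dissect(pkt):
    """Walk the stack outer IP -> ESP -> GRE delivery IP -> GRE -> inner IP -> payload."""
    layers, buf, proto = [], pkt, IPPROTO_IPIP
    while buf:
        if proto == IPPROTO_IPIP:
            hdr, buf = parse_ipv4(buf)
            layers.append(hdr)
            proto = hdr[3]
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", buf[:8])
            pad_len, next_hdr = buf[-2], buf[-1]
            layers.append(("ESP", spi, seq))
            buf, proto = buf[8:len(buf) - 2 - pad_len], next_hdr
        elif proto == IPPROTO_GRE:
            _flags, ptype = struct.unpack("!HH", buf[:4])
            layers.append(("GRE", ptype))
            buf, proto = buf[4:], (IPPROTO_IPIP if ptype == ETHERTYPE_IPV4 else None)
        else:
            layers.append(("payload", proto, len(buf)))
            break
    return layers


def selector_matches(ip_packet, rule):
    """Model of the ACL an IPsec policy uses: (src_prefix, dst_prefix, ip_protocol)."""
    (_, src, dst, proto), _ = parse_ipv4(ip_packet)
    return (ipaddress.IPv4Address(src) in ipaddress.ip_network(rule[0])
            and ipaddress.IPv4Address(dst) in ipaddress.ip_network(rule[1])
            and proto == rule[2])


# Selector for GRE over IPsec: protect GRE between the tunnel endpoints.
GRE_OVER_IPSEC_ACL = (GRE_SRC + "/32", GRE_DST + "/32", IPPROTO_GRE)


def build_example():
    ospf_hello = b"\x02\x01" + b"\x00" * 22   # constructed 24-byte OSPFv2 hello stand-in
    inner = ipv4_header(LAN_SRC, OSPF_ALLSPF, IPPROTO_OSPF, len(ospf_hello)) + ospf_hello
    gre = gre_encapsulate(inner)
    return inner, gre, esp_tunnel_encapsulate(gre, spi=0x1000, seq=1)


if __name__ == "__main__":
    inner, gre, esp = build_example()
    print("raw multicast matches GRE selector:", selector_matches(inner, GRE_OVER_IPSEC_ACL))
    print("GRE packet matches GRE selector:   ", selector_matches(gre, GRE_OVER_IPSEC_ACL))
    for layer in dissect(esp):
        print(layer)
```

The dissected stack reads outer IPv4 (203.0.113.1 to 203.0.113.2, protocol 50), ESP, the GRE delivery IPv4 header (10.1.1.1 to 10.1.1.2, protocol 47), the GRE header, and finally the inner multicast IPv4 packet; that is exactly the order Figure 13-35 describes. Swapping the two encapsulation steps (IPsec over GRE) would place the multicast packet directly under ESP, where a tunnel-mode selector between two unicast gateways cannot match it.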

Many applications run over GRE over IPsec, for example Border Gateway Protocol (BGP), Label Distribution Protocol (LDP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and IPv6. They all follow the same principle: the protocol packets are encapsulated into IP packets using GRE, and the GRE packets are then transmitted over the IPsec tunnel.

Both intra-board GRE over IPsec and inter-board GRE over IPsec are supported.
  • When inter-board GRE over IPsec is deployed, the GRE tunnel board performs GRE encapsulation and decapsulation, and the IPsec service board performs IPsec encryption and decryption. Packets entering the tunnel are encapsulated as GRE packets on the GRE tunnel board, sent to the IPsec service board for IPsec encryption, and then forwarded through the tunnel. Packets received from the tunnel are sent to the IPsec service board for decryption, decapsulated on the GRE tunnel board, and then forwarded to their destination. This deployment mode is applicable to multicast, broadcast, LDP, and IPv6 packets.
  • When intra-board GRE over IPsec is deployed, the IPsec service board performs both the GRE encapsulation and the IPsec encryption and decryption. This deployment mode is applicable only to IPv4 unicast packets.

IPsec over GRE is another way of combining IPsec and GRE: packets are encapsulated using IPsec first and then GRE. Because the IPsec encapsulation is applied before GRE, this mode does not fully exploit the advantages of either technology and does not support multicast, broadcast, or non-IP packets. Therefore, it is not recommended.

Updated: 2019-01-03

Document ID: EDOC1100055047
