GRE over IPsec (Cisco ASA 9.7) – Old vs New Way Explained
This guide explains how GRE over IPsec evolved in Cisco ASA environments. We will break down the old complex method and the new simplified ASA 9.7 method in a structured, beginner-friendly way.
Table of Contents
- Introduction
- What is GRE?
- What is IPsec?
- Simple Networking Math (Encapsulation Model)
- Old Way (Pre-ASA 9.7)
- New Way (ASA 9.7+)
- Comparison Table
- CLI Output Examples
- Key Takeaways
Introduction
GRE over IPsec is used to securely connect remote networks over the internet.
It combines:
- GRE → for encapsulating multiple protocols
- IPsec → for encryption and security
Together, they create a secure tunnel between sites.
What is GRE?
Generic Routing Encapsulation (GRE) is a tunneling protocol.
Example:
```
Original Packet → [IP Packet]
GRE Tunnel      → [GRE Header + IP Packet]
```
What is IPsec?
IPsec encrypts traffic so it cannot be read during transmission.
It ensures:
- Confidentiality
- Integrity
- Authentication ✔️
Simple Math Behind GRE + IPsec Encapsulation
Let's look at the overhead in simple terms.
Original Packet Size:
\[ P = 1500 \text{ bytes} \]
GRE adds overhead:
\[ G = 24 \text{ bytes} \]
IPsec adds overhead:
\[ I = 50 \text{ bytes} \]
Total Packet Size:
\[ T = P + G + I \]
\[ T = 1500 + 24 + 50 = 1574 \text{ bytes} \]
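As an added example (not part of the original guide), the following Python builds the GRE encapsulation described above byte for byte (a 4-byte GRE header plus a new 20-byte outer IPv4 header, which is where G = 24 comes from) and then applies the guide's fixed IPsec overhead I = 50 to check the total T against a link MTU. The 10.1.1.1 / 10.2.2.2 addresses are taken from the guide's configuration; the 1500-byte link MTU and the constant IPsec overhead are assumptions, since real ESP overhead varies with cipher and padding.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_IPV4 = 0x0800  # protocol type carried in the GRE header for an IPv4 payload
IP_PROTO_GRE = 47        # outer IPv4 header protocol number meaning "GRE inside"
IPSEC_OVERHEAD = 50      # the guide's working figure I = 50 bytes (assumed constant; real ESP overhead varies)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner_packet: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Wrap an IP packet in a basic GRE header (RFC 2784) plus a new outer IPv4 header.

    This is the guide's 'G = 24 bytes' step: 4 bytes of GRE header + 20 bytes of outer IP header.
    """
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # no C/K/S flags, version 0
    total_len = 20 + len(gre_header) + len(inner_packet)
    outer = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, total_len, 0, 0x4000, ttl, IP_PROTO_GRE, 0,  # DF set, checksum 0
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]  # fill checksum field
    return outer + gre_header + inner_packet


def gre_ipsec_budget(inner_len: int, link_mtu: int = 1500) -> dict:
    """Apply the guide's model T = P + G + I and report whether T fits the link MTU.

    G is measured from a real encapsulation of a constructed (zero-filled) inner packet,
    I is the fixed IPSEC_OVERHEAD above; 'tunnel_mtu' is the largest inner packet that still fits.
    """
    probe = gre_encapsulate(bytes(inner_len), "10.1.1.1", "10.2.2.2")  # addresses from the guide's example
    g = len(probe) - inner_len
    t = inner_len + g + IPSEC_OVERHEAD
    return {"P": inner_len, "G": g, "I": IPSEC_OVERHEAD, "T": t,
            "fits": t <= link_mtu, "tunnel_mtu": link_mtu - g - IPSEC_OVERHEAD}


if __name__ == "__main__":
    print(gre_ipsec_budget(1500))  # T = 1574 > 1500: fragmentation unless tunnel MTU / MSS is lowered
```

For the guide's 1500-byte packet the result is T = 1574, which does not fit a 1500-byte link, so in practice the tunnel MTU (or the TCP MSS) has to be lowered to avoid fragmentation.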
⚠️ Old Way (Pre-ASA 9.7)
This method was complex and required multiple devices.
Key Problems
- GRE handled by routers
- IPsec handled by ASA
- More configuration effort
- Higher latency
Configuration Example
```
! Router: GRE tunnel endpoint
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source 10.1.1.1
 tunnel destination 10.2.2.2
! ASA: IPsec protection for the GRE traffic between the two tunnel endpoints
access-list GRE_ACL permit gre host 10.1.1.1 host 10.2.2.2
crypto map GRE_MAP 10 match address GRE_ACL
crypto map GRE_MAP 10 set peer 10.2.2.2
crypto map GRE_MAP interface outside
```
CLI Output
```
Tunnel Status: UP
Crypto Map Applied: YES
Routing: STATIC
```
New Way (ASA 9.7+)
Cisco introduced native GRE support in ASA 9.7.
Benefits
- Less configuration
- No external router required
- Better performance
- Supports dynamic routing
Configuration Example
```
! ASA 9.7+: the tunnel interface is protected directly by an IPsec profile
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 10.2.2.2
 tunnel protection ipsec profile GRE_IPSEC_PROFILE
```
Old vs New Comparison
| Feature | Old Way | New Way (ASA 9.7+) |
|---|---|---|
| GRE Handling | Router | ASA |
| IPsec Handling | ASA | ASA |
| Complexity | High | Low |
| Routing Support | Static mostly | Dynamic (OSPF/BGP) |
| Performance | Lower | Higher |
CLI Output Simulation
New ASA Output
```
Tunnel0 is UP
IPsec SA Established
GRE encapsulation active
Dynamic Routing: OSPF Enabled
```
Old Setup Output
```
Tunnel0 is UP
Crypto Map Applied
External Router Required
Routing: STATIC ONLY
```
Key Takeaways
- GRE = packet encapsulation
- IPsec = encryption layer
- Old method = complex multi-device setup
- New method = unified ASA solution
- Performance improves with ASA 9.7+
Final Conclusion
The transition from the old GRE-over-IPsec method to ASA 9.7’s integrated approach significantly reduces complexity and improves performance.
For modern enterprise networks, the new method is clearly the recommended design.