GRE Tunnels Explained: Connecting Sites Over the Internet
A GRE (Generic Routing Encapsulation) tunnel creates a virtual point-to-point link between two routers over any network — making distant sites act as if directly connected. Crucially, GRE can carry multicast and routing protocols that plain IPsec cannot.
How it works
GRE wraps the original packet inside a new IP header addressed between the two tunnel endpoints. To the routing table, the tunnel is just another interface — you can run OSPF or EIGRP across it. That's its superpower: it makes the internet look like a private link that dynamic routing can traverse.
GRE alone isn't secure
GRE tunnels anything but encrypts nothing: anyone capturing the traffic can read it. The standard combination is GRE over IPsec, where GRE carries the multicast and routing traffic and IPsec provides the encryption. This pairing underlies enterprise WAN designs and DMVPN, and is core CCNP VPN material.
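The encapsulation and the lack of encryption described above, shown as an added Python example (not code from the original article): it wraps a constructed OSPF-style packet in a basic GRE header and an outer IP header, then reads it back the way any capture on the path could. The addresses, payload and function names are assumptions chosen for illustration.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47           # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" when the passenger is IPv4

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 to keep the example short)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def gre_encapsulate(inner, tun_src, tun_dst):
    """Outer IP header between the tunnel endpoints + 4-byte GRE header + original packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no optional fields, version 0
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def parse_ipv4(pkt):
    """Pull addresses, protocol number and payload out of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}

def read_gre_capture(captured):
    """Recover outer and inner headers from captured bytes; no key is needed."""
    outer = parse_ipv4(captured)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger protocol is not IPv4")
    # Checksum (0x8000), key (0x2000) and sequence (0x1000) bits each add 4 bytes.
    offset = 4 + 4 * bin(flags & 0xB000).count("1")
    return outer, parse_ipv4(outer["payload"][offset:])

# Constructed sample: an OSPF-style packet (IP protocol 89) to the AllSPFRouters
# multicast group, tunnelled between two documentation-range endpoints.
HELLO = b"constructed-ospf-hello"
INNER = ipv4_header("10.1.1.1", "224.0.0.5", 89, len(HELLO)) + HELLO
PACKET = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    outer, inner = read_gre_capture(PACKET)
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:", inner["src"], "->", inner["dst"], "proto", inner["proto"])
    print("inner payload in cleartext:", inner["payload"])
```

With GRE over IPsec, the GRE header and everything inside it would sit in the encrypted ESP payload instead of being readable like this.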
Frequently asked questions
What is a GRE tunnel used for?
Creating a virtual point-to-point link between routers over any network, able to carry multicast and routing protocols that IPsec alone cannot.
Does GRE encrypt traffic?
No — GRE only encapsulates. For security it's paired with IPsec (GRE over IPsec), which adds the encryption.
Why run routing protocols over GRE?
Because a GRE tunnel appears as a normal interface, OSPF/EIGRP can run across it — letting sites exchange routes over the internet as if privately linked.