IPsec tunnel mode encrypts a whole IP packet and sends it as the payload of another IP packet. I have always used GRE as the encapsulation layer when doing IPsec encryption. However, how could I have the same behavior with a router that supports IPsec but does not implement GRE?
IPsec Tunnel Mode Without GRE – How It Works
Best Answer
In GRE+IPsec the original IP packet is encapsulated in a GRE tunnel packet. The GRE packet is then encapsulated in the IPsec packet.
The most common reason for doing this is to allow broadcast and multicast across the tunnel. Neither is supported by IPsec alone. GRE can also encapsulate non-IP traffic, which IPsec does not support.
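The layering described in the answer, as an added example that is not part of the original answer: a multicast OSPF hello is wrapped in GRE, so the packet handed to IPsec is an ordinary unicast IP packet carrying protocol 47. The addresses and payload are constructed, and the example stops before the ESP step, which would encrypt the outer packet built here.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
OSPF_PROTO = 89           # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    head = head[:10] + struct.pack("!H", checksum(head)) + head[12:]
    return head + payload

def gre_wrap(inner: bytes) -> bytes:
    """Basic 4-byte GRE header: no flags, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner

def describe(packet: bytes) -> list:
    """Walk the nesting and return (src, dst, proto) for each IPv4 layer."""
    layers = []
    while True:
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        layers.append((socket.inet_ntoa(packet[12:16]),
                       socket.inet_ntoa(packet[16:20]), proto))
        if proto != GRE_PROTO:
            return layers
        packet = packet[ihl + 4:]  # skip this IP header and the GRE header

# Constructed sample: an OSPF hello sent to the all-OSPF-routers group.
inner = ipv4("10.0.0.1", "224.0.0.5", OSPF_PROTO, b"constructed-ospf-hello")
# Outer packet between the two tunnel endpoints (documentation addresses).
outer = ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO, gre_wrap(inner))

if __name__ == "__main__":
    for depth, layer in enumerate(describe(outer)):
        print(depth, layer)
```

The first layer printed is the unicast GRE packet between the tunnel endpoints; the multicast destination appears only in the second, inner layer.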