Correct Answer: B,C,E
Explanation/Reference:
Section: Enterprise Network Design
Explanation:
IP Security (IPSec) can provide data confidentiality, data integrity, and data origin authentication. IPSec is an open standard protocol that uses Encapsulating Security Payload (ESP) to provide data confidentiality.
ESP encrypts an entire IP packet and encapsulates it as the payload of a new IP packet. Because the entire IP packet is encrypted, the data payload and header information remain confidential. In addition, IPSec uses Authentication Header (AH) to ensure the integrity of a packet and to authenticate the origin of a packet. AH does not authenticate the identity of an IPSec peer; instead, AH verifies only that the source address in the packet has not been modified during transit. IPSec is commonly used in virtual private networks (VPNs).
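The AH integrity check described above, as an added Python example that is not part of the original explanation: the receiver recomputes a keyed hash over the packet with the fields routers legitimately change zeroed, so a TTL decrement still verifies while a rewritten source address does not. The key, addresses, SPI, transport-mode layout and the choice of HMAC-SHA-256-128 are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-secret!"  # constructed sample key
ICV_LEN = 16                               # HMAC-SHA-256-128 (assumed algorithm)
AH_LEN = 12 + ICV_LEN                      # fixed AH fields + ICV


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over the packet with mutable IPv4 fields and the ICV itself zeroed."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                 # DSCP/ECN may change in transit
    ip[6:8] = b"\x00\x00"     # flags and fragment offset
    ip[8] = 0                 # TTL is decremented by every router
    ip[10:12] = b"\x00\x00"   # header checksum changes with TTL
    ah = bytearray(ah_hdr)
    ah[12:] = bytes(ICV_LEN)
    mac = hmac.new(key, bytes(ip) + bytes(ah) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def protect(key, src, dst, ttl, payload, spi=0x1000, seq=1):
    """Build IPv4 + AH (transport mode) + payload; all values are constructed."""
    # next header 6 (TCP), AH length in 32-bit words minus 2, reserved, SPI, seq
    ah = struct.pack("!BBHII", 6, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + AH_LEN + len(payload),
                     0x1234, 0, ttl, 51, 0,   # protocol 51 = AH; checksum left 0
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ah[:12] + ah_icv(key, ip, ah, payload) + payload


def verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    return hmac.compare_digest(ah[12:], ah_icv(key, ip, ah, payload))


def rewrite(packet, offset, new_bytes):
    """Simulate an in-transit change at a byte offset."""
    return packet[:offset] + new_bytes + packet[offset + len(new_bytes):]


if __name__ == "__main__":
    pkt = protect(KEY, "192.0.2.10", "198.51.100.20", 64, b"constructed payload")
    print("unmodified:      ", verify(KEY, pkt))
    print("TTL 64 -> 63:    ", verify(KEY, rewrite(pkt, 8, b"\x3f")))
    print("source rewritten:", verify(KEY, rewrite(pkt, 12, socket.inet_aton("203.0.113.5"))))
```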
Generic Routing Encapsulation (GRE), not IPSec, provides broadcast and multicast packet encapsulation.
GRE is a Cisco-proprietary protocol that can tunnel traffic from one network to another without requiring the transport network to support the network protocols in use at the tunnel source or tunnel destination. For example, a GRE tunnel can be used to connect two AppleTalk networks through an IP-only network.
Because the focus of GRE is to transport many different protocols, it has very limited security features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can transport only IP traffic.
GRE over IPSec combines the best features of both protocols to securely transport any protocol over an IP network.
Reference:
Cisco: Configuring Security for VPNs with IPsec: IPsec Functionality Overview