I’ve been always using ipsec tunnels on cisco routers without any doubghts, but now I’ve read about:
gre tunnels without encryption.
ipsec tunnels with encryptions
ipsec over gre, when we encrypt packet with ipsec and send it via gre
gre over ipsec - i don’t know what for.
My situation, I have:
1.hardware server with soft-router on RouterOS in VM and 4 servers in VMs.
2.Two dedicated offices with Mikrotik hardware routers.
I need to make access from each office’s subnet to Datacenter subnet to access internal recources.
ipsec over gre - ipsec packet encapsulated into the GRE i.e. GRE outer header added to the ipsec packets
gre over ipsec - GRE packets encapsulated into ipsec i.e. GRE packets encrypted by ipsec (ipsec outer header added).
I prefer the second for office interconnection.
Why? You create GRE tunnel, encrypt it by single rules and can route any traffic inside encrypted GRE without any additional changes to ipsec config. You just encrypt all gre traffic between two global ip addresses (two offices).
Plus you will get all GRE functionality like automatic MTU adjusting.
In first case you have proper pairs of ipsec rules for all combinations of subnets on both ends of ipsec like ipsec without gre
I.e. I don’t see reason of sending ipsec packets inside gre - you will got only more payload and packets fragmentation.