Friday, September 28, 2007

Routing protocol in IPSEC tunnel mode?

Q: Why can't you run a routing protocol in IPSEC tunnel mode? Why do you need GRE to run a routing protocol?

A: Hi …,
You can run routing protocols in IPSEC tunnel mode. You don't always need GRE.

In the past this was not possible because of a limitation of the IPSEC termination gateways: the gateways could not participate in routing, and tunnel mode encapsulated the whole packet including its IP header, so there was no interface for a routing protocol to run over. To get around this we tunneled the traffic in GRE.

Today many modern IPSEC gateways (e.g. Check Point, Juniper, Cisco, etc.) support route-based VPNs via virtual tunnel interfaces (VTI). There is no standard for the implementation (most functions are proprietary), so inter-vendor (e.g. Check Point to Juniper) route-based VPNs are very difficult. But if you have a single brand of gateways, you can route inside VPN tunnels easily. We have migrated proprietary telco MPLS networks to IPSEC VPNs while keeping the redundancy with dynamic route-based VPNs.
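A single-vendor illustration of the difference, added here and not taken from the original post: a Cisco IOS configuration in the two styles, with constructed addresses from the RFC 5737 documentation ranges and a placeholder pre-shared key. The legacy crypto map form gives OSPF no interface to form an adjacency over; the VTI form does.

```cisco
! --- Shared IKE / IPsec settings (constructed example, not the post's) ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel

! --- 1. Legacy policy-based VPN (crypto map), shown for contrast ---
! Only traffic matching the crypto ACL is protected. OSPF hellos go to
! 224.0.0.5 on the physical interface, match no ACL entry and have no
! tunnel interface to peer over, so reachability has to be static.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
ip route 192.168.2.0 255.255.255.0 203.0.113.254

! --- 2. Route-based VPN (VTI): same tunnel-mode IPsec, but routable ---
! The VTI negotiates an any-to-any traffic selector, so no crypto ACL is
! needed; whatever the routing table sends into Tunnel0 is encrypted.
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! OSPF now forms an adjacency across the tunnel and learns the remote
! LAN dynamically, which is what gives redundancy with a second tunnel.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

The peer mirrors the Tunnel0 block with its own source and destination swapped; with a second VTI to a backup gateway, OSPF costs select the path and failover needs no crypto map changes.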

On the other side, Cisco is trying to reinvent the wheel by bringing back the 10-year-old transport-mode VPNs (encrypting only the payload, not the IP header) in order to make MPLS networks more secure and scalable. This Cisco Group Encrypted Transport VPN promises to address multicast VPN problems as well.

All vendors have a range of solutions for different scenarios, so it would be best to run a proof of concept before production deployment.

cheers,
- yinal
