
I need to connect to L2 networks over the internet, which means I'll need some form of security as well. The first obvious idea is IPSec, but what I'm not sure about is whether I need GRE over IPSec or simply IPSec. As far as I remember GRE is combined with IPSec because IPSec cannot handle multicast and non-IP messages. But VPLS can handle this, or am I wrong here?

Seathorn
    VPLS requires a MPLS infrastructure. You can do GRE over IPSec. Depending on your needs, you should also look at VXLAN. – Ron Trunk Jun 29 '23 at 12:26
  • Some of the do's and don'ts and caveats with L2-over-Internet were covered in https://networkengineering.stackexchange.com/questions/64505/vlans-over-internet/64510#64510 – Marc 'netztier' Luethi Jun 29 '23 at 13:16
  • Has any answer solved your question? Then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers. – Zac67 Jul 29 '23 at 17:40

1 Answer

As far as I remember GRE is combined with IPSec because IPSec cannot handle multicast and non-IP messages. But VPLS can handle this, or am I wrong here?

IPSec cannot handle MPLS labeled packets, so if MPLS needs to be IPSec encrypted, you'll need to add GRE in between (at the cost of another 24 bytes of MTU). Lacking experience with VPLS, I could not say for certain, but chances are this restriction will very probably apply to VPLS, too. It's just MPLS-tagged Ethernet frames instead of MPLS-tagged IP packets, after all.

IPSec can handle multicast, in two ways: a) by adding GRE or b) if you run it with "real" tunnels ("sVTI/dVTI", "routed mode", "interface mode"; the terms vary by vendor). In either mode, you can even have a PIM neighborship through an IPSec tunnel between two PIM routers, and you can run dynamic routing protocols through such a tunnel (OSPF, EIGRP, RIP), even if they base their neighbor discovery on multicast.

That being said, L2 extension over a routed network not under your own full control is not for the faint of heart. You really need to know what you're doing.

Marc 'netztier' Luethi
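The 24-byte GRE cost and the MTU caveat from the answer, worked through as an added example (not code from the thread): it models the Ethernet/MPLS -> GRE -> ESP tunnel-mode stack, computes the on-the-wire size for the standard header sizes (RFC 2784 GRE, RFC 4303 ESP, RFC 3032 label entry), and finds the largest inner frame that crosses a given path MTU without fragmentation. The two ESP profiles (AES-CBC with HMAC-SHA-256-128, AES-GCM-16) are assumptions chosen for illustration.

```python
"""Encapsulation overhead for L2-over-GRE-over-IPsec (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class EspProfile:
    name: str
    iv: int     # per-packet IV bytes carried in the ESP payload
    block: int  # alignment of (payload + 2-byte trailer) required by the cipher
    icv: int    # integrity check value bytes appended after the trailer

# Assumed cipher suites, not taken from the thread.
AES_CBC_SHA256 = EspProfile("aes-cbc/hmac-sha256-128", iv=16, block=16, icv=16)
AES_GCM_16 = EspProfile("aes-gcm-16", iv=8, block=4, icv=16)

IPV4_HDR = 20    # outer (and GRE delivery) IPv4 header, no options
GRE_HDR = 4      # RFC 2784 base header, no key/sequence fields
MPLS_LABEL = 4   # one label stack entry (RFC 3032)
ESP_HDR = 8      # SPI + sequence number (RFC 4303)

def esp_tunnel_size(inner_len: int, prof: EspProfile) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + 2                      # pad-length + next-header trailer
    padded = body + (-body % prof.block)      # cipher block alignment padding
    return IPV4_HDR + ESP_HDR + prof.iv + padded + prof.icv

def wire_size(frame_len: int, prof: EspProfile, gre: bool, mpls_labels: int) -> int:
    """WAN bytes for an inner Ethernet frame of frame_len bytes (header included).

    gre=True models Ethernet/MPLS -> GRE -> IPsec, the stack the answer
    describes; gre=False is ESP carrying the payload directly, which only
    works when that payload is IP.
    """
    inner = frame_len + MPLS_LABEL * mpls_labels
    if gre:
        inner += IPV4_HDR + GRE_HDR           # the extra 24 bytes from the answer
    return esp_tunnel_size(inner, prof)

def max_inner_frame(path_mtu: int, prof: EspProfile, gre: bool, mpls_labels: int) -> int:
    """Largest inner Ethernet frame that fits path_mtu without fragmentation."""
    size = path_mtu
    while wire_size(size, prof, gre, mpls_labels) > path_mtu:
        size -= 1
    return size

if __name__ == "__main__":
    for prof in (AES_CBC_SHA256, AES_GCM_16):
        fits = max_inner_frame(1500, prof, gre=True, mpls_labels=1)
        print(f"{prof.name:26s} max inner frame over 1500-byte path: {fits} bytes")
```

Anything larger than the reported frame size will be fragmented on the WAN or dropped, which is one reason the answer warns that L2 extension over a network you do not control needs care.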