Which IPsec configuration mode is used for implementing GRE-over-IPsec VPNs?

Prepare for the Fortinet NSE 4 Certification Exam with quizzes covering essential topics. Enhance your knowledge of Fortinet's security products and solutions to ensure exam success. Boost your confidence with detailed questions and answers!

Route-based configuration mode is essential for implementing GRE-over-IPsec VPNs because of how GRE (Generic Routing Encapsulation) tunnels operate. In a route-based setup, a virtual tunnel interface (VTI) is created, which allows GRE packets to be encapsulated and routed through the IPsec tunnel. This mode supports dynamic routing protocols and can carry multiple traffic types through the same tunnel interface.

Route-based configurations are more flexible and support complex networking scenarios, including multipoint-to-multipoint or hub-and-spoke topologies, which are common where GRE tunneling is required. Because GRE adds its own header to packets, standard policy-based VPNs, which rely on specific traffic to trigger the tunnel, would not work effectively where GRE encapsulation is needed.

In contrast, policy-based configurations define specific policies that match traffic for encryption. This can be limiting given the dynamic nature of GRE tunnels, which makes route-based configuration the preferred choice for implementing GRE-over-IPsec VPNs.
