Unanswered Question

Hello all! I have a strange problem while trying to put IPSEC in GRE.

[IPSEC-PIX]---[GW]---[cisco 851]: IPSEC is between the PIX and the 851, GRE is between the GW and the 851. Now I am trying to put all IPSEC in GRE. I created the tunnel and set the following settings on the 851:

    ip route tun0
    inter fast4
     crypto map IPSEC

I can ping the remote end of the GRE tunnel and the remote end of the IPSEC tunnel, BUT no IPSEC session is created (the access-list is right). What should I do? )

sundar.palaniappan Fri, 03/23/2007 - 16:18

Did you check your IKE parameters and IPSEC transform set to see if they match? If you are still having issues, can you post the configuration of both devices?



Danilo Dy Sun, 03/25/2007 - 05:45

Can you post your config and the "show ver" output?

For a while, turn off the don't defragment bit with a route-map or using the crypto command 'crypto ipsec df-bit clear'.

Thanks, guys!

My config:


    inter tunn0
     ip address
     tunnel src fast4
     tunnel dest
     tunnel mode ipip

    inter fast4
     ip address dhcp client-id fast4
     ip mtu 1492
     ip route-cache flow
     crypto map MAP

On the PIX, the peer address for IPSEC is the address of fast4, not the tunnel.

Important: GRE is between the 851 and the ISP router, not between the 851 and the PIX.

koontzuap Sat, 03/24/2007 - 17:04

Without seeing your configs it is hard to troubleshoot. Perhaps the config snippets of GRE over IPSEC that I have provided below will help. This config was used on an ISR router connecting to another ISR router. It will work for a router to PIX or VPN3K as well. If using a PIX or VPN3K you will need a router behind it to anchor the GRE tunnel. Also, with the GRE & IPSEC overhead, you may need to adjust the MTU on the Tunnel interface. I found that adjusting the MTU to 1400 and the MSS to 1360 works the best.


    interface Loopback0
     description *** Loopback 0 ***
     ip address X.X.X.X

    interface Loopback2
     description *** Anchor for GRE Tunnels ***
     ip address X.X.X.X

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key address

    crypto ipsec transform-set secure esp-3des esp-md5-hmac

    crypto map IOSVPN 105 ipsec-isakmp
     description *** Crypto Map to ?????? ***
     set peer
     set transform-set secure
     match address 105

    interface Tunnel105
     description *** GRE Tunnel to ????? ***
     bandwidth 1024
     ip address X.X.X.X
     ip mtu 1400
     ip route-cache flow
     ip tcp adjust-mss 1360
     keepalive 3 3
     tunnel source
     tunnel destination

    interface FastEthernet0/0
     description *** Public Interface ***
     ip address X.X.X.X 255.255.255.X
     crypto map IOSVPN

    router eigrp 100
     passive-interface FastEthernet0/0
     network X.X.0.0
     no auto-summary
     eigrp stub connected summary

    ip route X.X.X.X ISP Next Hop name ?-GRE (Route to far-end Lo2)
    ip route ISP Next Hop name ?? (Route to far end VPN)

    access-list 105 remark --- loopback 2 for GRE Tunnel ---
    access-list 105 permit gre host host
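
Added example, not part of any post in this thread: the per-packet overhead behind the "ip mtu 1400" / "ip tcp adjust-mss 1360" suggestion, worked out for the posted transform set (esp-3des esp-md5-hmac) with ESP in tunnel mode. The header sizes assume IPv4 without options and a plain 4-byte GRE header; the function names are illustrative.

```python
# Added example: on-wire size of a GRE packet protected by ESP in tunnel mode.
# Assumptions: IPv4 without options, GRE without key/sequence/checksum fields.

IP_HDR = 20          # IPv4 header, no options
GRE_HDR = 4          # basic GRE header
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
TCP_HDR = 20         # TCP header, no options

# Values for the transform set in the post: esp-3des esp-md5-hmac
BLOCK = 8            # 3DES-CBC block size
IV = 8               # 3DES-CBC IV carried in every packet
ICV = 12             # HMAC-MD5-96 truncated authenticator


def esp_tunnel_size(inner_len, block=BLOCK, iv=IV, icv=ICV):
    """Size of the outer IP packet after ESP tunnel-mode encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block      # round up to the cipher block size
    return IP_HDR + ESP_HDR + iv + padded + icv


def gre_over_ipsec_size(tunnel_ip_mtu):
    """On-wire size of a full-size tunnel packet: payload -> GRE -> ESP."""
    gre_packet = tunnel_ip_mtu + GRE_HDR + IP_HDR
    return esp_tunnel_size(gre_packet)


def max_tunnel_ip_mtu(link_mtu):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits the link MTU."""
    mtu = link_mtu
    while gre_over_ipsec_size(mtu) > link_mtu:
        mtu -= 1
    return mtu


def mss_for(tunnel_ip_mtu):
    """TCP MSS that fills, but does not exceed, the tunnel ip mtu."""
    return tunnel_ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for link in (1500, 1492):     # Ethernet, and the 'ip mtu 1492' posted for fast4
        wire = gre_over_ipsec_size(1400)
        print(f"link {link}: tunnel mtu 1400 -> {wire} bytes on the wire, "
              f"fits={wire <= link}, max tunnel mtu={max_tunnel_ip_mtu(link)}")
    print("MSS for ip mtu 1400:", mss_for(1400))
```

With these assumptions a 1400-byte tunnel packet leaves the router as 1480 bytes, so it avoids fragmentation on both a 1500-byte link and the 1492-byte interface MTU posted earlier in the thread.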

