1841 and IPSec configuration


Hi All,

I would like to connect Site A to Site B using an IPSec/GRE tunnel. I came up with a template to use and am wondering if my sample configuration will work.

Thanks in advance,


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <key> address <public interface ip>
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
!
crypto map ENCRYPT 10 ipsec-isakmp
 description VPN to BIS
 set peer <public interface ip>
 set transform-set ESP_SHA
 set pfs group2
 match address GRE_TUNNEL0
!
interface Tunnel0
 description Tunnel to
 ip address <private interface ip>
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source Loopback1
 tunnel destination <remote loopback ip>
!
interface Null0
 no ip unreachables
!
interface Loopback1
 description GRE endpoint
 ip address <private interface ip>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! public-facing interface
interface fa-x/x
 ip address <public interface ip>
 no cdp enable
 crypto map ENCRYPT
!
ip classless
ip route (Internet Next-Hop) 254
ip route <LAN IP> Null0 254
ip route <local loopback> (Internet Next-Hop)
ip route <remote-public-interface> (Internet Next-Hop)
!
no ip http server
!
! crypto ACL: local GRE endpoint as source, remote endpoint as destination
! (the peer's crypto ACL must be the mirror image of this one)
ip access-list extended GRE_TUNNEL0
 permit ip host <local-loopback> host <remote loopback>

spremkumar Mon, 05/28/2007 - 20:00


You have created a GRE as well as an IPSec tunnel, but through which tunnel are you going to pass the traffic out to the remote location?

Also, the routes which you have defined for the internet next hop and LAN IP with some admin distance are not required.

Instead you need to have a static route pointing via the fa x/x followed by the default IP/gateway provided by your ISP, and a backup route pointing towards your GRE tunnel.


jaffer_sathik2010 Tue, 05/29/2007 - 04:47


It is a better idea to keep the tunnel source loopback having a public IP to ensure that it is reachable from the tunnel destination.
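The two replies above come down to consistency checks between the two sites: the tunnel endpoints must be reachable public addresses, the crypto ACLs must be mirror images, and some route must actually send LAN traffic into the GRE tunnel. The following is an added example (not from the thread or from Cisco) that parses two constructed IOS fragments with assumed addresses and reports those problems; only RFC 1918 space is treated as non-routable, and only `permit <proto> host X host Y` ACL entries and `ip route` lines are parsed.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed Site A fragment with assumed addresses (not the poster's); Site B is its mirror image.
SITE_A = """
interface Loopback1
 ip address 203.0.113.1 255.255.255.255
interface Tunnel0
 tunnel source Loopback1
 tunnel destination 203.0.113.2
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip access-list extended GRE_TUNNEL0
 permit gre host 203.0.113.1 host 203.0.113.2
"""
SITE_B = (SITE_A.replace("203.0.113.1", "@").replace("203.0.113.2", "203.0.113.1")
          .replace("@", "203.0.113.2").replace("10.2.0.0", "10.1.0.0"))
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_site(cfg):
    """Collect interface addresses, tunnel endpoints, crypto ACL entries and routes from an IOS fragment."""
    site, iface = {"addr": {}, "acl": [], "routes": []}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            site["addr"][iface] = m.group(1)
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            site[m.group(1)] = m.group(2)
        elif m := re.match(r"permit (\S+) host (\S+) host (\S+)", line):
            site["acl"].append(m.groups())
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            site["routes"].append(m.groups())
    # "tunnel source" may name an interface; resolve it to that interface's address
    site["source"] = site["addr"].get(site["source"], site["source"])
    return site

def check_pair(a, b):
    """Return the problems found between the two sides; an empty list means they are consistent."""
    problems = []
    if (a["source"], a["destination"]) != (b["destination"], b["source"]):
        problems.append("tunnel source/destination do not match between the sites")
    for name, site in (("A", a), ("B", b)):
        if any(ip_address(site["source"]) in net for net in RFC1918):
            problems.append(f"site {name}: tunnel source is RFC 1918, the peer cannot reach it")
        if not any(r[2] == "Tunnel0" for r in site["routes"]):
            problems.append(f"site {name}: no route sends LAN traffic into Tunnel0")
    # the crypto ACL at B must be the mirror image (source/destination swapped) of the one at A
    mirrored = {(proto, dst, src) for proto, src, dst in b["acl"]}
    problems += [f"crypto ACL entry {e} at A has no mirror image at B" for e in a["acl"] if e not in mirrored]
    return problems
```

`check_pair(parse_site(SITE_A), parse_site(SITE_B))` returns an empty list for the constructed pair; feeding it the original template's private loopbacks or a reversed ACL produces one finding per mistake.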


Hi All,

I'm trying to get the IPSec tunnel up and running but am running into some trouble.

The far end device is a Netscreen 5GT.

This is the error message I'm getting:

000035: Jun 1 17:00:31.369 PCTime: No peer struct to get peer description

000036: Jun 1 17:00:31.373 PCTime: No peer struct to get peer description

Any help would be appreciated.

