I have 3 routers (2 x 2811, 1 x 1841 all with hardware encryption) on 12.4(17) code. Customer was using GRE tunnels inside IPSec tunnels (using crypto maps) for the purpose of enabling dynamic routing between the sites. The DR router was moved to a new location with a different Internet IP address. Since then we have had issues with the IPSec tunnels (which makes me suspect there were issues before, even though the customer claims it was working ok). IOS code was 12.4(4)T, we have upgraded due to the issues we had. Also configured PSK instead of certs to eliminate that as an issue. Will go back to using certs once we get it all working.
Now HO to DR and HO to MSt works fine. DR to MSt is a one way tunnel. Traffic from MSt is never received on the DR router. "Sh crypto ipsec sa" on the MSt router shows packets being encrypted and decrypted. On the DR router it only shows packets being encrypted, but zero packets being decrypted.
All services are DSL. On HO and MSt the DSL service is terminated on the router. At DR it is terminated on an ISP device and connected to the DR router via ethernet.
I reconfigured DR and MSt routers to use a GRE tunnel with the 'tunnel protection ipsec profile' feature and we have the same issue. The GRE tunnel works fine unencrypted, but is only one way when encrypted.
I have tried disabling NAT and access lists, though with these enabled the GRE tunnel works ok unencrypted. I have also tried disabling the hardware encryption.
I have done a lot of IOS IPSec work and never been unable to get things working so this one has me stumped.
Any suggestions would be appreciated.