GRE Tunnel doesn't work after protecting with IPSec

Nov 3rd, 2008

Hi all!

I have a problem that has been puzzling me for a long time now. I have an 800 series router connected to the Internet through ADSL. This line is used as a backup link from our main office to our data center. To accomplish this in a secure and transparent way I built a GRE tunnel between the 800 and the edge router in the DC, with the intention of protecting it with IPSec.

So the tunnel is up and I can connect to every device and server in the DC from the office, but the moment I put the protection on the tunnel, I can only reach the border router and not any other downstream device anymore.

A diagram to illustrate:

GRE w/o IPSec

(Office):870:Tu0---->GRE through Internet----->Tu0:BorderRouter----->DistributionL3switch---->Servers; It works all the path long

GRE w IPSec (using tunnel protection ipsec)

(Office):870:Tu0---->GRE through Internet----->BorderRouter--X-->DistributionL3switch---->Servers; It works up to the border router interfaces, but I get no responses from downstream devices. If I test upstream from the servers, I can only reach the L3 switch interfaces, but no further.

I've checked configs, routing, changed to crypto maps... Nothing. Any idea?

Thanks in advance

dhananjoy chowdhury Mon, 11/03/2008 - 04:01
Please post the sanitized configs of both sides.

Also, I would suggest checking the addresses and subnet masks in your crypto ACL.

laloperez Mon, 11/03/2008 - 05:09

Here they are. Of course, there's much more in the configs, so I just post what I consider the relevant parts. As you can see, I'm not using crypto ACL, just protecting the tunnel directly with tunnel protection ipsec.

As I said, the tunnel is perfectly working without the IPSec protection.

dhananjoy chowdhury Mon, 11/03/2008 - 06:56

Your config seems ok.

Try switching to "mode tunnel" on both sides, instead of "mode transport".

One more thing: when you try to ping the servers in the DC, do you see packets getting encrypted / decrypted?

laloperez Mon, 11/03/2008 - 07:04

I've already tried mode tunnel, without success. How can I verify whether packets are encrypted/decrypted? sh crypto ipsec sa?

Thank you.

laloperez Mon, 11/03/2008 - 07:39

I've done it. I can see things like the output attached to this post. It seems the counters increase according to the traffic sent. But I discovered one thing I don't know if it's important at all: on one side the path MTU is 1400, while on the other side it is 1500. Might I have a fragmentation problem here?

dhananjoy chowdhury Mon, 11/03/2008 - 09:31

Yes, set the MTU to 1416 on the tunnel interfaces on both sides.

interface Tunnel0
 ip mtu 1416

And also use tunnel mode instead of transport mode.
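
A worked overhead calculation, added here and not posted by anyone in this thread, showing why the tunnel ip mtu matters once IPsec is stacked on GRE and how mode transport versus mode tunnel changes the answer. It assumes IPv4, GRE without key/sequence fields, ESP with a 96-bit HMAC ICV and a CBC cipher (block size 8 for 3DES, 16 for AES); the thread never states the transform set, so those are assumptions.

```python
import math

# Sizes for IPv4 GRE over ESP. Cipher block size and ICV length are
# assumptions (the thread never states the transform set).
IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # GRE header without key/sequence fields
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_overhead(payload_len, block_size, icv_len):
    """Total ESP size around payload_len: header, IV, padded payload, trailer, ICV."""
    # ESP pads so that payload + trailer is a whole number of cipher blocks.
    padded = math.ceil((payload_len + ESP_TRAILER) / block_size) * block_size
    return ESP_HDR + block_size + padded + icv_len   # the IV is one cipher block


def outer_packet_size(inner_len, mode, block_size=16, icv_len=12):
    """Bytes on the wire for an inner IP packet of inner_len sent over GRE + IPsec.

    mode='transport': ESP protects the GRE header + inner packet and reuses the
    GRE delivery IP header as the outer header.
    mode='tunnel': ESP wraps the whole GRE packet, delivery IP header included,
    and adds a brand new outer IP header.
    """
    gre_packet = GRE_HDR + inner_len
    if mode == "transport":
        return IP_HDR + esp_overhead(gre_packet, block_size, icv_len)
    if mode == "tunnel":
        return IP_HDR + esp_overhead(IP_HDR + gre_packet, block_size, icv_len)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def max_inner_mtu(link_mtu, mode, block_size=16, icv_len=12):
    """Largest tunnel 'ip mtu' whose packets still fit link_mtu without fragmenting."""
    for inner in range(link_mtu, 0, -1):
        if outer_packet_size(inner, mode, block_size, icv_len) <= link_mtu:
            return inner
    return 0


if __name__ == "__main__":
    # Check the 1416 value suggested above against a 1500-byte physical MTU.
    for mode, block in (("transport", 16), ("tunnel", 8), ("tunnel", 16)):
        size = outer_packet_size(1416, mode, block)
        verdict = "fits" if size <= 1500 else "FRAGMENTS"
        print(f"ip mtu 1416, {mode}, block {block}: {size} bytes on the wire, {verdict}; "
              f"largest safe ip mtu = {max_inner_mtu(1500, mode, block)}")
```

Under the tunnel-mode AES assumption a 1416-byte inner packet already exceeds 1500 bytes on the wire, so the safe value depends on the transform set and ESP mode, not only on the GRE header.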

laloperez Mon, 11/03/2008 - 09:48

Done, but I can't connect anyway. What I don't understand is that sh crypto ipsec sa says that on the border router the tunnel MTU remains 1500, even after shutting down and bringing up the tunnel interface. The 870 router shows the proper 1416 MTU on the tunnel interface after shutting it down and bringing it up. I cleared the crypto sa and se as well.

By the way, the border router is a 7604 with a Sup7203BXL, IOS 12.2(18)SXF11.

laloperez Tue, 11/04/2008 - 00:23

Yes, I did, but nothing changes. I'm very confused by this situation. It can't be a routing issue, because without IPSec everything works. It can't be an ACL issue, because (I think) all the relevant ACL entries are in place, for IPSec as well as GRE and the tunnel peers.

Daniel Laden Sun, 11/09/2008 - 11:32

I recall running into a very similar issue. For me it was resolved by running 'clear local-host' on the ASA. It had something to do with the GRE tunnel already being in the ASA connection table.

laloperez Mon, 11/10/2008 - 04:15

Thank you for the info, but unfortunately I'm not using an ASA; just two routers, one 870 and one 7600.

laloperez Tue, 11/11/2008 - 01:58

Well, I think the 7600 has some limited VPN capabilities without the VPN SPA. I can't use the mode ipsec in the tunnel. It can do ipip, AppleTalk, ipv6ip, eon and mpls, but no ipsec.

I need a simple VPN between my office and the Central site, and buying a full VPN SPA just for that seems a bit excessive for me.

laloperez Mon, 11/17/2008 - 07:46

Well, finally I've got an answer from myself :) Diving into the Cisco docs about IOS 12.2(18)SXF11, I've found that IPsec crypto commands run in software on a 7600 unless it is fitted with a VPN hardware services module. Worse, those commands only work for administrative traffic destined to the router itself; it is not routed any further.

So, the only remaining options are buying a VPN card (too expensive for just one session), or getting rid of the IPSec on the GRE tunnel and trusting the security of SSH and HTTPS.

All in all, thank you to everyone who tried to help.
