IPSec in GRE

Apr 6th, 2010

Alright, I've been banging my head against the wall trying to figure this out.

When configuring the IPsec ISAKMP peers, why do I need to use the IP addresses of the peers' physical interfaces instead of the IP address of the peer's GRE tunnel?

For example:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet

interface Tunnel0
 ip address
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

For the ISAKMP peer, I'm using the physical interface address of the destination router. Why?

Huge thanks in advance.

Jennifer Halim (Cisco Employee) Tue, 04/06/2010 - 16:30

A tunnel interface is a virtual interface, and IPsec is on top of the GRE tunnel, i.e. the GRE tunnel is encapsulated inside the IPsec tunnel; therefore you would need to set the physical IP address as the peer address.
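To make that layering concrete, here is an added example (written for this thread; it is not Cisco code and not from either poster) that builds a GRE-over-IPsec packet byte by byte in ESP transport mode, the mode named in the transform set above, and then parses it twice: once the way any hop on the path, or an IKE peer before the SA exists, sees it (outer header and SPI only), and once after ESP decapsulation with the SA key. The addresses, SPI and key are constructed placeholders, and the HMAC-derived XOR keystream stands in for the transform set's 3DES-CBC and must not be mistaken for a real cipher. What it shows is that the only addresses present in the outer header, which is all that IKE and the ESP SA can be keyed on, are the tunnel source and destination (physical) addresses; the Tunnel0 addresses exist only inside the encrypted payload, so `isakmp_peer_for()` can return nothing other than the physical peer address.

```python
"""GRE over IPsec (ESP transport mode), built byte by byte.

Added illustration for the thread above; not Cisco code. Addresses, SPI and key
are constructed placeholders, and the keystream is a stand-in for 3DES-CBC."""
import hashlib
import hmac
import ipaddress
import struct

PHYS_LOCAL = "203.0.113.1"   # assumed tunnel source (physical interface)
PHYS_PEER = "198.51.100.1"   # assumed tunnel destination = ISAKMP peer address
TUN_LOCAL = "10.0.0.1"       # assumed 'ip address' on Tunnel0
TUN_PEER = "10.0.0.2"        # assumed Tunnel0 address of the peer
SA_KEY = b"constructed-demo-sa-key-not-real"
SPI = 0xC0DE
PROTO_ESP, PROTO_GRE, PROTO_OSPF = 50, 47, 89
ICV_LEN = 12  # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, DF set, TTL 64)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_length) from the packet's leading IPv4 header."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, (ver_ihl & 0x0F) * 4)


def _keystream(key, spi, seq, n):
    """PRF-derived XOR stream keyed on SA key, SPI and sequence number.
    Illustrative stand-in for the transform set's 3DES-CBC; not for deployment."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
    return out[:n]


def esp_encapsulate(spi, seq, key, next_header, plaintext):
    """ESP: SPI | seq | encrypted(payload | padding | pad-len | next-header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, spi, seq, len(body))))
    esp = struct.pack("!II", spi, seq) + ct
    return esp + hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]


def esp_decapsulate(key, esp):
    """Verify the ICV, then strip ESP; returns (next_header, payload)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pt = bytes(a ^ b for a, b in zip(body[8:], _keystream(key, spi, seq, len(body) - 8)))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]


def build_gre_over_ipsec(seq=1, routing_update=b"OSPF-HELLO"):
    """On the wire: outer IP (physical addrs) | ESP | [GRE | inner IP (tunnel addrs) | data].
    Transport mode keeps the GRE delivery header as the outer header and inserts ESP after it."""
    inner = ipv4_header(TUN_LOCAL, TUN_PEER, PROTO_OSPF, len(routing_update)) + routing_update
    gre = struct.pack("!HH", 0, 0x0800) + inner          # GRE: no flags, protocol = IPv4
    esp = esp_encapsulate(SPI, seq, SA_KEY, PROTO_GRE, gre)
    return ipv4_header(PHYS_LOCAL, PHYS_PEER, PROTO_ESP, len(esp)) + esp


def outer_view(wire):
    """What any hop (or an IKE peer before the SA exists) can see: outer header and SPI."""
    src, dst, proto, ihl = parse_ipv4(wire)
    view = {"src": src, "dst": dst, "proto": proto}
    if proto == PROTO_ESP:
        view["spi"] = struct.unpack("!I", wire[ihl:ihl + 4])[0]
    return view


def inner_view(wire, key):
    """What the IPsec peer recovers with the SA key: GRE and the Tunnel0 addresses."""
    _, _, _, ihl = parse_ipv4(wire)
    next_header, gre = esp_decapsulate(key, wire[ihl:])
    if next_header != PROTO_GRE:
        raise ValueError("unexpected ESP next header %d" % next_header)
    inner = gre[4:]
    src, dst, proto, inner_ihl = parse_ipv4(inner)
    return {"src": src, "dst": dst, "proto": proto, "payload": inner[inner_ihl:]}


def icv_valid(wire, key):
    """True if the ESP ICV verifies under this key (wrong key or tampering -> False)."""
    try:
        inner_view(wire, key)
        return True
    except ValueError:
        return False


def isakmp_peer_for(wire):
    """The address IKE negotiates with, i.e. the 'crypto isakmp key ... address'
    operand: the outer destination, which is the peer's physical interface."""
    return outer_view(wire)["dst"]


if __name__ == "__main__":
    pkt = build_gre_over_ipsec()
    print("on the wire :", outer_view(pkt))
    print("after IPsec :", inner_view(pkt, SA_KEY))
    print("ISAKMP peer :", isakmp_peer_for(pkt))
```

Run it and compare the two views: the outer one carries 203.0.113.1 and 198.51.100.1 plus an SPI, and nothing else; the 10.0.0.x addresses appear only after `esp_decapsulate()` succeeds with the SA key. In ESP tunnel mode the outer header is a freshly built one rather than the GRE delivery header, but it carries the same physical addresses, so the conclusion about the ISAKMP peer address is unchanged.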

Leo Laohoo Tue, 04/06/2010 - 16:37

It boils down to the age-old question:  Which comes first, the chicken or the egg?

In IPsec using VTI, the three phases of IPsec come first. Once they've agreed on the security principle, the tunnel follows next, followed by your routing protocols. Once these are agreed, data traffic starts to traverse the network.

Does this help?

bubblegumnex Tue, 04/06/2010 - 16:42

A little. Because when sent through the tunnel via transport mode, the payload doesn't have an IPsec IP header (at least I think so; I'll have to check my notes) and just the payload is encrypted down the GRE tunnel. I'm also assuming that it's the crypto ACL that defines which interesting traffic is encrypted through IPsec and thus the GRE tunnel.
