GRE over IPSEC

saimbt · ‎01-03-2007

We are running GRE over IPSEC between location A and B. It has been observed that after some time the tunnels go in a hang state and the traffic does not pass through these tunnels.

It has been observed that the tunnels at this time are shown up. After rebooting the router; tunnels come out of a hang state and traffic continues to flow. Reinitialization of tunnel is of no help.

The routers in question is Cisco 3825 with location A c3825-advsecurityk9-mz.124-3e.bin IOS and location B c3825-advsecurityk9-mz.124-3d.bin

lxcollin1 · ‎01-04-2007

You can try setting a keepalive on the tunnel interface. I have seen a similar problem on VTI interfaces.

srdjanluzajic · ‎02-05-2007

It sounds like a problem we had on several VPN tunnels. The solution for us was to add

ip mtu 1400

ip tcp adjust-mss 1360

to the tunnel interface.

Danilo Dy · ‎02-05-2007

I never experienced this with my configuration which I use internet as primary link using IP GRE over IPSEC and MPLS as backup link using IP GRE over IPSEC.

The important configuration for IP GRE interface are;

ip mtu 1500 << don't make this lower than 1500 else you will have DF problem.

keepalive 5 4 << this is important in floating static route configuration.

However I do experienced a lot of problem with IPSEC alone without IP GRE.

The important things to take note in IPSEC are;

- RouterA and RouterB configurations should be symmetric.

- RouterA and RouterB should have the same IOS version up to the "letter".