Cannot establish LAN-to-LAN IPSec/GRE tunnel - Added GRE to existing IPSec tunnel


Wed, 07/22/2009 - 19:35
Jun 18th, 2009

Core issue

No crypto debugs appear when trying to initiate the tunnel. IPSec worked before adding generic routing encapsulation (GRE) to the configuration.


To add GRE to a working IPSec configuration, follow these steps.

  1. Remove the crypto map from the interface.
  2. Create the tunnel interfaces.

    interface tunnel tunnel_number
    ip address private_ip subnet_mask
    tunnel source outside_interface_name
    tunnel destination peer_address

  3. Modify the crypto access list as shown below.

    access-list acl_name permit gre host tunnel_source_ip host peer_address

  4. Use a routing protocol or configure a static route for the remote LAN with the next hop pointing to the tunnel interface.
  5. Reapply the crypto map to the physical interface and the tunnel interface.
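
A worked pass through the five steps on one router, added here as an illustration and not taken from the original document or from Cisco's sample configuration. The interface name, crypto map name (VPNMAP), ACL number (110) and all addresses are constructed assumptions, and an existing crypto map entry that already references the ACL with `match address 110` is assumed.

```cisco
! Constructed example values (assumptions, not from the original document):
!   outside interface  FastEthernet0/0, address 192.0.2.1
!   peer address       198.51.100.1
!   tunnel subnet      10.255.0.0/30
!   local LAN          192.168.1.0/24, remote LAN 192.168.2.0/24
!
! Step 1: remove the crypto map from the interface
interface FastEthernet0/0
 no crypto map VPNMAP
!
! Step 2: create the tunnel interface
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
! Step 3: modify the crypto access list
! Before (LAN-to-LAN match used by the plain IPSec tunnel):
!   access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! After: traffic routed into Tunnel0 leaves the router as GRE between the
! tunnel endpoints, so the crypto ACL has to match that GRE flow.
no access-list 110
access-list 110 permit gre host 192.0.2.1 host 198.51.100.1
!
! Step 4: static route for the remote LAN through the tunnel interface
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Step 5: reapply the crypto map to the physical and tunnel interfaces
interface FastEthernet0/0
 crypto map VPNMAP
!
interface Tunnel0
 crypto map VPNMAP
```

The peer router needs the mirror-image ACL entry, with its own tunnel source address first. After step 5, `show crypto ipsec sa` should show the encaps and decaps counters increasing as traffic crosses the tunnel.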

For more information, including a sample configuration, see Configuring Router-to-Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT.
