Cannot establish LAN-to-LAN IPSec/GRE tunnel - Added GRE to existing IPSec tunnel


Wed, 07/22/2009 - 19:35
Jun 18th, 2009

Core issue

No crypto debugs appear when trying to initiate the tunnel. IPSec worked before adding generic routing encapsulation (GRE) to the configuration.

Resolution

To add GRE to a working IPSec configuration, follow these steps.

  1. Remove the crypto map from the interface.
  2. Create the tunnel interfaces.

    interface tunnel tunnel_number
     ip address private_ip subnet_mask
     tunnel source outside_interface_name
     tunnel destination peer_address

  3. Modify the crypto access list as shown below.

    access-list acl_name permit gre host tunnel_source_ip host peer_address

  4. Use a routing protocol, or configure a static route for the remote LAN with the next hop pointing to the tunnel interface.
  5. Reapply the crypto map to the physical interface and the tunnel interface.

For more information, including a sample configuration, see Configuring Router-to-Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT.

Cisco IOS Software Version: 12.2, 12.0, 12.1

VPN Tunnel End Points: Router
