I have set up a VPN with IOS routers using GRE tunnels over IPSec. It seems to be working, but I am very surprised that
1) incoming on the Internet interface I can see a few GRE packets as well as many IPSec packets
2) outgoing on the Internet interface I can see only GRE packets (no IPSec).
Previously I had expected to see only IPSec packets on the Internet interface (because GRE is encapsulated within IPSec). But I remember that every packet is evaluated twice by access-lists on interfaces with applied crypto maps (once before en- or de-cryption and once after). So in that case I expect to see equally GRE and IPSec packets.
Please have a look at the attached configuration fragment of my central router (of course with changed IP addresses). Am I doing something wrong, or is the behaviour I've noticed absolutely normal?
My reply might not be a complete answer for your question.
Cisco has come up with Security Device Manager aka SDM, a GUI tool in access routers for configuring Security features like VPN, Firewall. You can take a look at it. It will help you in generating the correct GREoIPSec configuration that you need.
Your configuration is alright. The only thing that is missing in the above config is the "ip route ..." command which says to use the tunnel interface as the default route. Hope that's there in your configs.
In my lab setup with back-to-back connected peers, I see only IPSec packets going out and coming in through the tunnel. This I feel is the normal behavior. Did you check whether the GRE and IPSec packets incoming on your Internet interface are from the same peer or not? It could be that plain GRE packets might be coming to your internet interface. Let us know.
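The check suggested in the reply above (are the plain GRE packets coming from the same peer as the IPSec packets?) can be done on a wire capture taken outside the router, e.g. on a SPAN port or the upstream device. The following is an added example, not code from the thread or from Cisco: it parses raw IPv4 packets, counts GRE (protocol 47), ESP (50) and AH (51) per direction and remote address, and flags plaintext GRE exchanged with an address that is supposed to be an IPsec peer. The local address, peer address, third-party source and the packets themselves are all constructed for the demo.

```python
import struct
from collections import Counter

# IPv4 protocol numbers for the encapsulations discussed in the thread
PROTO_GRE = 47
PROTO_ESP = 50
PROTO_AH = 51
PROTO_NAMES = {PROTO_GRE: "GRE", PROTO_ESP: "ESP", PROTO_AH: "AH"}


def build_ipv4(src, dst, proto, payload_len=40):
    """Build a minimal IPv4 header (IHL 5, no options) plus a zero payload.
    Used only to construct sample packets; a real capture would supply these."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )
    return header + b"\x00" * payload_len


def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, proto


def classify(packets, local_ip, peers):
    """Count GRE/ESP/AH packets per (direction, protocol, remote address) and
    report plaintext GRE seen on the wire with an address listed as an IPsec peer."""
    counts = Counter()
    findings = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if proto not in PROTO_NAMES:
            continue
        if dst == local_ip:
            direction, remote = "in", src
        elif src == local_ip:
            direction, remote = "out", dst
        else:
            direction, remote = "transit", src
        counts[(direction, PROTO_NAMES[proto], remote)] += 1
        # GRE with an IPsec peer should never be visible unencrypted outside the router
        if proto == PROTO_GRE and remote in peers:
            findings.append(f"plaintext GRE {direction} with IPsec peer {remote}")
    return counts, findings


# Constructed sample capture (addresses are documentation ranges, not real hosts)
LOCAL = "198.51.100.1"      # hypothetical Internet interface of the central router
PEER = "203.0.113.2"        # hypothetical IPsec peer
OTHER = "192.0.2.9"         # hypothetical third party sending plain GRE
SAMPLE_PACKETS = (
    [build_ipv4(PEER, LOCAL, PROTO_ESP)] * 3      # encrypted tunnel traffic inbound
    + [build_ipv4(LOCAL, PEER, PROTO_ESP)] * 2    # encrypted tunnel traffic outbound
    + [build_ipv4(OTHER, LOCAL, PROTO_GRE)]       # plain GRE from an unrelated source
    + [build_ipv4(LOCAL, PEER, PROTO_GRE)]        # plaintext GRE to the peer: not encrypted
)


def demo():
    """Run the classifier over the constructed capture."""
    return classify(SAMPLE_PACKETS, LOCAL, {PEER})


if __name__ == "__main__":
    counts, findings = demo()
    for key, n in sorted(counts.items()):
        print(f"{key[0]:>7} {key[1]:<3} {key[2]:<15} {n}")
    for f in findings:
        print("FINDING:", f)
```

If the unencrypted GRE seen on the wire comes from a different source than the ESP peer, it is simply other traffic arriving at the interface; if it is exchanged with the IPsec peer itself, the crypto map is not matching that tunnel traffic and the GRE payload is crossing the Internet in the clear.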