Cisco Support Community
VRF, GRE and IPSec together

We manage the WAN for several customers. The branch offices are connected through a non-secure network with GRE tunnels. The GRE tunnels are protected with IPSec. The tunnels are terminated on a Cisco 7206 VXR.

Now I have to integrate a firewall between the branch offices and corporate resources. The corporate resources are used by all customers. I have to install one firewall per customer.

I am trying to use VRF-lite (Multi-VRF) on the 7206 to separate each customer into a VRF instance and forward the branch offices' flows to the right firewall.

With VRF-lite configured, the GRE tunnels go down when I add IPSec. But GRE and VRF work fine without IPSec, and GRE and IPSec work fine without VRF.

Has anybody successfully used VRF-lite, GRE and IPSec together?

Thanks for your help.


! ### Cisco 7206 VXR Configuration Summary ###


ip vrf bc1
 rd 1:1

crypto isakmp policy 10
 encr 3des
 group 5
 lifetime 14400
crypto isakmp keepalive 15

crypto ipsec transform-set uni_set esp-3des esp-sha-hmac
 mode transport

crypto map unicible_lab 10 ipsec-isakmp
 set peer
 set transform-set uni_set
 match address gre_unicible_lab

interface Loopback2
 ip vrf forwarding bc1
 ip address

interface Tunnel201
 bandwidth 2048
 ip vrf forwarding bc1
 ip unnumbered Loopback2
 ip mtu 1420
 keepalive 2 3
 tunnel source GigabitEthernet0/2.2
 tunnel destination
 tunnel vrf bc1
 crypto map unicible_lab

interface GigabitEthernet0/2.2
 encapsulation dot1Q 601
 ip vrf forwarding bc1
 ip address

ip route
ip route vrf bc1

ip access-list extended gre_unicible_lab
 permit gre host host
