New Member

IPSec over GRE with Cat6503 and SPA IPSec

Hi all,

I am trying to test a solution using IPSEC-SPA to encrypt traffic and put it over a tunnel interface (mode ipip or GRE).

The tunnel encapsulation should be done by the Cat65XX itself. From the documentation and from my first test results, it is not permitted to configure the crypto map under the tunnel interface as wanted.

Is there no solution for this?



Cisco Employee

Re: IPSec over GRE with Cat6503 and SPA IPSec

Sure it's possible.......

You don't need to apply the Crypto Map to the Tunnel interface.

Apply the Crypto Map to the "Inside" port (VLAN as usual) from VPN-SPA's perspective.

Connect the "Outside" port from VPN-SPA's perspective to the "Inside" port (VLAN).

Use the "Inside" port (VLAN) as the Tunnel Source.

interface vlan 1000
 description - VPNSPA Inside VLAN
 ip address
 crypto map MAP_STATIC
 crypto engine slot 1/0

interface vlan 1001
 description - VPNSPA Outside VLAN
 crypto connect vlan 1000
 crypto engine slot 1/0

interface tunnel 1000
 bandwidth 1000
 ip address
 tunnel source vlan 1000
 tunnel destination

access-list 100 permit gre host host

***This is of course assuming that the peer's Tunnel ip is 9.9.9.x/24 and its global IP is***

Also (this is for VPNSM but config is relatively the same. Note 'Switch #1, Tunnel intf #1' should read "tunnel source vlan 2")

Good Luck,
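
Added example, not part of the original reply and not Cisco tooling: a Python check that a saved running-config follows the layout described in the reply above (crypto map on the inside VLAN, `crypto connect` from the outside port, tunnel sourced from the inside VLAN, no crypto map on the tunnel). It assumes indented sub-commands as in `show running-config` output; the function names and the sample tunnel destination are constructed for illustration.

```python
import re

# Constructed sample in the reply's layout; 203.0.113.2 is a placeholder address.
GOOD = """\
interface vlan 1000
 crypto map MAP_STATIC
 crypto engine slot 1/0
interface vlan 1001
 crypto connect vlan 1000
 crypto engine slot 1/0
interface tunnel 1000
 tunnel source vlan 1000
 tunnel destination 203.0.113.2
"""

def norm(name):  # 'Vlan 1000' and 'vlan1000' compare equal
    return re.sub(r"\s+", "", name).lower()

def parse_interfaces(config):
    """Map normalised interface name -> its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(.+)", raw, re.I)
        if m:
            current = interfaces.setdefault(norm(m.group(1)), [])
        elif raw[:1].isspace() and raw.strip() and current is not None:
            current.append(raw.strip().lower())
        elif raw.strip():
            current = None  # a global command ends the interface block
    return interfaces

def arg(cmds, prefix):
    """Normalised arguments of every sub-command starting with prefix."""
    return [norm(c[len(prefix):]) for c in cmds if c.startswith(prefix)]

def check_layout(config):
    """List departures from the inside-VLAN / outside-VLAN / tunnel layout."""
    ifs, out = parse_interfaces(config), []
    inside = {n for n, c in ifs.items() if arg(c, "crypto map ")}
    connected = {t for c in ifs.values() for t in arg(c, "crypto connect ")}
    for name, cmds in ifs.items():
        if name.startswith("tunnel"):
            if name in inside:
                out.append(f"{name}: crypto map is on the tunnel interface")
            if not set(arg(cmds, "tunnel source ")) & (inside - {name}):
                out.append(f"{name}: tunnel source is not the crypto-map VLAN")
    for vlan in sorted(v for v in inside - connected if not v.startswith("tunnel")):
        out.append(f"{vlan}: no outside port has 'crypto connect' to it")
    return out
```

An empty list from `check_layout` means the config matches the layout; each string otherwise names the interface and the departure.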