Cisco Support Community

New Member

IPSec in GRE

Alright, I've been banging my head against the wall trying to figure this out.

When configuring the IPsec ISAKMP peers, why do I need to use the IP address of the peer's physical interface instead of the IP address of the peer's GRE tunnel?

For example:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet

interface Tunnel0
 ip address
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

For the ISAKMP peer, I'm using the physical interface address of the destination router. Why?

Huge thanks in advance.

Cisco Employee

Re: IPSec in GRE

The tunnel interface is a virtual interface, and IPsec is on top of the GRE tunnel, i.e. the GRE tunnel is encapsulated inside the IPsec tunnel; therefore you would need to set the physical IP address as the peer address.
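Added example, not part of the reply above or of any Cisco code: a Python sketch of the encapsulation order, assuming a GRE tunnel protected by ESP in transport mode. It builds a host-to-host packet, wraps it in GRE and then ESP, and shows that the only addresses left readable in the outermost header are the tunnel source and destination. All addresses, the SPI and the function names are constructed for the illustration.

```python
import ipaddress
import struct

# Constructed sample addresses (documentation/private ranges), not from the thread.
PHYS_A, PHYS_B = "192.0.2.1", "198.51.100.2"  # tunnel source / tunnel destination
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"     # hosts behind each router
PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50


def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 for this illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def gre_encapsulate(inner):
    """GRE adds a delivery header addressed tunnel source -> tunnel destination."""
    gre = struct.pack("!HH", 0, 0x0800) + inner  # no flags, protocol type IPv4
    return ip_header(PHYS_A, PHYS_B, PROTO_GRE, len(gre)) + gre


def esp_transport(packet, spi=0x1000, seq=1):
    """ESP transport mode: keep the existing IP addresses, protect what follows."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    # XOR is a placeholder for the negotiated cipher, not encryption;
    # ESP padding, trailer and ICV are omitted.
    opaque = bytes(b ^ 0xA5 for b in packet[20:])
    esp = struct.pack("!II", spi, seq) + opaque
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp


def visible_addresses(packet):
    """Source, destination and protocol readable from the outermost header."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])


def on_wire():
    """A host-to-host UDP packet after GRE and then ESP transport mode."""
    inner = ip_header(HOST_A, HOST_B, PROTO_UDP, 8) + bytes(8)
    return esp_transport(gre_encapsulate(inner))


if __name__ == "__main__":
    print(visible_addresses(on_wire()))
```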

Hall of Fame Super Gold

Re: IPSec in GRE

It boils down to the age-old question: Which comes first, the chicken or the egg?

In IPsec using VTI, the three phases of IPsec come first. Once they've agreed on the security principle, the tunnel follows next, followed by your routing protocols. Once these are agreed, data traffic starts to traverse the network.

Does this help?

New Member

Re: IPSec in GRE

A little. Because when set through the tunnel via transport mode, the payload doesn't have an IPsec IP header (at least I think so. I'll have to check my notes) and just the payload is encrypted down the GRE tunnel. I'm also assuming that it's the crypto ACL that defines which interesting traffic is encrypted through IPsec and thus the GRE tunnel.