Cisco Support Community
New Member

VPN on GRE tunnels causing problems...


I have set up point-to-multipoint VPN connections on routers. There are GRE tunnels on the routers. Please find in the attachment the configuration of two routers, where LHR is the hub and RYK is one of the several spokes. The problem I am facing is that once I apply the crypto map on the tunnel interfaces, encryption begins (I verified through the show crypto ipsec sa interface tunnel command), but after a few days people in my organization complain that they are unable to fetch data from the branch (RYK). As soon as I remove the crypto map commands from both ends, the problem resolves. But let me add that I don't see any problem while I ping from the LAN of both routers (meaning end-to-end ping). Even DameWare sessions cause no problem. Please, if anyone can help to resolve this issue.

Also, I want to know: does extra load on the links cause problems for encryption, or do I have to check the hardware for the said problem, like router RAM? Thanks.


Re: VPN on GRE tunnels causing problems...


try and configure:

ip tcp adjust-mss 1436

on your tunnel interfaces, or, if that doesn't make a difference:

ip mtu 1524


ip mtu 1500

on your tunnel interfaces.



New Member

Re: VPN on GRE tunnels causing problems...

try this:

RYK-City.Centre Router- create a loopback interface (lo0) addressed with a /32 address (I.E.

hub router - create a loopback interface (lo0) addressed with a /32 address (I.E.

add the above network to your OSPF config on both routers (I.E. network area X)

RYK router:

change your tunnel ip address to lo0

change your tunnel0 source to lo0

remove the "tunnel mode ipip" command from the tunnel0 interface

remove the "crypto map" command from the tunnel0 interface

change tunnel0 destination to hub router lo0 address

change default route to point to lo0 address of hub router

add a static route for the lo0 address of hub router via

hub router

create a new tunnel1 interface

set address to lo0

source it to lo0

set dest to lo0 address of RYK router

above creates a GRE tunnel, but it won't pass traffic until we encap with IPSEC to get it across the DSL link:

RYK router:

crypto isakmp policy 100

authentication pre-share

crypto isakmp key 6 xxxxxxxx address

crypto ipsec transform-set MYSET esp-des

crypto map RYKHMAP 110 ipsec-isakmp

set peer

set transform-set MYSET

match address 120

access-list 120 permit gre host host

apply the crypto map to your outbound interface

apply the same commands to your hub router, adding an ISAKMP key and a new crypto map for each remote device, and of course changing the ISAKMP key, peer, and access-list addresses as appropriate.

you should create separate tunnel interfaces on your hub router for each remote site... you should also have a mgt subnet configured on all loopback interfaces anyway, so this is a good way to get that project started...

I had this type of setup running between 60+ 2811's at one point.
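Added example, not part of any post in this thread: a size calculation for the GRE-inside-IPsec layering described in the reply above, applied to the adjust-mss suggestion earlier in the thread. It shows why small packets such as pings fit while full-size TCP segments exceed the link MTU. Assumptions not stated in the thread: a 1500-byte path MTU, IPv4 and TCP headers without options, and ESP in tunnel mode.

```python
# Assumptions (not from the thread): IPv4/TCP headers without options,
# a 1500-byte path MTU, and ESP in tunnel mode.
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte


def esp_packet_size(inner_len, block=8, iv=8, icv=0):
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes.

    Defaults model DES-CBC without authentication (8-byte block, 8-byte IV,
    no ICV), i.e. a transform set containing only esp-des.
    """
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = (inner_len + ESP_TRAILER + block - 1) // block * block
    return IP_HDR + ESP_HDR + iv + padded + icv


def wire_size_for_mss(mss, **esp):
    """Outer packet size for a full TCP segment sent through GRE, then ESP."""
    tcp_packet = mss + TCP_HDR + IP_HDR          # what the LAN host sends
    gre_packet = tcp_packet + GRE_HDR + IP_HDR   # GRE plus its delivery header
    return esp_packet_size(gre_packet, **esp)


def largest_safe_mss(path_mtu=1500, **esp):
    """Largest MSS whose fully encapsulated packet still fits in path_mtu."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while wire_size_for_mss(mss, **esp) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for label, mss in [("default MSS 1460", 1460), ("adjust-mss 1436", 1436)]:
        print(f"{label}: {wire_size_for_mss(mss)} bytes on the wire")
    print("largest MSS, esp-des only:", largest_safe_mss())
    # Constructed comparison: AES-CBC with HMAC-SHA1-96
    # (16-byte block and IV, 12-byte ICV).
    print("largest MSS, AES-CBC + SHA1-96:",
          largest_safe_mss(block=16, iv=16, icv=12))
    # A small 100-byte packet stays far below the limit.
    print("100-byte packet:", esp_packet_size(100 + GRE_HDR + IP_HDR), "bytes")
```

Under these assumptions an MSS of 1436 accounts for the GRE overhead only; once ESP is added the packet exceeds 1500 bytes and must be fragmented, or is dropped if the DF bit is set and the ICMP "fragmentation needed" message never reaches the sender.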