Cisco Support Community
Community Member

Help on Tunnel


I am building IPsec tunnels between two remote sites. I am creating just one of those tunnels to pass all traffic between two sync servers (two separated subnets and Am I doing this correctly if I have a static route to the outbound interface, and have another static route for just the server IP address to that tunnel? Here is an example:


interface tunnel 1

ip address


tunnel source

tunnel destination


ip route Fastethernet0 name tunnel1-to-tunnel2

ip route tunnel1 name tunnel1-to-tunnel2


ip access-list extended tunnel1-to-tunnel2

permit gre host host

thanks for any help,


Cisco Employee

Re: Help on Tunnel

Since you are doing IPSEC over GRE, your access-list to encrypt traffic should be your tunnel source and destination.

ip access-list extended tunnel1-to-tunnel2

permit gre host host

Please refer to the URL below for details.

Let me know if it helps.



** Please rate all helpful posts **

Hall of Fame Super Gold

Re: Help on Tunnel


Your post talks about building an IPSec tunnel. But the configuration shows more GRE tunnel than IPSec tunnel. It is sometimes done to run IPSec with GRE but it is not always necessary. You have not indicated what if anything requires the GRE. And that makes it more difficult for us to answer your question.

The configuration of the GRE tunnel as shown seems ok - assuming that is a local connected address on some interface of the router. But in that case you certainly do not need the static route

ip route Fastethernet0 name tunnel1-to-tunnel2 (why would you need a static route for a locally connected address?).

Also the second static route (for indicates that you go through the tunnel to get to it. But if the tunnel source is (and that must be a locally connected interface) it is hard to see how some other address in that subnet is reached through the tunnel.

You show an access list but you do not show how the access list is to be used. If the access list is to be used by the crypto map to identify traffic for IPSec to protect then it should use the addresses of the tunnel end points. (permit gre host host)

The one thing that the GRE tunnel needs to work is a route to the tunnel destination ( It is not clear from what you posted whether the router has a route such as this.
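
The points made in the replies above, put together as an added example configuration for one router; it is not taken from any post in this thread. Every address (RFC 5737 documentation ranges), the pre-shared key placeholder, the crypto map and transform-set names, and the route names other than tunnel1-to-tunnel2 are assumptions, and the far end needs the mirror image of this configuration.

```cisco
! Added example: GRE tunnel protected by IPsec via a crypto map.
! Assumed addressing: local WAN 203.0.113.1/30 (next hop 203.0.113.2),
! remote tunnel endpoint 198.51.100.2, remote sync server 192.0.2.10.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The crypto ACL matches the GRE packets themselves, so it uses the
! tunnel source and tunnel destination, not the server addresses.
ip access-list extended tunnel1-to-tunnel2
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address tunnel1-to-tunnel2
!
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
!
! The tunnel destination must be reachable outside the tunnel.
ip route 198.51.100.2 255.255.255.255 203.0.113.2 name to-tunnel-destination
! Only the remote sync server is routed through the tunnel. It sits in
! the remote subnet, not in the subnet of the local tunnel source.
ip route 192.0.2.10 255.255.255.255 Tunnel1 name sync-server-via-tunnel
```

With this layout, any GRE packet between the two endpoints that leaves FastEthernet0 matches the crypto ACL and is encrypted. No static route is needed for the locally connected tunnel source.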


