To understand this example and to apply it to your environment it would be important to understand that Cisco made changes in IOS starting in 12.2(13)T which change the way that the crypto map is used. The example you posted is configured for the earlier usage of the crypto map. Unless you are running code 12.2(13)T and earlier your implementation would work differently than the example.
The earlier implementation puts the crypto map on both the physical outbound interface and also on the tunnel interface, and the access list identifies the LAN traffic as interesting. The later implementation puts the crypto map only on the physical outbound interface and identifies the GRE host to GRE host traffic, not the LAN traffic, as interesting.
I have implemented many IPSec with GRE sites where our access list for interesting traffic has permit only for host gre to host gre and it works very well.
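The later-style (12.2(13)T and onward) configuration described above, written out as an added example that is not from the thread or from Cisco documentation; all addresses, interface names, the pre-shared key placeholder and object names are constructed for illustration:

```text
! Constructed addresses: local WAN 203.0.113.1, remote WAN 198.51.100.1
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is the GRE packets between the two tunnel
! endpoints. The LAN subnets are NOT referenced here; they are
! carried inside the GRE tunnel and picked up by this entry.
ip access-list extended GRE-TO-PEER
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-PEER
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 ! On 12.2(13)T and later no crypto map goes here.
 ! The pre-12.2(13)T style applied "crypto map VPN" on this
 ! interface as well and matched the LAN subnets in the ACL.
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! Remote LAN (constructed) is reached through the tunnel, so its
! packets become GRE and match GRE-TO-PEER on the way out.
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

After bringing the tunnel up, `show crypto ipsec sa` should show a single SA whose local and remote identities are the two GRE endpoints with proto GRE, and its encaps/decaps counters should increase as LAN traffic crosses the tunnel; LAN subnets appearing as SA identities indicate the older, LAN-based crypto ACL is still in use.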
I saw this posting earlier today and I was about to respond that the CCO document listed in the original posting was incorrect. Good to know the older code requires LAN traffic to be considered interesting rather than the traffic between GRE peers. I guess all the GRE setups I had done must have been with IOS version 12.2(13)T and later.
Thanks for the response and for the rating. I remember the first set of IPSec/GRE tunnels I tried to do and how frustrated I got until I realized that the map had to be configured on both the tunnel and the physical interface. I never was clear why that was the case but learned clearly that was what was required to get the tunnel to work.
I am surprised that your LAN to LAN needs the crypto map on the tunnel interface. Perhaps it is something about how you are defining interesting traffic?