Hi.Thanks.

I can apply the crypto map to the physical Interface.The document I was reading to apply GRE over IPSec was probably quite old.

Can I then Just create the GRE tunnels and the access-list that allows GRE through the VPN and this will encrypt the GRE tunnel.

I already have the vpn working between 3 routers but the access-lists are for the lan side of the routers.If I change the access-list to a host to host that allows GRE protocols will that be enough ?

Thanks

I have configured many site to site VPN tunnels with IPSec with GRE. I put the crypto map on the physical interface and the access list is a simple permit gre source host to destination host. This works quite well.

If you have configured a crypto map for the traditional IPSec tunnel, not with GRE, then the access list permits all the LAN addresses that will go through the tunnel. But the access list for the GRE/IPSec only needs to permt the GRE hosts.

HTH

Rick

If It's not too much trouble can you take a look at the pt file.I've created a GRE tunnel between the limassol , dubai routers but no luck.

I would be willing to look at configuration information. But unfortunately I do not have packet tracer software to read your file.

HTH

Rick

Thank you.I appreciate It.

I've attached the configs for the two routers.

Thanks for your help.I've basically put a router In the middle of the three vpn routers with static routes to eachother.The vpn was working without GRE but once I changed the access list It stopped.

I'll take a look again.At least It looks right to you so that's a step forward.

Thanks again.

I would suggest that you start testing by trying to ping with source of 2.0.0.1 to destination 4.0.0.5 and by pinging with source 4.0.0.5 to destination 2.0.0.1.

I see that you are running router RIP over the serial interface. Is that how the routers learn the path to their peer address?

And thinking about routing leads me to notice that I do not see anything that will send traffic through your tunnels. That may be the reason why it stopped working when you configured the GRE tunnels. With just IPSec with crypto map on the physical interface and the crypto access list identifying the end stations it would work as the traffic went out the serial interface. But with the tunnels you need some routing mechanism (could be static routes could be some routing protocol) to send traffic through the tunnels.

As a side note - I see that you are doing no service timestamps. I am curious why you are doing this and would observe that log messages with timestamps and debug messages with timestamps can be very helpful when you are trying to troubleshoot issues on the router.

HTH

Rick

I can ping from 2.0.0.1 to 4.0.0.5 and vice versa.Wouldn't RIP allow me to send traffic through the tunnels ?

As for not using service Timestamps that would be due to me being a noob!

Unfortunately packet tracer  has suddenly started crashing after using It for aroud 30 seconds.

  I'll hopefully get It working and see what I'm doing wrong with the routing protocol. Thanks!

If you can ping that is a good start and makes it more likely that the crypto tunnels will work.

It is certainly possible to have RIP send traffic through the tunnels. But the configs that you posted are not doing that. And I will mention that you need to be careful about the routing protocol running over the tunnel. If you run a dynamic routing protocol over the tunnel and that routing protocol also advertises the source and destination addresses of the tunnel then it can produce an error condition of recursive routing. If you just add a network statement for 192.169.16.0 to your router rip then you would encounter this problem.

HTH

Rick

Hi.I was reading this article about solutions to recursive routing http://fengnet.com/book/cisco.ios.cookbook.2nd/I_0596527225_CHP_12_SECT_4.html.  The second solution :

The second method simply excludes the tunnel's IP address range from the routing protocol. You can then run a different routing protocol for the addresses that you want to pass through the tunnel:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#end
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
 
 In this example I don't understand how 
 network 172.22.0.0 can be added to the 
 eigrp configuration If It doesn't belong 
 to any of the router's Interfaces.
 
  

I looked at this link and it does illustrate one of the good ways to avoid the problem with recursive routing, which is to run one routing protocol on the tunnel interface address and to run a different routing protocol on the physical interfaces. Since the tunnel source address is 172.25.1.5 we know that the network statement for 172.25.0.0 will match and put that interface into the routing protocol. It is not clear to me whether the 172.22 network is also on some interface of this router. If it is then it would be valid to have that network statement under router eigrp. And you are right that if that network is not on this router then it would not be effective to have that network statement.

HTH

Rick

Thanks again for all your help!