Cannot establish LAN-to-LAN IPSec/GRE tunnel - Added GRE to existing IPSec tunnel


Case Number K13112422
Title Cannot establish LAN-to-LAN IPSec/GRE tunnel - Added GRE to existing IPSec tunnel
Core issue

No crypto debugs appear when trying to initiate the tunnel. IPSec worked before adding generic routing encapsulation (GRE) to the configuration.

Resolution

To add GRE to a working IPSec configuration, follow these steps.

  1. Remove the crypto map from the interface.
  2. Create the tunnel interfaces. 
int tunnel ip address private_ip subnet_mask tunnel source outside_interface_name tunnel destination peer_address
  1. Modify the crypto access list as shown below. 
access-list acl_name permit gre host tunnel_source_ip host peer_address
  1. Use routing protocol or configure a static route for the remote LAN with the next hop pointing to the tunnel interface.
  2. Reapply the crypto map to the physical interface and the tunnel interface.

For more information, including a sample configuration, see Configuring Router-to-Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT.

Problem Type Connectivity
Product Family Routers
Cisco IOS Software Version 12.0, 12.1, 12.2
VPN Tunnel End Points Router
Protocol / Ports Generic routing encapsulation (GRE)
VPN Protocols IPSec
VPN Tunnel Initialization IPSec session is not established
Labels: