topic Re: Help getting GRE IPsec tunnel setup in Network Security https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183564#M351394 <HTML><HEAD></HEAD><BODY><P>Maykol - I believe you are correct on the GRE traffic is not getting back to the PIX in the main office.&nbsp; I did a packet capture on the PIX and not getting anything coming in regarding any of the Loopback or Tunnels.&nbsp; </P><P></P><P>The 2821 and 2921 routers use using HRST and use a standby IP of 10.10.10.1.&nbsp; The 2821 IP is 10.10.10.253 and the 2921 is 10.10.10.254.</P><P></P><P>10.2.60.1 &amp; 10.2.60.2 are the Loopback addresses</P><P></P><P>10.254.10.6 &amp; 10.254.60.6 are the Tunnel Addresses.&nbsp; </P><P></P><P>I have updated the PBR on the 2821 &amp; 2921 to send any traffic for the 10.60.x.x network, 10.2.60.2, and 10.254.60.6 to the PIX but I'm wondering if that is wrong.&nbsp; </P></BODY></HTML> Mon, 22 Apr 2013 15:53:51 GMT dctaylorit 2013-04-22T15:53:51Z Help getting GRE IPsec tunnel setup https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183562#M351392 <P>We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router.&nbsp; I am attempting to setup a GRE tunnel over IPsec back to the main office.&nbsp; The main office consists of a PIX515, a 2821 router, and a 2921 router.&nbsp;&nbsp; </P><P></P><P>There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.&nbsp; The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.&nbsp;&nbsp; The default route is to use the ASA.&nbsp;&nbsp; We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.&nbsp;&nbsp;&nbsp; </P><P></P><P>I have attached a PDF that shows a general overview.&nbsp; </P><P></P><P>Right now I am not able to get the tunnel setup.&nbsp; It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.&nbsp; I will show the output of that command below.&nbsp; </P><P></P><P>Main Office<BR /> The external address&nbsp;&nbsp;&nbsp;&nbsp; 198.40.227.50.<BR /> The loopback address&nbsp;&nbsp; 10.254.10.6<BR /> The tunnel address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.2.60.1</P><P></P><P>Offsite Datacenter<BR /> The external address&nbsp;&nbsp;&nbsp;&nbsp; 198.40.254.178<BR /> The loopback address&nbsp;&nbsp; 10.254.60.6<BR /> The tunnel address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.2.60.2</P><P></P><P>The main office PIX515 Config (Edited – if I am missing something that you need please let me know).</P><P></P><P style="padding-left: 30px;"><BR /> PIX Version 7.2(2)</P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">!</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">interface Ethernet0</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">mac-address 5475.d0ba.5012</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">nameif outside</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">security-level 0</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">ip address 198.40.227.50 255.255.255.240</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">!</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">interface Ethernet1</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">nameif inside</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">security-level 100</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">ip address 10.10.10.3 255.255.0.0</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">!</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">global (outside) 1 interface</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">nat (outside) 1 10.60.0.0 255.255.0.0</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">nat (inside) 0 access-list noNat</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">route outside 0.0.0.0 0.0.0.0 198.40.227.49 1</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">route inside 10.60.0.0 255.255.0.0 10.10.10.1 1</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">route inside 10.254.10.6 255.255.255.255 10.10.10.253 1</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto map cr-lakeavemap 10 match address outside_cryptomap_60</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto map cr-lakeavemap 10 set peer 198.40.254.178</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto map cr-lakeavemap interface outside</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto isakmp identity address</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto isakmp enable outside</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto isakmp policy 10</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">authentication pre-share</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">encryption 3des</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">hash sha</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">group 2</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">lifetime 86400</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">crypto isakmp nat-traversal&nbsp; 20</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">tunnel-group DefaultRAGroup ipsec-attributes</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">isakmp keepalive threshold 10 retry 2</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">tunnel-group 198.40.254.178 type ipsec-l2l</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-size: 10pt;">tunnel-group 198.40.254.178 ipsec-attributes</SPAN></P><P></P><P></P><P>The offsite datacenter PIX501 config (again edited)</P><P></P><P style="padding-left: 30px;">PIX Version 6.3(5)</P><P style="padding-left: 30px;">interface ethernet0 auto</P><P style="padding-left: 30px;">interface ethernet1 100full</P><P style="padding-left: 30px;">nameif ethernet0 outside security0</P><P style="padding-left: 30px;">nameif ethernet1 inside security100</P><P style="padding-left: 30px;">access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6</P><P style="padding-left: 30px;">access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6</P><P style="padding-left: 30px;">mtu outside 1500</P><P style="padding-left: 30px;">mtu inside 1500</P><P style="padding-left: 30px;">ip address outside 198.40.254.178 255.255.255.240</P><P style="padding-left: 30px;">ip address inside 10.60.10.2 255.255.0.0</P><P style="padding-left: 30px;">route outside 0.0.0.0 0.0.0.0 198.40.254.177 1</P><P style="padding-left: 30px;">route inside 10.2.60.2 255.255.255.255 10.60.10.1 1</P><P style="padding-left: 30px;">route inside 10.254.60.6 255.255.255.255 10.60.10.1 1</P><P style="padding-left: 30px;">crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P style="padding-left: 30px;">crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN</P><P style="padding-left: 30px;">crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA</P><P style="padding-left: 30px;">crypto map cr-lakeavemap 10 ipsec-isakmp</P><P style="padding-left: 30px;">crypto map cr-lakeavemap 10 match address crvpn</P><P style="padding-left: 30px;">crypto map cr-lakeavemap 10 set peer 198.40.227.50</P><P style="padding-left: 30px;">crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA</P><P style="padding-left: 30px;">crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map</P><P style="padding-left: 30px;">crypto map cr-lakeavemap client authentication LOCAL</P><P style="padding-left: 30px;">crypto map cr-lakeavemap interface outside</P><P style="padding-left: 30px;">isakmp enable outside</P><P style="padding-left: 30px;">isakmp key ******** address 198.40.227.50 netmask 255.255.255.255</P><P style="padding-left: 30px;">isakmp identity address</P><P style="padding-left: 30px;">isakmp keepalive 10</P><P style="padding-left: 30px;">isakmp nat-traversal 20</P><P style="padding-left: 30px;">isakmp policy 10 authentication pre-share</P><P style="padding-left: 30px;">isakmp policy 10 encryption 3des</P><P style="padding-left: 30px;">isakmp policy 10 hash sha</P><P style="padding-left: 30px;">isakmp policy 10 group 2</P><P style="padding-left: 30px;">isakmp policy 10 lifetime 86400</P><P></P><P></P><P>Output of the “show crypto ipsec sa” command<BR /> From the main office</P><P></P><P style="padding-left: 30px;">Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6</P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; current_peer: 198.40.254.178</SPAN></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0</P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #pkts compressed: 0, #pkts decompressed: 0</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #send errors: 0, #recv errors: 0</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; path mtu 1500, ipsec overhead 58, media mtu 1500</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; current outbound spi: D78E63C9</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inbound esp sas:</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spi: 0x5D63434C (1566786380)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; transform: esp-3des esp-sha-hmac none</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; in use settings ={L2L, Tunnel, }</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; slot: 0, conn_id: 2, crypto-map: cr-lakeavemap</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sa timing: remaining key lifetime (kB/sec): (4274801/7527)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IV size: 8 bytes</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay detection support: Y</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp; outbound esp sas:</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spi: 0xD78E63C9 (3616433097)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; transform: esp-3des esp-sha-hmac none</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; in use settings ={L2L, Tunnel, }</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; slot: 0, conn_id: 2, crypto-map: cr-lakeavemap</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sa timing: remaining key lifetime (kB/sec): (4275000/7527)</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IV size: 8 bytes</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay detection support: Y</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">From the offsite datacenter</SPAN></P><P></P><P>&nbsp;&nbsp; local&nbsp; ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)</P><P>&nbsp;&nbsp; remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)</P><P>&nbsp;&nbsp; current_peer: 198.40.227.50:500</P><P>&nbsp;&nbsp; dynamic allocated peer ip: 0.0.0.0</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; PERMIT, flags={origin_is_acl,}</P><P>&nbsp;&nbsp;&nbsp; #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360</P><P>&nbsp;&nbsp;&nbsp; #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0</P><P>&nbsp;&nbsp;&nbsp; #pkts compressed: 0, #pkts decompressed: 0</P><P>&nbsp;&nbsp;&nbsp; #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0</P><P>&nbsp;&nbsp;&nbsp; #send errors 1156, #recv errors 0</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; path mtu 1500, ipsec overhead 56, media mtu 1500</P><P>&nbsp;&nbsp;&nbsp;&nbsp; current outbound spi: 5d63434c</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; inbound esp sas:</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spi: 0xd78e63c9(3616433097)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; transform: esp-3des esp-sha-hmac ,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; in use settings ={Tunnel, }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; slot: 0, conn id: 1, crypto map: cr-lakeavemap</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sa timing: remaining key lifetime (k/sec): (4608000/6604)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IV size: 8 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay detection support: Y</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; inbound ah sas:</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; inbound pcp sas:</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; outbound esp sas:</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spi: 0x5d63434c(1566786380)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; transform: esp-3des esp-sha-hmac ,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; in use settings ={Tunnel, }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; slot: 0, conn id: 2, crypto map: cr-lakeavemap</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sa timing: remaining key lifetime (k/sec): (4607792/6596)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IV size: 8 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay detection support: Y</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; outbound ah sas:</SPAN></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; outbound pcp sas:</P><P></P><P></P><P>I'm not sure where the issue lies and have beat my head on this for awhile so any help/insight is greatly appreciated.&nbsp; If there is anything else you'd like to see please let me know.&nbsp; </P> Tue, 12 Mar 2019 01:31:58 GMT https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183562#M351392 dctaylorit 2019-03-12T01:31:58Z Help getting GRE IPsec tunnel setup https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183563#M351393 <HTML><HEAD></HEAD><BODY><P>Hi Joe, </P><P></P><P>This should be moved to a VPN forum, however, something comes up Really quickly from the problem. Here: </P><P></P><P>&nbsp;&nbsp; #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0</P><P></P><P>Thats from the Pix on the Main office, so I think the GRE traffic is not either getting or being encrypted. I am assuming this is the IP address of the router behind the main office 10.254.10.6 is that correct? </P><P></P><P>If so, I would put a capture on the Pix to see if the GRE traffic is getting to that PIX on the inside (Unencrupted but Encapsulated on GRE) and make sure that it is not being dropped. To ensure that, you can see the logs on the PIX and see if the firewall is dropping the GRE previous being encrypted. </P><P></P><P>Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted. </P><P></P><P>Let me know. </P><P></P><P>Mike Rojas.</P></BODY></HTML> Mon, 22 Apr 2013 03:27:38 GMT https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183563#M351393 Maykol Rojas 2013-04-22T03:27:38Z Re: Help getting GRE IPsec tunnel setup https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183564#M351394 <HTML><HEAD></HEAD><BODY><P>Maykol - I believe you are correct on the GRE traffic is not getting back to the PIX in the main office.&nbsp; I did a packet capture on the PIX and not getting anything coming in regarding any of the Loopback or Tunnels.&nbsp; </P><P></P><P>The 2821 and 2921 routers use using HRST and use a standby IP of 10.10.10.1.&nbsp; The 2821 IP is 10.10.10.253 and the 2921 is 10.10.10.254.</P><P></P><P>10.2.60.1 &amp; 10.2.60.2 are the Loopback addresses</P><P></P><P>10.254.10.6 &amp; 10.254.60.6 are the Tunnel Addresses.&nbsp; </P><P></P><P>I have updated the PBR on the 2821 &amp; 2921 to send any traffic for the 10.60.x.x network, 10.2.60.2, and 10.254.60.6 to the PIX but I'm wondering if that is wrong.&nbsp; </P></BODY></HTML> Mon, 22 Apr 2013 15:53:51 GMT https://community.cisco.com/t5/network-security/help-getting-gre-ipsec-tunnel-setup/m-p/2183564#M351394 dctaylorit 2013-04-22T15:53:51Z