GRE over GRE over IPSec

patrick-m-hogan
Level 1

I have an ASR 1006 (16.12.8) connecting to a C8500L (17.09.04a). We put a crypto map on the circuit to encrypt everything between devices. I then have a GRE tunnel using the circuit IPs as the tunnel's source and destination IPs. The tunnel is using loopbacks as the tunnel IPs (ip unnumbered). This GRE tunnel is working fine and OSPF comes up no problem. Then I have a GRE in a VRF using the same loopbacks that the tunnel is using as its tunnel source and destination (ip unnumbered again), and that tunnel won't come up. One side (ASR 1006) gets stuck in INIT and the other side has nothing for a neighbor (8500). I have another router (ASR 1006) with the same configuration connecting to the same ASR 1006, and this same configuration works great with no problems. One more thing: this is a new install and it worked fine until I put the crypto map on the circuit, and that is when the VRF tunnel went down. I tested this by removing crypto and it came right back up, and when I applied crypto again it went down again. I have tried everything I can think of and a few other Eng. have tried as well, and I can't find any way to make it work. The GRE tunnel is UP UP but still not working.

Screenshot 2025-05-20 103741.png

6 Replies

M02@rt37
VIP

Hello @patrick-m-hogan 

If you can, switch to IPSEC profiles with vti instead of crypto maps. VTI handles VRF and IPSEC cleanly.

If you must use crypto map, assign IP addresses directly (not unnumbered) to simplify resolution...


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks, I will look into it. I hope the old IOS on the ASR will support it.

I hope the old IOS on the ASR will support it.

Good chance your ASR IOS may support VTI.

BTW, I recall another advantage of VTI, less bandwidth overhead.

Oh, and also on the subject of overhead, for these kinds of tunnels, don't overlook fragmentation avoidance.
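As an added illustration of the IPsec-profile approach suggested above and the fragmentation point just made (constructed example, not configuration from the original post), the outer GRE tunnel carries `tunnel protection` instead of a crypto map on the circuit, so only that GRE flow is encrypted, and both tunnels set MTU/MSS. All names, addresses, the pre-shared key placeholder and the VRF CUST-A are constructed; the VRF definition, the OSPF process and the mirror-image configuration on the peer are assumed to exist.

```cisco
! IKEv2 and IPsec policy (constructed values; placeholder for the secret)
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring IKEV2-KR
 peer REMOTE
  address 203.0.113.2
  pre-shared-key <PSK-PLACEHOLDER>
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
crypto ipsec transform-set TS-GCM esp-gcm 256
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
!
! Circuit interface carries plain routed traffic: no crypto map here
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback1
 vrf forwarding CUST-A
 ip address 10.255.1.1 255.255.255.255
!
! Outer GRE tunnel; the IPsec profile is bound to the tunnel itself
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-PROF
!
! Inner GRE tunnel in the VRF; endpoints are the loopbacks reached over Tunnel0
! (24 bytes lower MTU to allow for the second GRE/IP header)
interface Tunnel1
 vrf forwarding CUST-A
 ip unnumbered Loopback1
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source Loopback0
 tunnel destination 10.255.0.2
```

Tunnel1 keeps its source and destination lookups in the global table (no `tunnel vrf`), which is where Loopback0 and the remote loopback are learned via OSPF over Tunnel0.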

Hello
Just to clarify: you have IPsec on the transit between the rtrs, then you run GRE/IPSEC over that encrypted transit, correct?
Where does the VRF fit into this, as I would expect the VRF not to be able to see anything from the global RIB table by default?

Maybe share your cfg if applicable ?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I only have IPSec on the circuit. The GRE tunnel does not have IPSec on it. I do not have a tunnel protection IPsec profile on the tunnel just a crypto map on the circuit interface.

Tunnel protection command not available? If yes, then try adding the crypto map under the tunnel source interface.

MHM