IPSec and GRE

tomchan
Level 1

I have a 3745 router in the central office running IPsec to a remote office with a PIX 506E. Below is the scenario.

10.1.0.0 --- 3745 (F0/1) ----- IPsec over Internet ---- (Outside Internet) PIX 506E --- 10.10.0.0

I have added an inbound ACL on the 3745 F0/1 to allow only IPsec traffic coming from the PIX 506E.

access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip any any log

However, the above ACL blocked the IPsec tunnel from being established, so I permitted GRE as below:

access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip any any log

Everything works fine after permitting GRE; the IPsec tunnel was able to be established.

Why do I need to permit GRE to establish IPsec, as we are not using GRE at all? Thanks
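As an added example (not code from the post or from Cisco), here is a small evaluator for the extended-ACL syntax used in the post, run over constructed inbound packets to show which line each IPsec packet hits, which is what the per-line counters of `show access-list 101` would reveal on the router. It assumes placeholder outside addresses from RFC 5737 and models only the keywords that appear in the post's ACL.

```python
import ipaddress
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IKE (UDP 500) and NAT-T (UDP 4500)

def _addr(t):  # consume 'any' or 'address wildcard'; wildcard 1-bits are "don't care"
    if t[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(t[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[0]}/{netmask}", strict=False), t[2:]
def _port(t):  # consume an optional 'eq <port>' clause; None means any port
    return (PORT_NAMES.get(t[1]) or int(t[1]), t[2:]) if t[:1] == ["eq"] else (None, t)
def parse_ace(line):  # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]'
    t = line.split()
    action, proto = t[2], t[3]
    src, t = _addr(t[4:]); sport, t = _port(t)
    dst, t = _addr(t); dport, t = _port(t)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
def matches(ace, pkt):  # 'ip' matches every protocol; a port test applies only if 'eq' was given
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["sport"] in (None, pkt.get("sport"))
            and ace["dport"] in (None, pkt.get("dport")))

def evaluate(acl_lines, packets):  # first match wins, as in IOS; no match is the implicit deny
    acl = [parse_ace(l) for l in acl_lines]
    hits, actions = {l: 0 for l in acl_lines}, []  # hits mirrors the 'show access-list' counters
    for pkt in packets:
        i = next((i for i, a in enumerate(acl) if matches(a, pkt)), None)
        actions.append("deny" if i is None else acl[i]["action"])
        if i is not None:
            hits[acl_lines[i]] += 1
    return hits, actions

# Constructed sample: the post's original ACL and the inbound packets an IPsec tunnel from
# the PIX produces. Outside addresses are RFC 5737 placeholders, not taken from the post.
ORIGINAL_ACL = [
    "access-list 101 permit esp any any",
    "access-list 101 permit udp any any eq isakmp",
    "access-list 101 permit udp any any eq non500-isakmp",
    "access-list 101 permit ip 10.10.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
    "access-list 101 deny ip any any log",
]
PIX, RTR = "198.51.100.2", "203.0.113.1"
INBOUND = [
    {"proto": "udp", "src": PIX, "dst": RTR, "sport": 500, "dport": 500},    # IKE
    {"proto": "udp", "src": PIX, "dst": RTR, "sport": 4500, "dport": 4500},  # NAT-T
    {"proto": "esp", "src": PIX, "dst": RTR},                                # encrypted payload
    {"proto": "tcp", "src": "10.10.5.9", "dst": "10.1.2.3", "sport": 40000, "dport": 80},  # inner
    {"proto": "gre", "src": PIX, "dst": RTR},   # the only packet the extra 'permit gre' line changes
]
```

Running `evaluate(ORIGINAL_ACL, INBOUND)` shows every packet the tunnel needs already hitting a permit line and only the GRE packet falling to the deny line, so a hit counter on the added GRE entry would mean GRE traffic really is arriving.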

3 Replies

gfullage
Cisco Employee

This doesn't make sense since the PIX won't do GRE anyway. Does a "sho access-list 101" actually show that ACL line getting hit? I'm inclined to think something else has changed in your network other than just adding this line. If you remove that line again can you no longer build a tunnel?

Yes, it doesn't make sense to me either. One thing I want to confirm: do none of the PIX models support GRE at all? Thanks.

r.fang
Level 1

Take permit gre any any out of the list, try clear crypto isakmp sa and clear crypto ipsec sa on both the Cisco 3745 and PIX 506E sides, and see if the tunnel comes back.