Hi everyone,

I'm sure this topic has been beaten to death already on these forums.  Nevertheless I have yet to find the exact solution I need.  I have three devices, Two routers and one ASA.  One of the routers sits behind the ASA and I have a GRE VTI setup between the two routers with ASA NATting one of the routers to a public IP.  I can secure the tunnel using transport mode IPsec but as soon as I switch to tunnel mode, communication fails even though the SA gets established.

Please see the configuration below and tell me what I'm missing please.  I've changed IP addresses for security.

The following config works when transform-set is set to transport mode

Note: Router 2 sits behind the ASA and is NATed to the public ip 200.1.1.2

Router 1:

crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac

mode tunnel

!

crypto ipsec profile IPSEC

set transform-set SEC

!

!

interface Tunnel2

ip address 172.16.1.1 255.255.255.252

tunnel source 200.1.1.1

tunnel destination 200.1.1.2

tunnel protection ipsec profile IPSEC

!

crypto isakmp key SECURITYKEY address 200.1.1.2

!

crypto isakmp policy 1

encr aes 256

hash md5

authentication pre-share

group 2

ASA:

static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255

Router 2:

interface Tunnel121

ip address 172.16.1.2 255.255.255.252

ip nat inside

ip virtual-reassembly

tunnel source 10.1.1.1

tunnel destination 200.1.1.1

tunnel protection ipsec profile IPSEC

!

crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac

mode tunnel

!

crypto ipsec profile IPSEC

set transform-set SEC

!

crypto isakmp key SECURITYKEY address 200.1.1.1

!

crypto isakmp policy 2

encr aes 256

hash md5

authentication pre-share

group 2

There are no access-lists on the ASA except to allow ICMP any any

I greatly appreciate any guidance you guys can provide in advance.