I have finally got this working, and yes, you can encapsulate IPsec inside of a GRE tunnel. Here are the details:

ISAKMP actually happens outside of the tunnel, but the ESP packets are indeed inside of the tunnel. I have verified this with Wireshark, and ESP is encapsulated inside of the GRE packets. The benefit of this would be to only encrypt sensitive traffic while passing other traffic unencrypted inside of a GRE tunnel.

Here is a partial config to set up the IPsec inside of GRE:

    crypto map map1 local-address fa0/1
    ! this is required to set up isakmp outside of the tunnel
    ! ipsec sa's will not work if it tries to go through the gre tunnel
    crypto map map1 10 ipsec-isakmp
     set peer 1.1.1.2
    ! make sure to set the peer as the physical interface and not the tunnel interface
    ! otherwise ipsec sa's will fail to establish
    !
    ! outside interface
    int fa0/1
     ip address 1.1.1.1 255.255.255.0
    !
    int tun 0
     ip address 192.168.0.1 255.255.255.0
     tunnel source fa0/1
     tunnel destination 1.1.1.2
     crypto map map1
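The check the post describes doing in Wireshark, as an added example that is not part of the original post: a small Python classifier that reports whether a captured IPv4 packet is ISAKMP outside the tunnel, ESP inside GRE, or cleartext inside GRE. The packet bytes are constructed, not a real capture; the far-end tunnel address 192.168.0.2 and the inner ESP addressing (1.1.1.1 to 1.1.1.2, taken from `local-address` and `set peer`) are assumptions.

```python
import struct

GRE, ESP, UDP = 47, 50, 17  # IP protocol numbers

def ipv4(src, dst, proto, payload):  # minimal IPv4 packet, checksum left 0
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def parse_ipv4(pkt):
    """Return (protocol, payload) of an IPv4 packet, honouring IHL."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        raise ValueError("not a valid IPv4 packet")
    return pkt[9], pkt[ihl:]

def strip_gre(gre):
    """Return (ethertype, inner); checksum/key/sequence add 4 bytes each."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, etype = struct.unpack("!HH", gre[:4])
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return etype, gre[off:]

def classify(pkt):
    """Say where a captured packet sits relative to the GRE tunnel."""
    proto, body = parse_ipv4(pkt)
    if proto == UDP and len(body) >= 8 and 500 in struct.unpack("!HH", body[:4]):
        return "isakmp-outside-gre"
    if proto == ESP:
        return "esp-outside-gre"
    if proto == GRE:
        etype, inner = strip_gre(body)
        if etype == 0x0800:  # inner packet is IPv4
            return "esp-inside-gre" if parse_ipv4(inner)[0] == ESP else "clear-inside-gre"
    return "other"

# Constructed sample packets (not a real capture); 192.168.0.2 is assumed.
OUT = ("1.1.1.1", "1.1.1.2")
esp = ipv4(*OUT, ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
icmp = ipv4("192.168.0.1", "192.168.0.2", 1, b"\x08\x00" + b"\x00" * 6)
SAMPLES = {
    "ike": ipv4(*OUT, UDP, struct.pack("!HHHH", 500, 500, 36, 0) + b"\x00" * 28),
    "esp_in_gre": ipv4(*OUT, GRE, struct.pack("!HH", 0, 0x0800) + esp),
    "clear_in_gre": ipv4(*OUT, GRE, struct.pack("!HHI", 0x2000, 0x0800, 7) + icmp),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

With the configuration in the post, a capture on the outside interface should show the first two labels for IKE and protected traffic; an `esp-outside-gre` result would mean the crypto map is being applied outside the tunnel instead.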
