Hello Manish,

To add to Tyson, AFAIK:

If you want to configure *GRE over IPSec*, then

1) Either configure tunnel protection on the tunnel interface
2) Or configure a crypto map on the physical interface, with the interesting traffic specified as the GRE encapsulated traffic

If you want to configure *IPSec over GRE*, then

1) Configure the crypto map on the tunnel interface. This will encrypt the un-tunnelled clear-text packet. And when the encrypted traffic is to be sent out of a physical interface, it just encapsulates this encrypted packet in a GRE header and shoots it over to the other peer.

Remember, traffic in the tunnels can be treated as the original traffic prior to tunnelling. So whatever configuration you do inside the GRE tunnel (e.g. QoS, encryption) will apply to the traffic prior to tunnelling. It's only when the traffic is heading out through an interface that it will be tunnelled (based on the tunnel mode configured on the tunnel interface) and conditionally encrypted (if you have applied a crypto map or configured tunnel protection on the interface).

You could check this out (VTI) -> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1072476

Cheers,
TacACK
