Hello Wale,

Here are the responses to your questions:

1) In case of IPSec over GRE, if we have an ASA in between the IPSec peers,
then we need to permit GRE on the outside interface for the tunnel to come
up.

2) In case of IPSec over GRE, the proxy ACL that we will be using will
be *permit ip x.x.x.x y.y.y.y*. That's because we have placed a crypto map
IN the tunnel. So it will encrypt the plain-text packets here, hence IP not
GRE in the ACL. Only AFTER it gets encrypted will the GRE header be slapped
on top of it.

3) Transport mode works without any issues. I tested this out and I don't
see any problems.

Cheers,
TacACK
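
The following configuration sketch is an added illustration of points 1 and 2, not part of the original message and not the configuration TacACK tested. It shows the crypto map applied on the tunnel interface with an IP proxy ACL, and the ASA rule that admits the resulting GRE packets. All addresses, object names, the pre-shared key and the ISAKMP policy values are constructed placeholders, and it assumes the inside router is reachable through the ASA without PAT.

```cisco
! ---- R1 (inside router, behind the ASA) -- constructed example ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
! Peer is the remote end of the GRE tunnel, so IKE itself rides inside GRE
crypto isakmp key EXAMPLE_KEY address 172.16.0.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Proxy ACL matches the plain-text traffic as IP, not GRE:
! encryption happens before the GRE header is added
ip access-list extended PROXY_ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set TS
 match address PROXY_ACL
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 ! Crypto map is applied IN the tunnel, not on the physical interface
 crypto map CMAP
!
! Route the protected remote subnet into the tunnel
ip route 10.2.2.0 255.255.255.0 Tunnel0
!
! ---- ASA between the peers -- constructed example ----
! On the wire the ASA sees only GRE (IP protocol 47) between the
! tunnel endpoints; ESP and IKE are carried inside it
access-list OUTSIDE_IN extended permit gre host 198.51.100.1 host 192.0.2.1
access-group OUTSIDE_IN in interface outside
```

Scoping the ASA entry to the two tunnel endpoint addresses keeps the outside ACL from admitting GRE from arbitrary sources.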