Tag: GRE

Cisco IOS Site-to-Site IPsec VPN with GRE: Full Configuration Walkthrough

Working reference for a GRE-over-IPsec site-to-site VPN on Cisco IOS. It explains why GRE is carried inside IPsec rather than using plain IPsec (GRE supports multicast and therefore routing protocols), then the two-phase IKE/IPsec negotiation: Phase 1 (ISAKMP) settles authentication, encryption, hash, DH group and lifetime; Phase 2 settles the transform set, the interesting traffic and the IPsec lifetime.

The full configuration is given symmetrically for both endpoints: ISAKMP policy, pre-shared key, transform set, an ACL for interesting traffic that matches GRE between the two tunnel endpoints, a crypto map applied to the physical interface (not the tunnel interface), and a GRE Tunnel0 interface with a lowered MTU and TCP MSS clamping. EIGRP is then run through the tunnel, and verification proceeds in order: show crypto isakmp sa, show crypto ipsec sa, show crypto map, a ping across the tunnel, then the routing table.

Pitfalls covered: crypto map on the wrong interface, ACL matching the LAN subnets instead of the GRE traffic, MTU not lowered, NAT-T not permitted, and asymmetric configuration between the peers.