Richardvoyageur
40 pts. | May 15 2009 4:38PM GMT
Hey, great answer Jfernatt, thanks.
A few questions though: would it be ok to make a loopback on each router as the endpoint for the GRE?
Would I only have to add the endpoints as interesting traffic for the ipsec tunnel on each side or all traffic? Still a little fuzzy on this stuff as I find it fairly complex.
Do you have any detailed URLs with this kind of setup by any chance? I’d like to study it more in depth. Thanks a lot.
Jfernatt
605 pts. | May 15 2009 5:09PM GMT
Hi there. Yes, just the GRE endpoints will be classified as interesting traffic, as all of your traffic over the GRE will be encapsulated with those endpoints as source and destination addresses.
Here is an example related to OSPF but it is the same concept.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
I could also give you some real life examples and comment them if needed.
Good luck
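
The point discussed above, shown as an added configuration sketch (not part of either post and not taken from the linked Cisco document): GRE terminates on router loopbacks, and the ASA crypto ACL matches only GRE between those two loopbacks. It assumes routers behind ASAs on each side; all addresses, the ACL name `GRE-ENDPOINTS` and the crypto map name `OUTSIDE-MAP` are constructed for illustration.

```text
! Constructed addresses and names, for illustration only:
!   Router A Loopback0 10.255.0.1, Router B Loopback0 10.255.0.2
!   GRE tunnel subnet 172.16.0.0/30, ASA-A inside interface 10.1.1.254

! --- Router A (IOS): GRE sourced from and destined to loopbacks ---
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Reach the remote loopback via the local ASA, never via the tunnel itself
ip route 10.255.0.2 255.255.255.255 10.1.1.254

! --- ASA-A: crypto ACL matches only GRE between the two endpoints ---
access-list GRE-ENDPOINTS extended permit gre host 10.255.0.1 host 10.255.0.2
crypto map OUTSIDE-MAP 10 match address GRE-ENDPOINTS
! (peer, transform set and interface binding of the crypto map omitted)
```

The peer ASA carries the mirror-image ACL with source and destination swapped.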
Csablock
10 pts. | Oct 1 2009 4:38PM GMT
This seems a great solution to an annoying problem - no GRE support on the ASA.
I’m in a similar situation and this looks to fit the bill.
Any further adjustment of MTU between GRE endpoints required to pull this off?
Did you find it better to place the GRE endpoint in a DMZ VLAN behind the ASA, or terminate it on the inside network?
Did you make any adjustment to hello timers, or hold time on EIGRP neighbors through the ASA?
How did outbound inspection traffic work for GRE payloads on the ASA, or is it simply IPSEC to IPSEC with GRE being completely arbitrary to the ASA?
Thanks - I’m curious to try this.






