Ipsec gre tunnel explanation

Similar Messages

• Windows Replication RPC Problems with IPSec GRE Tunnel

  We have been having significant issue in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares.  Both services will randomly stop working, throwing RPC errors as the resulting cause.  We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem.  I'm trying to the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
  Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs.  An IPSec GRE tunnel exists between both offices.  Interoffice bandwidth is approximately 10mbps.  Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations.  We really don't have a complicated environment, I'd think it wouldn't be too hard to set up.  But this just seems to be escaping me.  I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
  Please let me know if there is anything further people need to see.  My next step is MS forums but I wanted to eliminate layer 3 first.
  Tunnel Config:
  crypto map outside_crypto 10 ipsec-isakmp
  set peer x.x.x.x
  set transform-set ESP-AES-SHA
  match address 102
  crypto ipsec df-bit clear
  interface Tunnel0
  bandwidth 10240
  ip address x.x.x.x x.x.x.x
  no ip redirects
  ip mtu 1420
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1375
  tunnel source GigabitEthernet0/0
  tunnel destination x.x.x.x
  crypto ipsec df-bit clear
  end

  Hi,
  Based on the third-party article below, you can setup VPN connection between Windows VPN client and Cisco firewall:
  Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
  What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
  RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
  Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
  RADIUS authentication for Cisco switches using w2k8R2 NPS
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best regards,
  Susie

• Encrypted GRE Tunnel with RIP on a SRW527w??

  Hi All,
  Is it possible to configure an IPSEC GRE tunnel with RIP on an SRP527w? I see RIP, GRE & IPSEC are all possible.. But I'm not sure about them all together securing the GRE tunnel??
  See below. I basically want to do this with the SRW routers not native IOS. Single head end hub & spoke.
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf
  Thanks a lot
  Matt                  

  On a much smaller scale of course!

• When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

  i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

  Jose,
  It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
  Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
  HTH,
  Frank

• GRE tunnel through asa no pptp, l2tp, ipsec

  Hello!
  can't understand how to configure GRE tunnel through ASA
  i have one router with public ip, connected to internet
  ASA 8.4 with public ip connected to internet
  router with private ip behind ASA.
  have only one public ip on ASA with /30 mask
  have no crypto
  have network behind ASA and PAT for internet users.
  can't nat GRE? cause only TCP/UDP nated(?)
  with packet-tracer i see flow already created but tunnel doesn't work

  A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

  >>both routers are located in different countries and connected with ISP
  >>IPsec over GRE tunnel is configured on both the routers 
  >>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
  >>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
  >>ISP is not finding any issue with their end 
  >>Please guide me how i can fix this issue and what need to be check on this ????
  ========================
  Router_1#sh run int Tunnel20
  Building configuration...
  Current configuration : 272 bytes
  interface Tunnel20
   bandwidth 2048
   ip address 3.85.129.141 255.255.255.252
   ip mtu 1412
   ip flow ingress
   delay 1
   cdp enable
   tunnel source GigabitEthernet0/0/3
   tunnel destination 109.224.62.26
  end
  ===================
  Router_1#sh int Tunnel20
  Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
    Hardware is Tunnel
    Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
    Internet address is 3.85.129.141/30
    MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
     Tunnel Subblocks:
        src-track:
           Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
            Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1476 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 1w6d, output 14w4d, output hang never
    Last clearing of "show interface" counters 2y5w
    Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       1565172427 packets input, 363833090294 bytes, 0 no buffer
       Received 0 broadcasts (0 IP multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       1778491917 packets output, 1555959948508 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  =============================
  Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
  Packet sent with a source address of 195.27.20.14
  Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
  Router_1#
  ============================================
  Router_1#sh cry ip sa pe 109.224.62.26 | in caps
      #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
      #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
  Router_1#sh clock
  15:09:45.421 UTC Thu Dec 25 2014
  Router_1#
  ===================
  Router_1#sh cry ip sa pe 109.224.62.26 | in caps
      #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
      #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
  Router_1#sh clock
  15:11:36.476 UTC Thu Dec 25 2014
  Router_1#
  ===================
  Router_2#sh run int Tu1
  Building configuration...
  Current configuration : 269 bytes
  interface Tunnel1
   bandwidth 2000
   ip address 3.85.129.142 255.255.255.252
   ip mtu 1412
   ip flow ingress
   load-interval 30
   keepalive 10 3
   cdp enable
   tunnel source GigabitEthernet0/0
   tunnel destination 195.27.20.14
  end
  Router_2#
  =======================
  Router_2#sh run | sec cry
  crypto isakmp policy 10
   authentication pre-share
  crypto isakmp key Router_2 address 195.27.20.14
  crypto isakmp key Router_2 address 194.9.241.8
  crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
   mode transport
  crypto map <Deleted> 10 ipsec-isakmp
   set peer 195.27.20.14
   set transform-set ge3vpn
   match address Router_2
  crypto map <Deleted> 20 ipsec-isakmp
   set peer 194.9.241.8
   set transform-set ge3vpn
   match address Router_1
   crypto map <Deleted>
  Router_2#
  ====================================
  Router_2#sh cry ip sa pe 195.27.20.14 | in caps
      #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
      #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
  Router_2#sh clock
  .15:10:33.296 UTC Thu Dec 25 2014
  Router_2#
  ========================
  Router_2#sh int Tu1
  Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
    Hardware is Tunnel
    Internet address is 3.85.129.142/30
    MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive set (10 sec), retries 3
    Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
     Tunnel Subblocks:
        src-track:
           Tunnel1 source tracking subblock associated with GigabitEthernet0/0
            Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1476 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 1w6d, output 00:00:02, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    30 second input rate 0 bits/sec, 0 packets/sec
    30 second output rate 0 bits/sec, 0 packets/sec
       1881547260 packets input, 956465296 bytes, 0 no buffer
       Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       1705198723 packets output, 2654132592 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  =============================
  Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
  Packet sent with a source address of 109.224.62.26
  Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
  Router_2#
  =========================

  Hello.
  First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
  Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
  Please provide full output "show crypto ipsec sa"
   from both sides.

• DIscussion on GRE Tunnel IPSec VPN

  I am looking for some good discussion topics on GRE Tunnel / IPSec / VPN for a beginner. I am sure there will be some good articles on Cisco Site. Can someone please point me some of these articles
  Alphonse

  this url should be a good one for your
  https://learningnetwork.cisco.com/docs/DOC-15048#comment-30627
  which helps in configuring,verifying and troubleshooting.

• IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

  Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally require only basic knowledge of networking principals.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private networks address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
  no aaa new-model
  ip cef
  ip dhcp excluded-address 10.10.10.1
  ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1 
   lease 0 2
  ip domain name yourdomain.com
  no ipv6 cef
  multilink bundle-name authenticated
  username cisco privilege 15 one-time secret 
  redundancy
  crypto isakmp policy 1
  encr 3des
  hash md5
   authentication pre-share
   group 2
  crypto isakmp key AbCdEf01294 address 99.101.15.99  
  crypto isakmp key AbCdEf01294 address 99.100.14.88 
  crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
  mode transport
  crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
   description Verizon Wireless Tunnel
   set peer 99.101.15.99
   set peer 99.100.14.88
   set transform-set VZW_TSET 
   match address VZW_VPN
  interface Tunnel1
   description GRE Tunnel to Verizon Wireless
   ip address 172.16.200.2 255.255.255.252
   tunnel source 22.20.19.18
   tunnel destination 99.101.15.99
  interface Tunnel2
  description GRE Tunnel 2 to Verizon Wireless
   ip address 172.16.200.6 255.255.255.252
   tunnel source 22.20.19.18
   tunnel destination 99.100.14.88
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
   ip address 10.10.10.1 255.255.255.248
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   ip address 192.168.11.1 255.255.255.0
   duplex auto
   speed auto
  interface GigabitEthernet0/2
   ip address 22.20.19.18 255.255.255.0
  duplex full
   speed 100
   crypto map VZW_VPNTUNNEL
  router bgp 65505
   bgp log-neighbor-changes
   network 0.0.0.0
   network 192.168.11.0
   neighbor 172.16.200.1 remote-as 6167
   neighbor 172.16.200.5 remote-as 6167
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip route 0.0.0.0 0.0.0.0 22.20.19.19
  ip access-list extended VZW_VPN
   permit gre host 99.101.15.99 host 22.20.19.18
   permit icmp host 99.101.15.99 host 22.20.19.18
   permit esp host 99.101.15.99 host 22.20.19.18
   permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
   permit gre host 22.20.19.18 host 99.101.15.99
   permit gre host 22.20.19.18 host 99.100.14.88
  access-list 23 permit 10.10.10.0 0.0.0.7
  control-plane
  end
  So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
  ip route 192.168.1.0 255.255.0.0 22.20.19.19
  That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
  Now for a couple of questions for those that are still actually hanging around.
  #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
  #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
  #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
   I actually have alot more questions, but I will keep reading for now.
  I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

  This post is a duplicate of this thread
  https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
  which has a response. I suggest that all discussion of this question be done through the other thread.
  HTH
  Rick

• Interface Bridging Into GRE Tunnel

  Hello all, I was wondering if it is still possible as I know it was never supported to bridge a layer 2 interface directly into a GRE tunnel. I have a customer that currently has a dedicated L2 circuit and a new L3 connection, he wants to move his L2 device to his L3 link to save money on circuits. The issue that I have is he does not want to change his IP addresses and the layer 2 network terminates in another location 20 miles away. The layer 3 routed network is also between both buildings and I can create a GRE tunnel between the 2 locations without touching the Internet. I have tried this using a 2921 router runnning IOS 15.4(2)T1 but the bridge-group command is not available on the GRE tunnel interface.
  I have also looked at pseudowire and cannot find the commands related to this, do I need to upgrade my license to security?
  Cheers
  Stuart

  It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
  Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
  Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
  1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
  2. Create bridge:
  router(config)#bridge 1 protocol ieee
  3. Create a GRE tunnel interface (dont configure IP's):
  router(config)# interface tun0
  router(config-if)# tun source loopback x
  router(config-if)# tun destination <other router loopback ip>
  router(config-if)# bridge-group 1
  **This is a hidden cmd. You will get a warning message, but ignore it**
  3. Attach Physical Interface to Bridge as well:
  router(config)# interface Fa0/0
  router(config-if)# bridge-group 1
  4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
  You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
  Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
  HTH

• How to setup GRE tunnel on a 3005

  Does the vpn3005 support GRE tunnels and how do I configure it? Reference paper will be fine.
  Thanks
  /Bent

  Yes, VPN 3005 concentrator should support GRE tunnels. Here are some configuration examples for the same.
  Configuring a GRE Tunnel over IPSec with OSPF
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml.
  For more such examples please refer to:
  http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

• WCCP Redirection on a GRE Tunnel

  For some of our smaller branch offices we run GRE tunnels through a secured IPSec VPN connection over the Internet. Will WCCP redirect work if configured on the GRE Tunnel interface?

  Hi,
  Yes, it will work.
  Regards,
  Erik
  Sent from Cisco Technical Support iPad App

• 887 ipsec+gre+ospf models and licenses

  I'm choosing router for brunch office among this models  - 887VA-SEC-K9 or 887VA-K9. I want this router to can IPSEC site-to-site, GRE-tunnels and OSPF. I read the datasheet but I haven't understood several things about this model so I can't choose a right model. The datasheet says that default software is Advanced Security Feature Set for all 887 routers which supports IPSEC and GRE. Then I don't understand what are differences between 887VA-SEC-K9 or 887VA-K9? What does the word "SEC" mean? The second things aren't understood - I want the router to support OSPF. The Advanced IP Services can do it but there is two options too - SL-880-AIS and L-SL-800-SEC-K9. What are differences between them?
  What should I choose to implement IPSEC-GRE-OSPF among this models and licenses?

  The ASR1004 router we can only send packets with a maximum MTU size of 1438 Bytes over the encrypted tunnel.

• Redirection on GRE tunnels

  I have implemented WCCP redirect on a serial interface I have. I also have a GRE tunnel interface sourced from that same serial interface.I would like to know the IOS order of operation for that GRE tunnel interface in regards to redirection. Do I have to specifically configure the "ip wccp redirect" command on the tunnel interafce or the command on the underlying serial interface would suffice?

  Hello Shiravani,
  You need to configure the "ip wccp redirect " on the GRE tunnel interface itself and not the serial interface ( if you want to redirect traffic coming out from the GRE tunnel ).
  The IOS order does not really apply on this case,the GRE tunnel is just like any other interface.( GRE/ipsec packets are handled by physical (WAN) interface.)
  I  also suggest to do a lab if any doubts or further questions before you making the changes.
  Hope this helps!
  Felix

• GRE Tunnel on cisco 831

  Hi ,
  Who can tell me how to config ipsec over GRE tunnel when remote side useing dynamic ip !
  Thanks!

  Cisco has introduced a feature designed to do exactly what you are asking. You can configure an IPSec VPN over GRE tunnel where the remote has dynamic IP using the feature of Dynamic Multipoint VPN (DMVPN).
  The key concept here is that the remote side must initiate the tunnel to the central side. In the message requesting the tunnel the remote indicates what address the central should use as the tunnel destination.
  I have configured it in the lab and it worked pretty well. I have not yet used it in a production environment.
  This URL should help you get started with this:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html
  HTH
  Rick

• Bridging over GRE tunnel

  Dear expert,
  Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
  --ran

  It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
  Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
  Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
  1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
  2. Create bridge:
  router(config)#bridge 1 protocol ieee
  3. Create a GRE tunnel interface (dont configure IP's):
  router(config)# interface tun0
  router(config-if)# tun source loopback x
  router(config-if)# tun destination <other router loopback ip>
  router(config-if)# bridge-group 1
  **This is a hidden cmd. You will get a warning message, but ignore it**
  3. Attach Physical Interface to Bridge as well:
  router(config)# interface Fa0/0
  router(config-if)# bridge-group 1
  4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
  You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
  Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
  HTH