Router/NE20E-S2F (V800R008C10SPC500): Can't establish GRE over IPsec between NE20 and AR201

Publication Date: 2019-07-11

Issue Description

Version information

Network topology diagram


Configuration script

None (the customer wants to configure GRE over IPsec between the NE20 and the AR).

Failure phenomenon

The customer needs a configuration example.


Handling Process

The customer wants a configuration example.

The configuration was tested in the laboratory and, once the test succeeded, sent to the customer.

Configuration provided to the customer (NE device):

service-location 1
 location slot 3
service-instance-group 1
 service-location 1

acl number 3002
 rule 10 permit ip vpn-instance XXXXX source 0 destination 0     // Because you want to test with ping, permit "ip", not only "gre". The rule must also include "vpn-instance ArCaTemp".

ike proposal 41
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-512
 integrity-algorithm hmac-sha2-256

ike peer test1
 pre-shared-key cipher xxxxx
 ike-proposal 41
 undo version 2
 remote-address vpn-instance XXXXX
 sa binding vpn-instance XXXXX    // The command "sa binding vpn-instance XXXXX" must be added here.

ipsec proposal test1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256

ipsec policy test2 1 isakmp
 security acl 3002
 ike-peer test1
 proposal test1

interface GigabitEthernet0/3/13
 undo shutdown
 ip binding vpn-instance XXXXX
 ip address
 undo dcn
 binding tunnel ipsec

interface LoopBack2
 ip binding vpn-instance XXXXX
 ip address
 target-board 3
 binding tunnel gre

interface Tunnel3/0/1
 ip address
 tunnel-protocol gre
 source LoopBack2
 destination vpn-instance XXXXX

interface Tunnel3/3/1
 ip binding vpn-instance XXXXX
 ip address unnumbered interface GigabitEthernet0/3/13
 tunnel-protocol ipsec
 ipsec policy test2 service-instance-group 1

ip route-static vpn-instance ArCaTemp Tunnel3/3/1  // The outbound interface here must be Tunnel3/3/1, not GigabitEthernet0/3/13.
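
The three corrections annotated in the NE configuration above (ACL protocol and VPN instance, SA binding on the IKE peer, outbound interface of the static route) can be checked mechanically before a config is deployed. The Python check below is an added example, not part of the original case or of any Huawei tool; the sample config, the VPN instance name VPN_A and all addresses are constructed placeholders, and it assumes child commands are indented under their parent view.

```python
import re
# Constructed sample (not from the page): VPN_A and all addresses are placeholders.
SAMPLE = """\
acl number 3002
 rule 10 permit gre vpn-instance VPN_A source 10.0.0.1 0 destination 10.0.0.2 0
ike peer test1
 remote-address vpn-instance VPN_A 192.0.2.2
ipsec policy test2 1 isakmp
 security acl 3002
interface GigabitEthernet0/3/13
 binding tunnel ipsec
ip route-static vpn-instance VPN_A 10.0.0.2 255.255.255.255 GigabitEthernet0/3/13 192.0.2.2
"""

def parse(text):
    """Group a VRP-style config into {top-level line: [indented child lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].rstrip()        # drop trailing // annotations
        if line[:1].isspace() and current:
            stanzas[current].append(line.strip())
        elif line:
            current = line.strip()
            stanzas[current] = []
    return stanzas

def audit(text):
    """Return one finding per violation of the three annotated corrections."""
    cfg, findings = parse(text), []
    # 1. The ACL referenced by the IPsec policy must permit "ip" inside the VPN instance.
    acls = {c.split()[-1] for h, cs in cfg.items() if h.startswith("ipsec policy")
            for c in cs if c.startswith("security acl")}
    for n in sorted(acls):
        for rule in cfg.get(f"acl number {n}", []):
            m = re.match(r"rule \d+ permit (\S+)", rule)
            if m and (m.group(1) != "ip" or "vpn-instance" not in rule):
                findings.append(f"acl {n}: permit ip with vpn-instance expected: {rule}")
    # 2. An IKE peer reached through a VPN instance needs a matching "sa binding".
    for h, cs in cfg.items():
        vpn = [c.split()[2] for c in cs if c.startswith("remote-address vpn-instance")]
        if h.startswith("ike peer") and vpn and f"sa binding vpn-instance {vpn[0]}" not in cs:
            findings.append(f"{h}: missing sa binding vpn-instance {vpn[0]}")
    # 3. VPN routes must not leave through the physical interface bound to IPsec.
    phys = {h.split()[1] for h, cs in cfg.items()
            if h.startswith("interface ") and "binding tunnel ipsec" in cs}
    for h in cfg:
        if h.startswith("ip route-static vpn-instance") and phys & set(h.split()):
            findings.append(f"route uses physical interface, not the IPsec tunnel: {h}")
    return findings
```

Calling audit(SAMPLE) returns three findings, one per annotation; a config with all three corrections applied returns an empty list.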