If you’ve ever needed to set up a GRE-over-IPSec tunnel between a Palo Alto firewall and a Cisco router, you’ve probably noticed the documentation is thin on the ground — especially when it comes to interoperability between the two platforms. I recently went through this exercise between a PA-VM (PAN-OS 11.2.5) and a Cisco CSRv-8000 (IOS-XE 17.16.1a) and learned some things the hard way.
The Goal
Replicate a production pattern where a customer device connects to a target router using GRE tunnels encapsulated inside IPSec — the same architecture used in financial trading networks where encrypted, routed tunnels carry sensitive traffic between sites.
The reference design uses:
- IPSec as the outer encryption layer (ESP, transport mode)
- GRE (protocol 47) as the inner encapsulation, creating a routed point-to-point tunnel
- Loopback addresses as the tunnel endpoints for both GRE and IPSec
- BGP or static routes running over the GRE tunnel for overlay routing
The Topology
On the wire, each packet is an outer IP header (loopback to loopback) followed by ESP in transport mode, which protects a GRE header and the inner IP packet from the overlay.
The Cisco Side: Full Configuration
Cisco IOS-XE handles GRE-over-IPSec with two separate, well-understood constructs: a GRE tunnel interface and a crypto map on the physical interface.
Interfaces
interface Loopback0
description -Loopback for GRE Tunnel Termination-
ip address 192.168.50.50 255.255.255.255
interface Tunnel0
ip address 192.168.75.109 255.255.255.252
ip mtu 1408
ip tcp adjust-mss 1360
tunnel source 192.168.50.50
tunnel destination 172.20.1.20
no keepalive
interface GigabitEthernet1
ip address 10.21.0.2 255.255.255.0
no ip redirects
no ip proxy-arp
negotiation auto
crypto map CMAP-VPN
Key points:
- Loopback0 is the GRE tunnel source and IKE identity
- Tunnel0 is the GRE tunnel interface with the overlay IP; `no keepalive` is required because PAN-OS doesn't echo Cisco GRE keepalives
- GigabitEthernet1 has the crypto map applied; this is where IPSec encryption happens
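As an added example (not from the post), a small Python model of the per-packet overhead that explains where tunnel values like `ip mtu 1408` and `ip tcp adjust-mss 1360` come from, and what tunnel mode would have cost on top. Header sizes are the standard ESP, GRE and IPv4 values; the assumption that GRE runs without key or sequence options is mine.

```python
"""Added example (not from the original post): GRE-over-IPsec size arithmetic.

Models the on-wire packet the post describes:
  outer IP | ESP header | IV | [GRE | inner IP packet] | pad | padlen | next-hdr | ICV
(tunnel mode encrypts a second IP header inside ESP). Byte sizes follow
RFC 4303/4106/4868 and RFC 2784 (4-byte GRE header, no key/sequence option).
"""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
GRE_HDR = 4          # RFC 2784 GRE without key/seq/checksum (assumed, as on the post's Tunnel0)
TCP_IP_HDRS = 40     # IPv4 (20) + TCP (20), used to derive the MSS clamp

# Per-cipher parameters: (IV length, ICV length, padding alignment).
# aes-256-cbc + sha256 HMAC: 16-byte IV, 128-bit truncated ICV, 16-byte blocks.
# aes-256-gcm (also in the PAN-OS proposal): 8-byte IV, 16-byte ICV, 4-byte ESP alignment.
CIPHERS = {
    "aes-256-cbc/sha256": (16, 16, 16),
    "aes-256-gcm": (8, 16, 4),
}


def esp_size(payload_len: int, cipher: str) -> int:
    """Bytes ESP occupies around a payload of payload_len, excluding the outer IP header."""
    iv, icv, align = CIPHERS[cipher]
    body = payload_len + ESP_TRAILER           # payload + pad-length + next-header
    padded = -(-body // align) * align         # round up to the cipher's alignment
    return ESP_HDR + iv + padded + icv


def wire_size(inner_len: int, cipher: str, mode: str = "transport") -> int:
    """Total on-wire IPv4 length for an inner packet of inner_len bytes entering the tunnel."""
    gre_packet = GRE_HDR + inner_len
    if mode == "tunnel":
        # Tunnel mode protects the whole GRE/IP packet and prepends a fresh IP header.
        return IP_HDR + esp_size(IP_HDR + gre_packet, cipher)
    # Transport mode keeps the GRE packet's own IP header (loopback to loopback) outside ESP.
    return IP_HDR + esp_size(gre_packet, cipher)


def max_inner_mtu(link_mtu: int, cipher: str, mode: str = "transport") -> int:
    """Largest inner packet that fits on a link of link_mtu bytes without fragmentation."""
    inner = link_mtu
    while wire_size(inner, cipher, mode) > link_mtu:
        inner -= 1
    return inner


@dataclass
class TunnelSizing:
    ip_mtu: int
    tcp_mss: int


def recommend(link_mtu: int = 1500, cipher: str = "aes-256-cbc/sha256",
              mode: str = "transport", headroom: int = 0) -> TunnelSizing:
    """Tunnel 'ip mtu' and 'ip tcp adjust-mss' values; headroom reserves extra bytes
    (for example 8 bytes if a GRE key and sequence number are ever enabled)."""
    mtu = max_inner_mtu(link_mtu, cipher, mode) - headroom
    return TunnelSizing(ip_mtu=mtu, tcp_mss=mtu - TCP_IP_HDRS)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        s = recommend(mode=mode)
        print(f"{mode:9s} aes-256-cbc/sha256: ip mtu {s.ip_mtu}, adjust-mss {s.tcp_mss}")
    # The post's 1408-byte tunnel MTU leaves room under a 1500-byte physical link:
    print("1408-byte inner packet on the wire:", wire_size(1408, "aes-256-cbc/sha256"))
```

The post's 1408/1360 pair sits about 26 bytes below the computed transport-mode ceiling, which is enough to absorb GRE key and sequence options or IP options should they appear later.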
IKE and IPSec
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set TS-GRE-TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
crypto map CMAP-VPN local-address Loopback0
crypto map CMAP-VPN 10 ipsec-isakmp
set peer 172.20.1.20
set transform-set TS-GRE-TRANSPORT
match address ACL-ENCRYPT-GRE
ip access-list extended ACL-ENCRYPT-GRE
permit gre host 192.168.50.50 host 172.20.1.20
The critical details:
- The transform set uses `mode transport`, not tunnel mode (the default). Transport mode is correct for GRE-over-IPSec because GRE already provides the outer IP header. Using tunnel mode here was the original cause of the Phase 2 failure (NO-PROPOSAL-CHOSEN).
- `crypto map CMAP-VPN local-address Loopback0` sources IKE from the loopback; the PAN-OS equivalent is the IKE gateway `local-address` setting.
- The ACL matches only GRE (protocol 47) between the loopback addresses. This is the interesting-traffic selector: only GRE gets encrypted, everything else passes in cleartext.
Routing
ip route 0.0.0.0 0.0.0.0 10.21.0.1
ip route 172.20.1.20 255.255.255.255 10.21.0.1
The static route for 172.20.1.20 (PAN-OS loopback) points to the physical next-hop. This must stay on the physical underlay — routing it through Tunnel0 would create a recursive dependency.
BGP
router bgp 65001
bgp router-id 192.168.50.50
bgp log-neighbor-changes
network 10.21.0.0 mask 255.255.255.0
network 192.168.50.50 mask 255.255.255.255
neighbor 192.168.75.110 remote-as 65002
BGP peers with the PAN-OS tunnel IP (192.168.75.110), meaning the TCP session traverses GRE-over-IPSec. Cisco advertises its loopback and connected network.
The PAN-OS Side: Full Configuration
What I Tried First (and Failed)
My initial approach was to mirror the Cisco architecture: create a standalone GRE tunnel under Network > GRE Tunnels (available since PAN-OS 9.0) and a separate IPSec tunnel for encryption:
set network tunnel gre gre-to-cisco tunnel-interface tunnel.10
set network tunnel gre gre-to-cisco local-address interface loopback.100
set network tunnel gre gre-to-cisco peer-address ip 192.168.50.50
Every commit failed with:
Error: tunnel configuration error
(Module: device)
client device phase 1 failure
I tested exhaustively — multiple tunnel interfaces, minimal configs, different zone assignments. The management plane accepted the syntax, but the data plane rejected it at commit time.
Root Cause: PA-VM Doesn't Support Standalone GRE
PAN-OS GRE tunnels (Network > GRE Tunnels) are only supported on hardware platforms — PA-3200, PA-5200, PA-7000 series, and newer. PA-VM does not support this feature.
This is documented in the PAN-OS networking features compatibility matrix, though it’s easy to miss since the CLI and Web UI still expose the GRE configuration options.
Takeaway: If you’re labbing GRE tunnels on a PA-VM, standalone GRE won’t work. The config parses but the commit always fails.
What Actually Works: enable-gre-encapsulation on the IPSec Tunnel
PAN-OS provides an alternative: the enable-gre-encapsulation yes flag on the IPSec tunnel. This combines GRE and IPSec into a single tunnel construct.
Interfaces
set network interface ethernet ethernet1/3 layer3 ip 10.21.0.1/24
set network interface loopback units loopback.100 ip 172.20.1.20/32
set network interface tunnel units tunnel.10 ip 192.168.75.110/30
set network interface tunnel units tunnel.10 mtu 1408
- ethernet1/3 is the physical underlay link to Cisco
- loopback.100 is the IKE/GRE endpoint identity (equivalent to Cisco’s Loopback0)
- tunnel.10 is the combined GRE+IPSec tunnel interface with the overlay IP
All three interfaces are in the wan zone:
set vsys vsys1 zone wan network layer3 [ ethernet1/3 tunnel.10 loopback.100 ]
IKE Gateway
set network ike gateway cisco-ike-gw authentication pre-shared-key
set network ike gateway cisco-ike-gw protocol version ikev1
set network ike gateway cisco-ike-gw protocol ikev1 exchange-mode main
set network ike gateway cisco-ike-gw protocol ikev1 ike-crypto-profile cisco-ike-phase1-prof
set network ike gateway cisco-ike-gw local-address interface loopback.100
set network ike gateway cisco-ike-gw local-address ip 172.20.1.20/32
set network ike gateway cisco-ike-gw peer-address ip 192.168.50.50
set network ike gateway cisco-ike-gw local-id id 172.20.1.20 type ipaddr
set network ike gateway cisco-ike-gw peer-id id 192.168.50.50 type ipaddr
The local-address on loopback.100 is the PAN-OS equivalent of Cisco’s crypto map local-address Loopback0.
IKE Crypto Profile (Phase 1)
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof hash sha256
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof dh-group group14
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof encryption [ aes-256-cbc aes-128-cbc ]
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof lifetime days 1
IPSec Crypto Profile (Phase 2)
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp encryption [ aes-256-cbc aes-128-cbc aes-256-gcm ]
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof dh-group no-pfs
IPSec Tunnel (with GRE Encapsulation)
set network tunnel ipsec ipsec-tun-to-cisco tunnel-interface tunnel.10
set network tunnel ipsec ipsec-tun-to-cisco ipsec-mode transport
set network tunnel ipsec ipsec-tun-to-cisco enable-gre-encapsulation yes
set network tunnel ipsec ipsec-tun-to-cisco anti-replay no
set network tunnel ipsec ipsec-tun-to-cisco auto-key ike-gateway cisco-ike-gw
set network tunnel ipsec ipsec-tun-to-cisco auto-key ipsec-crypto-profile cisco-ipsec-phase2-prof
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco protocol number 47
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco local 172.20.1.20
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco remote 192.168.50.50
This is the core of the PA-VM approach:
- `ipsec-mode transport` matches Cisco's `mode transport` on the transform set
- `enable-gre-encapsulation yes` makes PAN-OS add a GRE header to all traffic entering tunnel.10
- The proxy-ID with protocol 47 is the equivalent of Cisco's `permit gre` ACL; it tells both sides the SA carries GRE
- The tunnel interface gets the overlay IP and serves as both the GRE and IPSec endpoint
Routing
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 destination 192.168.50.50/32
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 interface ethernet1/3
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 nexthop ip-address 10.21.0.2
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 metric 10
Same as Cisco — the remote loopback route stays on the physical underlay.
BGP
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 172.20.1.20
set network virtual-router default protocol bgp local-as 65002
set network virtual-router default protocol bgp peer-group cisco-peer enable yes
set network virtual-router default protocol bgp peer-group cisco-peer type ebgp import-nexthop original
set network virtual-router default protocol bgp peer-group cisco-peer type ebgp export-nexthop resolve
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 enable yes
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-as 65001
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-address ip 192.168.75.109
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address interface tunnel.10
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address ip 192.168.75.110/30
set network virtual-router default protocol bgp redist-rules connected-routes enable yes
set network virtual-router default protocol bgp redist-rules connected-routes address-family-identifier ipv4
set network virtual-router default protocol redist-profile connected-routes filter type connect
set network virtual-router default protocol redist-profile connected-routes priority 1
set network virtual-router default protocol redist-profile connected-routes action redist
BGP peers using the tunnel overlay IPs. PAN-OS redistributes connected routes into BGP.
Security Policy
set vsys vsys1 rulebase security rules default-rule to any from any source any destination any application any service any action allow
A permissive lab rule — in production you’d scope this to specific zones and applications.
Proving GRE Is Working: Cisco Tunnel0 as the Signal
The Cisco Tunnel0 interface being UP/UP is the definitive proof that GRE is working. Tunnel0 is a pure GRE interface — it only processes GRE-encapsulated packets. For it to receive traffic, valid GRE packets must arrive from the expected source.
After clearing counters and sending a single ping across the tunnel:
=== BEFORE ===
IPSec SA: #pkts encaps: 0, #pkts decaps: 0
Tunnel0: 0 packets input, 0 packets output
=== AFTER 1 PING ===
IPSec SA: #pkts encaps: 1, #pkts decaps: 1
Tunnel0: 1 packets input, 1 packets output
Both counters increment in lockstep — IPSec encrypted/decrypted one GRE packet each way, and Tunnel0 processed one GRE-encapsulated payload each way.
The IPSec SA confirms what’s being encrypted:
local ident: (192.168.50.50/255.255.255.255/47/0) ← protocol 47 = GRE
remote ident: (172.20.1.20/255.255.255.255/47/0)
transform: esp-256-aes esp-sha256-hmac
in use settings = {Transport}
During early testing when IPSec Phase 2 hadn’t negotiated yet, Cisco logged:
%IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet,
dest_addr=192.168.50.50, src_addr=172.20.1.20, prot=47
This confirms PAN-OS was sending GRE (protocol 47) packets even before IPSec was up — proving enable-gre-encapsulation generates real GRE packets.
BGP Over the Tunnel
eBGP was established using the tunnel overlay IPs to prove routing protocols work over GRE-over-IPSec. The BGP TCP session itself (port 179) traverses the encrypted GRE tunnel.
PAN-OS (AS 65002):
Peer 192.168.75.109: Established
Prefixes received: 2 (192.168.50.50/32, 10.21.0.0/24)
Prefixes sent: 4 (connected routes)
Cisco (AS 65001):
Neighbor 192.168.75.110: Established
Prefixes received: 4 (10.20.0.0/24, 10.21.0.0/24, 172.29.129.0/24, 192.168.75.108/30)
Prefixes sent: 2
Gotchas and Lessons Learned
IPSec mode mismatch kills Phase 2. The original Cisco config used tunnel mode (the IOS default for transform sets). PAN-OS was set to transport mode. This caused every Phase 2 attempt to fail with NO-PROPOSAL-CHOSEN. Both sides must agree — transport mode is correct for GRE-over-IPSec.
GRE keepalives don’t interop. Cisco GRE keepalives are Cisco-proprietary echo packets. PAN-OS doesn’t respond to them, so Cisco Tunnel0 goes to UP/DOWN. Use no keepalive on the Cisco side and PAN-OS tunnel monitoring (with a destination IP) if you need health checking.
Underlay routing must stay physical. The loopback addresses are the GRE/IPSec tunnel endpoints. Routing them through the tunnel creates a recursive dependency — the tunnel needs those IPs to function. Overlay subnets go through the tunnel; endpoint reachability stays on the physical link.
PA-VM GRE limitation is silent. The PAN-OS CLI and Web UI expose GRE tunnel configuration on PA-VM even though it’s not supported. The config parses cleanly — the error only appears at commit time. Check the platform compatibility matrix before planning your architecture.
Platform Comparison
| Aspect | Cisco IOS-XE | PAN-OS PA-VM |
|---|---|---|
| GRE tunnel | Standalone interface Tunnel0 | Not supported (enable-gre-encapsulation on IPSec instead) |
| IPSec | Crypto map on physical interface | Route-based VPN with proxy-ID |
| Mode | Transport (explicit mode transport) | Transport (explicit ipsec-mode transport) |
| Interesting traffic | ACL: permit gre host <lo> host <lo> | Proxy-ID: protocol 47 between loopbacks |
| IKE source | crypto map local-address Loopback0 | IKE gateway local-address loopback.100 |
| Routing over tunnel | Works (BGP, static) | Works (BGP, static, redistributed connected) |
| GRE keepalive | Supported (but disabled for interop) | Not supported (use tunnel monitoring) |
The setup works well once you know the PA-VM limitation. The enable-gre-encapsulation flag produces wire-compatible packets, and the Cisco side is none the wiser.
Appendix A: Full PAN-OS PA-VM Configuration (set commands)
Exported directly from the PAN-OS CLI via `set cli config-output-format set` followed by `show` in configure mode. Authentication credentials and default boilerplate profiles have been excluded.
set deviceconfig system type static
set deviceconfig system timezone Asia/Riyadh
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname LAB-FW
set deviceconfig system ip-address 192.168.100.63
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 192.168.100.3
set deviceconfig system dns-setting servers primary 1.1.1.1
set deviceconfig system dns-setting servers secondary 1.0.0.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address sa.pool.ntp.org
set deviceconfig system ntp-servers primary-ntp-server authentication-type none
set network interface ethernet ethernet1/1 layer3 interface-management-profile ping-only
set network interface ethernet ethernet1/2 layer3 ip 10.20.0.1/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile ping-only
set network interface ethernet ethernet1/3 layer3 ip 10.21.0.1/24
set network interface ethernet ethernet1/3 layer3 interface-management-profile ping-only
set network interface tunnel units tunnel.10 comment "GRE over IPSec Tunnel"
set network interface tunnel units tunnel.10 interface-management-profile ping-only
set network interface tunnel units tunnel.10 mtu 1408
set network interface tunnel units tunnel.10 ip 192.168.75.110/30
set network interface tunnel units tunnel.20 comment "Outer IPSec Tunnel"
set network interface loopback units loopback.100 ip 172.20.1.20/32
set network interface loopback units loopback.100 interface-management-profile ping-only
set network interface loopback units loopback.100 comment "Loopback customer side "
set network profiles interface-management-profile ping-only ping yes
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof hash sha256
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof dh-group group14
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof encryption [ aes-256-cbc aes-128-cbc ]
set network ike crypto-profiles ike-crypto-profiles cisco-ike-phase1-prof lifetime days 1
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof esp encryption [ aes-256-cbc aes-128-cbc aes-256-gcm ]
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles cisco-ipsec-phase2-prof lifesize mb 450
set network ike gateway cisco-ike-gw protocol ikev1 dpd enable no
set network ike gateway cisco-ike-gw protocol ikev1 ike-crypto-profile cisco-ike-phase1-prof
set network ike gateway cisco-ike-gw protocol ikev1 exchange-mode main
set network ike gateway cisco-ike-gw protocol version ikev1
set network ike gateway cisco-ike-gw local-address ip 172.20.1.20/32
set network ike gateway cisco-ike-gw local-address interface loopback.100
set network ike gateway cisco-ike-gw protocol-common nat-traversal enable no
set network ike gateway cisco-ike-gw protocol-common fragmentation enable no
set network ike gateway cisco-ike-gw peer-address ip 192.168.50.50
set network ike gateway cisco-ike-gw local-id id 172.20.1.20
set network ike gateway cisco-ike-gw local-id type ipaddr
set network ike gateway cisco-ike-gw peer-id id 192.168.50.50
set network ike gateway cisco-ike-gw peer-id type ipaddr
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp routing-options graceful-restart enable yes
set network virtual-router default protocol bgp router-id 172.20.1.20
set network virtual-router default protocol bgp local-as 65002
set network virtual-router default protocol bgp peer-group cisco-peer enable yes
set network virtual-router default protocol bgp peer-group cisco-peer type ebgp import-nexthop original
set network virtual-router default protocol bgp peer-group cisco-peer type ebgp export-nexthop resolve
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-as 65001
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address interface tunnel.10
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 local-address ip 192.168.75.110/30
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 enable yes
set network virtual-router default protocol bgp peer-group cisco-peer peer 192.168.75.109 peer-address ip 192.168.75.109
set network virtual-router default protocol bgp redist-rules connected-routes enable yes
set network virtual-router default protocol bgp redist-rules connected-routes address-family-identifier ipv4
set network virtual-router default protocol redist-profile connected-routes filter type connect
set network virtual-router default protocol redist-profile connected-routes priority 1
set network virtual-router default protocol redist-profile connected-routes action redist
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 loopback.100 tunnel.10 tunnel.20 ]
set network virtual-router default ecmp algorithm ip-modulo
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 nexthop ip-address 10.21.0.2
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 interface ethernet1/3
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 destination 192.168.50.50/32
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 metric 10
set network virtual-router default routing-table ip static-route demo-tdwl-lo0-192.168.50.50 route-table unicast
set network tunnel ipsec ipsec-tun-to-cisco auto-key ike-gateway cisco-ike-gw
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco protocol number 47
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco local 172.20.1.20
set network tunnel ipsec ipsec-tun-to-cisco auto-key proxy-id gre-to-cisco remote 192.168.50.50
set network tunnel ipsec ipsec-tun-to-cisco auto-key ipsec-crypto-profile cisco-ipsec-phase2-prof
set network tunnel ipsec ipsec-tun-to-cisco tunnel-monitor enable no
set network tunnel ipsec ipsec-tun-to-cisco tunnel-monitor destination-ip 192.168.75.109
set network tunnel ipsec ipsec-tun-to-cisco tunnel-interface tunnel.10
set network tunnel ipsec ipsec-tun-to-cisco ipsec-mode transport
set network tunnel ipsec ipsec-tun-to-cisco enable-gre-encapsulation yes
set network tunnel ipsec ipsec-tun-to-cisco anti-replay no
set zone untrust network layer3 ethernet1/1
set zone internal-net network layer3 ethernet1/2
set zone wan network layer3 [ ethernet1/3 tunnel.10 loopback.100 tunnel.20 ]
set rulebase security rules default-rule to any
set rulebase security rules default-rule from any
set rulebase security rules default-rule source any
set rulebase security rules default-rule destination any
set rulebase security rules default-rule source-user any
set rulebase security rules default-rule category any
set rulebase security rules default-rule saas-user-list any
set rulebase security rules default-rule saas-tenant-list any
set rulebase security rules default-rule application any
set rulebase security rules default-rule service any
set rulebase security rules default-rule source-hip any
set rulebase security rules default-rule destination-hip any
set rulebase security rules default-rule action allow
set rulebase security rules default-rule log-start no
set rulebase security rules default-rule log-end yes
set rulebase nat rules outbound-nat-to-untrust source-translation persistent-dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules outbound-nat-to-untrust to untrust
set rulebase nat rules outbound-nat-to-untrust from [ internal-net wan ]
set rulebase nat rules outbound-nat-to-untrust source any
set rulebase nat rules outbound-nat-to-untrust destination any
set rulebase nat rules outbound-nat-to-untrust service any
set import network interface [ ethernet1/1 ethernet1/2 ethernet1/3 tunnel.10 loopback.100 tunnel.20 ]
Appendix B: Full Cisco IOS-XE CSRv-8000 Configuration
Exported from show running-config. Authentication credentials, PKI certificates, and unused transform sets have been excluded.
hostname csr-rtr
!
vrf definition MGMT
description Out-of-Band Management
address-family ipv4
exit-address-family
!
logging buffered 16384
logging persistent filesize 2000000
no logging console
!
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
! crypto isakmp key <REDACTED> address 172.20.1.20
!
crypto ipsec transform-set TS-GRE-TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto map CMAP-VPN local-address Loopback0
crypto map CMAP-VPN 10 ipsec-isakmp
set peer 172.20.1.20
set transform-set TS-GRE-TRANSPORT
match address ACL-ENCRYPT-GRE
!
interface Loopback0
description -Loopback for GRE Tunnel Termination-
ip address 192.168.50.50 255.255.255.255
!
interface Tunnel0
ip address 192.168.75.109 255.255.255.252
ip mtu 1408
ip tcp adjust-mss 1360
tunnel source 192.168.50.50
tunnel destination 172.20.1.20
no keepalive
!
interface GigabitEthernet1
ip address 10.21.0.2 255.255.255.0
no ip redirects
no ip proxy-arp
negotiation auto
crypto map CMAP-VPN
!
! GigabitEthernet2-7: shutdown (unused)
!
interface GigabitEthernet8
description MANAGEMENT_ONLY
vrf forwarding MGMT
ip address 192.168.100.163 255.255.255.0
ip access-group ACL-MGMT-IN in
negotiation auto
!
router bgp 65001
bgp router-id 192.168.50.50
bgp log-neighbor-changes
network 10.21.0.0 mask 255.255.255.0
network 192.168.50.50 mask 255.255.255.255
neighbor 192.168.75.110 remote-as 65002
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.21.0.1
ip route 172.20.1.20 255.255.255.255 10.21.0.1
ip route vrf MGMT 0.0.0.0 0.0.0.0 192.168.100.1
ip ssh bulk-mode 131072
!
ip access-list extended ACL-ENCRYPT-GRE
10 permit gre host 192.168.50.50 host 172.20.1.20
!
ip access-list extended ACL-MGMT-IN
10 remark Allow SSH specifically to the MGMT interface IP
10 permit tcp any host 192.168.100.163 eq 22
20 remark Allow Ping to the interface (Optional)
20 permit icmp any host 192.168.100.163 echo
30 permit icmp any host 192.168.100.163 echo-reply
40 remark Deny and log everything else
40 deny ip any any log
!
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
end