Step 1: Setting GRE Tunnel between Cisco router and HP router
Cisco router: 851 or 3845
Configure Tunnel:
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.2
tunnel destination 23.1.1.2
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
HP or Huawei router: AR1220 or MSR900 series
Configure Tunnel:
interface Tunnel0/0/0
tunnel-protocol gre
source 23.1.1.2
destination 12.1.1.2
#
Routing:
rip 1
undo summary
version 2
network 172.16.0.0
network 10.0.0.0
#
=========================================
Results after completing the tunnel:
Ping successful!
R1#ping 172.16.1.1 so loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HP router:
#
acl number 3000
rule 10 permit gre source 12.1.1.2 0 destination 23.1.1.2 0
#
ipsec proposal trans
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike peer cisco
pre-shared-key cisco
ike-proposal 1
remote-address 23.1.1.2
#
ipsec policy map 1 isakmp
security acl 3000
ike-peer cisco
proposal trans
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
ipsec policy map
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 10.1.1.1 255.255.255.252
tunnel-protocol gre
source 12.1.1.2
destination 23.1.1.2
#
rip 1
undo summary
version 2
network 10.0.0.0
network 192.168.1.0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
#
return
================================================
Cisco router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.2
!
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto map map 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set trans
match address 100
!
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
tunnel source 23.1.1.2
tunnel destination 12.1.1.2
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet3
!
interface FastEthernet4
ip address 23.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map map
router rip
version 2
network 10.0.0.0
network 172.16.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.1.1.1
!
no ip http server
no ip http secure-server
!
access-list 100 permit gre host 23.1.1.2 host 12.1.1.2
!
end
==================================================
Results after completing the configuration:
Cisco#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
12.1.1.2 23.1.1.2 MM_NO_STATE 0 9
------------------------------------------------------------------------
[Huawei]dis ips sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 12.1.1.2
Tunnel remote : 23.1.1.2
[Outbound ESP SAs]
SPI: 96254068 (0x5bcb874)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436164/3538
Max sent sequence-number: 6
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 86227265 (0x523b941)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436068/3538
Max received sequence-number: 7
UDP encapsulation used for NAT traversal: N
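An added example, not part of the original post: a Python check over the IPsec-related lines of the two configurations above. It lists the legacy algorithms each side names (3DES, SHA-1, DH group 2) and verifies that the two GRE crypto ACLs mirror each other and that each IKE peer address is that side's ACL destination. The function names and the choice of what counts as legacy are assumptions of this example; settings left at a platform default, such as the IKE hash here, do not appear in the text and are not seen by it.

```python
import re
# IPsec-related lines excerpted from the two configurations above.
HUAWEI = """\
acl number 3000
 rule 10 permit gre source 12.1.1.2 0 destination 23.1.1.2 0
ipsec proposal trans
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
ike peer cisco
 remote-address 23.1.1.2
"""
CISCO = """\
crypto isakmp policy 10
 encr 3des
 group 2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto map map 1 ipsec-isakmp
 set peer 12.1.1.2
access-list 100 permit gre host 23.1.1.2 host 12.1.1.2
"""
# Legacy settings to flag; this policy is an assumption of the example.
LEGACY = {"3DES": r"\b3des\b", "SHA-1": r"\bsha1\b|\besp-sha-hmac\b", "DH group 2": r"\bgroup ?2\b"}

def legacy_settings(config):
    """Return sorted labels of the legacy algorithms named in a config."""
    return sorted(k for k, pat in LEGACY.items() if re.search(pat, config))

def selector(config):
    """Return (source, destination) of the GRE crypto ACL, either syntax."""
    m = (re.search(r"permit gre host (\S+) host (\S+)", config)
         or re.search(r"permit gre source (\S+) 0 destination (\S+) 0", config))
    return m.groups() if m else None

def peer(config):
    """Return the IKE peer address ('set peer' or 'remote-address')."""
    m = re.search(r"(?:set peer|remote-address) (\S+)", config)
    return m.group(1) if m else None

def tunnel_consistent(a, b):
    """True if the ACLs mirror each other and each peer is its ACL destination."""
    sa, sb = selector(a), selector(b)
    return bool(sa and sb) and sa == sb[::-1] and peer(a) == sa[1] and peer(b) == sb[1]

if __name__ == "__main__":
    print(legacy_settings(CISCO), legacy_settings(HUAWEI), tunnel_consistent(CISCO, HUAWEI))
```

A mismatch in the mirrored ACLs or in the peer addresses makes `tunnel_consistent` return False, which is worth checking before debugging the IKE negotiation itself.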
1 comment:
Please label this as Comware5 only.