GRE over IPSEC between Juniper and Cisco Router

This caused headaches because it needed slightly different configuration from the usual setup. The cause of things sort-of-but-not-quite-working was that ip mtu had not been set.

Normally with Cisco to Cisco over IPSEC we'd add "ip tcp adjust-mss 1392" to the Tunnel interfaces on either side.

This is the config that worked in the end.

GRE Juniper router side
=======================

interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 192.168.255.1/32;
            }
        }
    }

    gr-1/1/10 {
        unit 2 {
            clear-dont-fragment-bit;
            description "-= Gre Tunnel to Remote Office =-";
            tunnel {
                source 192.168.255.1;
                destination 192.168.255.2;
            }
            family inet {
                mtu 1400;
                address 10.0.0.2/30;
            }
        }
    }
}

routing-options {
    static {
        route 192.168.255.2/32 next-hop [IPSEC FW Addr];
    }
}


---------


GRE Cisco Side
==============

interface Loopback1
 description * Loopback for GRE Tunnel source/endpoint *
 ip address 192.168.255.2 255.255.255.255


interface Tunnel2
 description * GRE Tunnel to Juniper GR-1/1/10.2 *
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 load-interval 30
 tunnel source Loopback1
 tunnel destination 192.168.255.1
 hold-queue 2000 in
 hold-queue 2000 out

! Route GRE endpoint via IPSEC FW
ip route 192.168.255.1 255.255.255.255 [IPSEC FW Addr]

Reference config for normal Cisco – Cisco.

interface Tunnel2
 description * GRE Tunnel to Remote site int tunnel2 *
 bandwidth 2000
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1392
 load-interval 30
 tunnel source Loopback1
 tunnel destination 192.168.16.13
 hold-queue 2000 in
 hold-queue 2000 out
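
A check for the failure described at the top of this post, as an added example that is not part of the original post: it parses IOS-style configuration text and reports Tunnel interfaces that have no ip mtu set. The function names (tunnel_settings, audit) and the SAMPLE text are constructed for illustration; the third stanza, Tunnel4, is invented to show the fully unset case.

```python
import re

# Constructed sample: the two Cisco tunnel stanzas from this post, trimmed to
# the relevant lines (the second renamed Tunnel3), plus an invented Tunnel4
# with no MTU or MSS handling at all.
SAMPLE = """\
interface Tunnel2
 ip mtu 1400
 tunnel source Loopback1
 tunnel destination 192.168.255.1
!
interface Tunnel3
 ip tcp adjust-mss 1392
 tunnel source Loopback1
 tunnel destination 192.168.16.13
!
interface Tunnel4
 tunnel source Loopback1
 tunnel destination 192.168.255.1
"""

def tunnel_settings(config):
    """Map each Tunnel interface to its 'mtu' and 'tcp adjust-mss' values."""
    tunnels, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface\s+(\S+)", line)
        if head:  # an unindented 'interface X' line opens a new stanza
            is_tunnel = head.group(1).lower().startswith("tunnel")
            current = tunnels.setdefault(
                head.group(1), {"mtu": None, "tcp adjust-mss": None}
            ) if is_tunnel else None
        elif current is not None and line.startswith(" "):
            opt = re.match(r"\s+ip (mtu|tcp adjust-mss) (\d+)\s*$", line)
            if opt:
                current[opt.group(1)] = int(opt.group(2))
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return tunnels

def audit(config):
    """Return (interface, finding) pairs for tunnels without 'ip mtu'."""
    findings = []
    for name, s in tunnel_settings(config).items():
        if s["mtu"] is None and s["tcp adjust-mss"] is None:
            findings.append((name, "no ip mtu and no ip tcp adjust-mss"))
        elif s["mtu"] is None:
            findings.append((name, "adjust-mss only, non-TCP packets not covered"))
    return findings
```

Calling audit(SAMPLE) lists Tunnel3 and Tunnel4; Tunnel2, which matches the working Juniper-facing config, produces no finding.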