Posted on June 17, 2021 9:06 pm | Asked by Christopher Vickers

I am trying to configure a basic IPSEC/GRE tunnel on CloudEOS. I have followed the example IPSec/GRE configuration on the page “https://www.arista.com/en/cg-veos-router/veos-router-ipsec-support”, however I believe the example configurations are incorrect. The IKE policy names are incorrect for “Running Configuration for CloudEOS and vEOS2”. The tunnel does not come up.

I have corrected what I believe are the errors; however, when running the configurations “IPSec – Modified 1.txt” and “IPSec – Modified 2.txt”, the status of the tunnel is still down and shows:

IPSEC1#show interfaces tunnel 1
Tunnel1 is down, line protocol is down (notconnect)
Hardware is Tunnel, address is 0000.0000.0000
Internet address is 1.0.3.1/24
Broadcast address is 255.255.255.255
Tunnel source 1.0.0.1, destination 1.0.0.2
Tunnel protocol/transport GRE/IP
Hardware forwarding enabled
Tunnel transport MTU 1404 bytes
Tunnel underlay VRF "default"
Line protocol status details
Waiting for successful completion of security association negotiation with remote peer
Hardware programming pending

Can you please advise what is incorrect with my configs?

Thank you

Chris

Posted by Aniket Bhowmick
Answered on June 18, 2021 2:56 am

Hi Chris,

Thank you for reaching out on EOS forums!

Can you try the below steps:

  • Shutdown "interface Tunnel1" on both vEOS routers (IPSEC1 and IPSEC2)
  • Remove the "connection start" command under "profile hq" from IPSEC2 (or, if you want, you can remove it from the IPSEC1 device)
  • Do a "no shut" under "interface Tunnel1"
  • Monitor the status of the tunnel for a few minutes and see if it comes up

Whichever device has the "connection start" command will be the initiator of the IKE-phase-1 tunnel. Only one device can be the "initiator"; the other one would be the "responder". Hence the command should exist only on one device.

If the tunnel still shows as down, then remove the "Tunnel1" interface completely (CMD: no interface tunnel 1) on both sides, create a new one with the same configuration and check again.

Regards,

Aniket
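As an added example (not code from the thread or from Arista), here is a small Python check that applies the two points raised in this thread to a pair of running-configs: each profile's ike-policy and sa-policy must name a policy that is actually defined, and "connection start" must appear on exactly one of the two peers. The sample configs and the "ip security" block layout they use are constructed for the example and assumed from the terms used in the thread.

```python
# Constructed sample configs for the two tunnel endpoints. The layout is assumed from
# the thread's terms: an "ip security" section holding ike policy, sa policy and profile blocks.
IPSEC1 = """\
ip security
   ike policy ike-hq
   sa policy sa-hq
   profile hq
      ike-policy ike-hq
      sa-policy sa-hq
      connection start
"""
# Peer 2: IKE policy defined under a different name than the profile references, and
# "connection start" present on both sides (the two defects discussed above).
IPSEC2 = IPSEC1.replace("ike policy ike-hq", "ike policy ike-branch")


def parse_ip_security(config):
    # Returns (defined policy names as "ike <name>"/"sa <name>", per-profile settings).
    policies, profiles, in_section, profile = set(), {}, False, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # any top-level command closes the ip security section
            in_section, profile = words[:2] == ["ip", "security"], None
        elif in_section and indent == 3:
            profile = None
            if words[0] in ("ike", "sa") and words[1] == "policy":
                policies.add(f"{words[0]} {words[2]}")
            elif words[0] == "profile":
                profile = words[1]
                profiles[profile] = {"ike-policy": None, "sa-policy": None, "start": False}
        elif profile is not None:
            if words[0] in ("ike-policy", "sa-policy"):
                profiles[profile][words[0]] = words[1]
            elif words[:2] == ["connection", "start"]:
                profiles[profile]["start"] = True
    return policies, profiles


def check_pair(configs, profile_name):
    # Lists inconsistencies for one profile across both peers (empty list = looks sane).
    findings, initiators = [], []
    for dev, cfg in configs.items():
        policies, profiles = parse_ip_security(cfg)
        prof = profiles[profile_name]
        for key in ("ike-policy", "sa-policy"):  # referenced policy must be defined
            if f"{key.split('-')[0]} {prof[key]}" not in policies:
                findings.append(f"{dev}: {key} {prof[key]} is not defined")
        if prof["start"]:
            initiators.append(dev)
    if len(initiators) != 1:  # exactly one side should initiate IKE phase 1
        findings.append(f"connection start on {initiators}; expected exactly one initiator")
    return findings
```

Running `check_pair({"IPSEC1": IPSEC1, "IPSEC2": IPSEC2}, "hq")` reports the undefined IKE policy on IPSEC2 and the double initiator; with the name fixed and "connection start" removed from IPSEC2 it returns an empty list.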
