
VPN GRE Question


gabrielshorn
09-23-2009, 02:15 PM
Not completely understanding the GRE tunneling shown in the Cisco Press SNRS Quick Reference guide around page 65. I understand why I'd want to use GRE. I'm just not sure how the VPN ACL should look. If you want to send IP unicast data across an IPSec VPN, the ACL would be something like:

access-list 100 permit ip <local private addr/mask> <remote private addr/mask>

But when you add a GRE tunnel, the book says you replace the entry above with:

access-list 100 permit gre host <local external address> host <remote external address>

Is this right, or should you ADD the GRE line to the existing ACL?

Big Evil
09-24-2009, 02:14 AM
Indeed, when you create an IPsec VPN you use the LAN IPs as the interesting traffic.
But for GRE you use the outside interface source and destination in the ACL.

HTH.

gabrielshorn
09-24-2009, 10:05 AM
Thanks BE! Sure enough, I simulated it a little yesterday and started to get the sense that you REPLACE the IP line with source and destination internal network addresses with a "permit gre" line with the addresses on the outside interfaces--not the tunnel interfaces, but the actual physical interfaces. I just wasn't totally sure because GNS3 was giving me fits! Much prefer using actual hardware, but was away from my lab yesterday.

Actually, that brings to mind one more thing. If using GRE, I probably want to set my ipsec transform-set to "mode transport" instead of the default tunnel, since I already have GRE tunneling. Make sense?
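To make the two ACL styles and the transport-mode point concrete, here is an added IOS configuration for one side of a GRE-over-IPsec tunnel. It is not from the thread, the SNRS guide, or any vendor document; all addresses (outside 203.0.113.1 and 198.51.100.1, LANs 10.1.1.0/24 and 10.2.2.0/24, tunnel 172.16.0.0/30), the interface names, and the names GRE-TS and VPN are constructed for the example, and the pre-shared key is a placeholder.

```cisco
! Added example (not from the original thread or the Cisco Press guide).
! Constructed addresses: R1 outside 203.0.113.1, R2 outside 198.51.100.1,
! R1 LAN 10.1.1.0/24, R2 LAN 10.2.2.0/24, tunnel 172.16.0.0/30.
! Only R1 is shown; R2 mirrors it with the addresses swapped.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
! Transport mode: GRE already supplies the outer IP header between the
! physical endpoints, so IPsec only needs to protect the GRE payload.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL for plain IPsec (no GRE): LAN-to-LAN traffic is the
! interesting traffic. Shown commented out for comparison.
! access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto ACL for GRE over IPsec: REPLACES the line above. It matches the
! GRE packets between the physical outside addresses, not the tunnel
! addresses and not the LAN addresses.
access-list 100 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 100
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
! The crypto map goes on the physical outside interface that sources the tunnel.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
! LAN-to-LAN traffic is steered into the tunnel by routing (static here,
! or a routing protocol such as EIGRP), not by the crypto ACL.
ip route 10.2.2.0 255.255.255.0 Tunnel0
```

The check worth doing after bringing this up is `show crypto ipsec sa` on the outside interface: the SA's local and remote identity should show protocol 47 (GRE) between the two outside addresses, and the encapsulate/decapsulate counters should climb as LAN traffic crosses the tunnel. If the tunnel passes traffic but those counters stay at zero, the crypto ACL is not matching the GRE packets and the GRE traffic is leaving the interface unencrypted; the tunnel itself will still work, which is why this mismatch is easy to miss.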

Big Evil
09-24-2009, 10:07 AM
We use GRE here at work (not in a Cisco way though), I used it once when creating a site-to-site VPN and the EU was using EIGRP.

Good fun.