4.2.a Implement and troubleshoot IPsec with preshared key

4.2.a [ii] IPv6 in IPv4 tunnels

Generic routing encapsulation (GRE) tunnels sometimes are combined with IPSec, because IPSec does not support IPv6 multicast packets. This function prevents dynamic routing protocols from running successfully over an IPSec VPN network. Because GRE tunnels do support IPv6 multicast , a dynamic routing protocol can be run over a GRE tunnel. Once a dynamic routing protocol is configured over a GRE tunnel, you can encrypt the GRE IPv6 multicast packets using IPSec.

IPSec can encrypt GRE packets using a crypto map or tunnel protection. Both methods specify that IPSec encryption is performed after GRE encapsulation is configured. When a crypto map is used, encryption is applied to the outbound physical interfaces for the GRE tunnel packets. When tunnel protection is used, encryption is configured on the GRE tunnel interface.

“% CRPTO-4-IKMP_BAD_MESSAGE: IKE” message from 150.150.150.1 failed its sanity check or is malformed appears if the pre-shared keys on the peers do not match. In order to fix this issue, check the pre-shared keys on both sides.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4860-4863).  . Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-ipv6-ipv4-gre.html

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#ike