If you have a 3g or 4g interface and you set up a GRE tunnel out this 4g interface, make sure to lower your ip mtu below 1376 (your router will tell you the correct value if you set it too high). Failure to do so will cause the tunnel to be in DOWN state, even though ipsec negotiation is fine. I spent 30 minutes today looking at the config until I made the right decision to delete the tunnel interface and configure it line by line. When I entered ”ip mtu 1400”, ios gave me a warning that the mtu should be no higher than 1376.
The reason is that there some protocols in 4g network core that need to be additionally included in your mtu calculation. Normally we are able to send 1460 bytes ( + 20 bytes IP, 20 bytes TCP). However, when you have ipsec and gre, a safe value is 1400. Then come various 4g tunnel encapsulations, so 1376 seems to be just fine.