Re: Establishing GRE connection between 2 routers



On Nov 14, 7:12 am, bri...@xxxxxxxxxxxxxxxxx wrote:
In article <1194999750.015145.272...@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, f...@xxxxxx writes:
Hi,

I try to set up an office-to-office VPN tunnel, IPsec over GRE.

My first step is to set up a GRE tunnel.

I do the following:

On HQ router

configure terminal
interface tunnel 0
ip address 172.24.3.3 255.255.255.0
tunnel source FastEthernet 0
tunnel destination x.x.x.x (public IP of other router)
tunnel mode gre ip
no shut

Looks fine. However you haven't shown us details of Fa0 or x.x.x.x
or the routing in between.
It is a public address connected to the internet; actually I try to do it
over the internet to replace an existing leased line.


ip route 172.24.3.6 255.255.255.255 tunnel 0

This static route is pointless. The existence of the interface
creates a connected route toward 172.24.3.0/24 via tunnel 0.

You don't need a /32 route in addition to the /24.


I added it explicitly, because I was not able to ping the other end, but
it still did not work :(



On remote router

configure terminal
interface tunnel 0
ip address 172.24.3.6 255.255.255.0
tunnel source FastEthernet 0
tunnel destination x.x.x.x (public IP of other router)
tunnel mode gre ip
no shut

Again, this looks fine, bearing in mind that we know nothing about
Fa0 or x.x.x.x or the routing path between them.

Routing path as I already mentioned is over internet....


ip route 172.24.3.3 255.255.255.255 tunnel 0

And again, this static /32 route is pointless when you already
have a connected /24.



---------------------
Then I try to ping the other interface and initially it worked only from
the remote router to HQ, but after 5 min there is no more connection.

Do both tunnels show "up" and "up"?

Yes, they show up/up even though no packet is traversing?!



If you do "show ip route 172.24.3.6" on the one router and
"show ip route 172.24.3.3" on the other, do you see the proper
routes showing?

Yes I see /32 routes going on the tunnel


Is the physical link configured in such a way that you can ping
across that and verify connectivity between the tunnel's physical
endpoint addresses?

There is connectivity between addresses


Is the tunnel configured symmetrically? That is, is the IP address on
Fa0 on the one router equal to the x.x.x.x address configured in
the tunnel on the other? And vice versa? The source/destination
pair on the one router's tunnel configuration must exactly match
the destination/source pair on the other -- otherwise the receiving
router won't recognize the arriving GRE packets as belonging to the
proper tunnel.

Yes they match

You said that ping works... for a while.

Actually it worked for a while.... and I'm not able to establish the
connection for a second time even if I shut down the interfaces and bring
them up


Try a traceroute while the ping is still working. What route does
it show and what IP address does it say that it's ultimately arriving
at? Cisco's UDP-based traceroute will tell you which interface the packets
are arriving at on the far end (unlike Windows ICMP-based tracert
which just tells you the destination address you originally chose).

Repeat with a trace after the ping has failed to see if anything is
different.

I'm setting up a lab of 2 other routers and will try if I'll have the
same problems.

I may try it in a few days on production routers with proper addressing



Are there any router ACLs, firewalls or NAT on the routing path the GRE
packets will take? How is the routing for that path configured?


I do not see in the logs any packets blocked, and there is no ACL
explicitly blocking it; I do not have NAT or other firewall (on my
side of the network)

Are there any dynamic routing protocols in use that might cause
the tunnelled traffic to follow a dynamically learned route that
takes the tunnel path (thus creating an infinite encapsulation loop).

There are no dynamic routes, only static


Thank you for the response.....
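
Added example, not part of the thread or written by either poster: a small Python check that compares two routers' tunnel configurations for the source/destination symmetry discussed above and flags /32 static routes already covered by the tunnel's connected /24. The sample configs are constructed, use `show run`-style interface names (`FastEthernet0`, `Tunnel0`) and documentation-range addresses in place of the x.x.x.x public IPs; `sample`, `parse`, `endpoints` and `audit` are hypothetical names.

```python
import ipaddress

def sample(wan_ip, tun_ip, dest, peer_tun_ip):
    # Constructed config in the shape posted in the thread; the WAN
    # addresses are documentation-range stand-ins for x.x.x.x.
    return f"""interface FastEthernet0
 ip address {wan_ip} 255.255.255.252
interface Tunnel0
 ip address {tun_ip} 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination {dest}
ip route {peer_tun_ip} 255.255.255.255 Tunnel0
"""

HQ = sample("192.0.2.1", "172.24.3.3", "198.51.100.1", "172.24.3.6")
REMOTE = sample("198.51.100.1", "172.24.3.6", "192.0.2.1", "172.24.3.3")

def parse(cfg):
    ifaces, routes, cur = {}, [], None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {})
        elif w[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["addr"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:1] == ["tunnel"] and cur is not None and len(w) >= 3:
            cur[w[1]] = w[2]          # source / destination
    return ifaces, routes

def endpoints(ifaces, tun):
    src = ifaces[tun]["source"]
    if src in ifaces:                 # source given as an interface name
        src = str(ifaces[src]["addr"].ip)
    return src, ifaces[tun]["destination"]

def audit(a_cfg, b_cfg, tun="Tunnel0"):
    findings = []
    parsed = {"A": parse(a_cfg), "B": parse(b_cfg)}
    (sa, da), (sb, db) = (endpoints(parsed[k][0], tun) for k in "AB")
    if (sa, da) != (db, sb):
        findings.append(f"asymmetric endpoints: A {sa}->{da}, B {sb}->{db}")
    for name, (ifaces, routes) in parsed.items():
        connected = ifaces[tun]["addr"].network
        for net, via in routes:
            if via == tun and net.subnet_of(connected):
                findings.append(f"{name}: static {net} is covered by connected {connected}")
    return findings
```

`audit(HQ, REMOTE)` returns only the two redundant-route findings; a mistyped `tunnel destination` on either side adds an asymmetric-endpoints finding.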
