«

Hi,

I try to setup office to office VPN tunnel ipsec over gre.

My first step is to setup GRE tunnel.

I do following:

On HQ router

configure terminal
interface tunnel 0
ip address 172.24.3.3 255.255.255.0
tunnel source FastEthernet 0
tunnel destination x.x.x.x (public IP of other router)
tunnel mode gre ip
no shut

ip route 172.24.3.6 255.255.255.255 tunnel 0


On remote router

configure terminal
interface tunnel 0
ip address 172.24.3.6 255.255.255.0
tunnel source FastEthernet 0
tunnel destination x.x.x.x (public IP of other router)
tunnel mode gre ip
no shut

ip route 172.24.3.3 255.255.255.255 tunnel 0

---------------------
Then I try to ping other interface and initially worked only from
remote router to HQ, but after 5 min there is no more connection.

I've tried
debug tunnel

(nothing appears)

the routers are 7206 (IOS 12.2) and 7300 (IOS 12.3)

Any suggestions how to troubleshoot?

On 14 Nov, 00:22, f...@abv.bg wrote:
> Hi,
>
> I try to setup office to office VPN tunnel ipsec over gre.
>
> My first step is to setup GRE tunnel.
>
> I do following:
>
> On HQ router
>
> configure terminal
> interface tunnel 0
> ip address 172.24.3.3 255.255.255.0
> tunnel source FastEthernet 0
> tunnel destination x.x.x.x (public IP of other router)
> tunnel mode gre ip
> no shut
>
> ip route 172.24.3.6 255.255.255.255 tunnel 0
>
> On remote router
>
> configure terminal
> interface tunnel 0
> ip address 172.24.3.6 255.255.255.0
> tunnel source FastEthernet 0
> tunnel destination x.x.x.x (public IP of other router)
> tunnel mode gre ip
> no shut
>
> ip route 172.24.3.3 255.255.255.255 tunnel 0
>
> ---------------------
> Then I try to ping other interface and initially worked only from
> remote router to HQ, but after 5 min there is no more connection.
>
> I've tried
> debug tunnel
>
> (nothing appears)
>
> the routers are 7206 (IOS 12.2) and 7300 (IOS 12.3)
>
> Any suggestions how to troubleshoot?

The IP endpoint is throught the Tunnel itself. I would not have
thought the Tunnel could form properley as there is no route to the
tunnel destination.

Add a route to the tunnel destination outside of the tunnel. When the
endpoints find each other the tunnel should form.

Regards

Darren

In article <. com>, writes:
> Hi,
>
> I try to setup office to office VPN tunnel ipsec over gre.
>
> My first step is to setup GRE tunnel.
>
> I do following:
>
> On HQ router
>
> configure terminal
> interface tunnel 0
> ip address 172.24.3.3 255.255.255.0
> tunnel source FastEthernet 0
> tunnel destination x.x.x.x (public IP of other router)
> tunnel mode gre ip
> no shut

Looks fine. However you haven't shown us details of Fa0 or x.x.x.x
or the routing in between.

> ip route 172.24.3.6 255.255.255.255 tunnel 0

This static route is pointless. The existence of the interface
creates a connected route toward 172.24.3.0/24 via tunnel 0.

You don't need a /32 route in addition to the /24.

>
> On remote router
>
> configure terminal
> interface tunnel 0
> ip address 172.24.3.6 255.255.255.0
> tunnel source FastEthernet 0
> tunnel destination x.x.x.x (public IP of other router)
> tunnel mode gre ip
> no shut

Again, this looks fine, bearing in mind that we know nothing about
Fa0 or x.x.x.x or the routing path between them.

> ip route 172.24.3.3 255.255.255.255 tunnel 0

And again, this static /32 route is pointless when you already
have a connected /24.

>
> ---------------------
> Then I try to ping other interface and initially worked only from
> remote router to HQ, but after 5 min there is no more connection.

Do both tunnels show "up" and "up"?

If you do "show ip route 172.24.3.6" on the one router and
"show ip route 172.24.3.3" on the other, do you see the proper
routes showing?

Is the physical link configured in such a way that you can ping
across that and verify connectivity between the tunnel's physical
endpoint addresses?

Is the tunnel configured symmetrically? That is, is the IP address on
Fa0 on the one router equal to the x.x.x.x address configured in
the tunnel on the other? And vice versa? The source/destination
pair on the one router's tunnel configuration must exactly match
the destination/source pair on the other -- otherwise the receiving
router won't recognize the arriving GRE packets as belonging to the
proper tunnel.

You said that ping works... for a while.

Try a traceroute while the ping is still working. What route does
it show and what IP address does it say that it's ultimately arriving
at? Cisco's UDP-based traceroute will tell you which interface the packets
are arriving at on the far end (unlike Windows ICMP-based tracert
which just tells you the destination address you originally chose).

Repeat with a trace after the ping has failed to if anything is
different.

Are there any router ACLs, firewalls or NAT on the routing path the GRE
packets will take? How is the routing for that path configured?

Are there any dynamic routing protocols in use that might cause
the tunnelled traffic to follow a dynically learned route that
takes the tunnel path (thus creating an infinite encapsulation loop).

On Nov 14, 7:12 am, bri...@encompasserve.org wrote:
> In article <1194999750.015145.272...@22g2000hsm.googlegroups. com>, f...@abv.bg writes:
> > Hi,
>
> > I try to setup office to office VPN tunnel ipsec over gre.
>
> > My first step is to setup GRE tunnel.
>
> > I do following:
>
> > On HQ router
>
> > configure terminal
> > interface tunnel 0
> > ip address 172.24.3.3 255.255.255.0
> > tunnel source FastEthernet 0
> > tunnel destination x.x.x.x (public IP of other router)
> > tunnel mode gre ip
> > no shut
>
> Looks fine. However you haven't shown us details of Fa0 or x.x.x.x
> or the routing in between.
It is a public address connected to internet, actually I try to do it
over internet to replace existing leased line.

>
> > ip route 172.24.3.6 255.255.255.255 tunnel 0
>
> This static route is pointless. The existence of the interface
> creates a connected route toward 172.24.3.0/24 via tunnel 0.
>
> You don't need a /32 route in addition to the /24.
>
>
I added it explicitly, because I was not able to ping other end, but
it still did not works


>
> > On remote router
>
> > configure terminal
> > interface tunnel 0
> > ip address 172.24.3.6 255.255.255.0
> > tunnel source FastEthernet 0
> > tunnel destination x.x.x.x (public IP of other router)
> > tunnel mode gre ip
> > no shut
>
> Again, this looks fine, bearing in mind that we know nothing about
> Fa0 or x.x.x.x or the routing path between them.

Routing path as I already mentioned is over internet....

>
> > ip route 172.24.3.3 255.255.255.255 tunnel 0
>
> And again, this static /32 route is pointless when you already
> have a connected /24.
>
>
>
> > ---------------------
> > Then I try to ping other interface and initially worked only from
> > remote router to HQ, but after 5 min there is no more connection.
>
> Do both tunnels show "up" and "up"?

Yes they show up/up even no packet is traversing?!


>
> If you do "show ip route 172.24.3.6" on the one router and
> "show ip route 172.24.3.3" on the other, do you see the proper
> routes showing?

Yes I see /32 routes going on the tunnel

>
> Is the physical link configured in such a way that you can ping
> across that and verify connectivity between the tunnel's physical
> endpoint addresses?

There is conectivity betweeen addresses

>
> Is the tunnel configured symmetrically? That is, is the IP address on
> Fa0 on the one router equal to the x.x.x.x address configured in
> the tunnel on the other? And vice versa? The source/destination
> pair on the one router's tunnel configuration must exactly match
> the destination/source pair on the other -- otherwise the receiving
> router won't recognize the arriving GRE packets as belonging to the
> proper tunnel.

Yes they match
>
> You said that ping works... for a while.

Actually worked for a while.... and I'm not able to establish the
connection for second time even I shutdonw the interfaces and bring
them up

>
> Try a traceroute while the ping is still working. What route does
> it show and what IP address does it say that it's ultimately arriving
> at? Cisco's UDP-based traceroute will tell you which interface the packets
> are arriving at on the far end (unlike Windows ICMP-based tracert
> which just tells you the destination address you originally chose).
>
> Repeat with a trace after the ping has failed to if anything is
> different.

I'm setting up a lab of 2 other routers and will try if I'll have the
same problems.

I may try it in few days on production routers with proper addressing


>
> Are there any router ACLs, firewalls or NAT on the routing path the GRE
> packets will take? How is the routing for that path configured?
>

I do not see in the logs any packets blocked, and there is no ACL
explicitly blocking it; I do not have NAT or other firewall (on my
side of the network)

> Are there any dynamic routing protocols in use that might cause
> the tunnelled traffic to follow a dynically learned route that
> takes the tunnel path (thus creating an infinite encapsulation loop).

There is no dynamic routes, only static


Thank you for the responce.....