Establishing GRE connection between 2 routers

Discussion in 'Cisco' started by foxb@abv.bg, Nov 14, 2007.

  1. Guest

    Hi,

    I try to setup office to office VPN tunnel ipsec over gre.

    My first step is to setup GRE tunnel.

    I do following:

    On HQ router

    configure terminal
    interface tunnel 0
    ip address 172.24.3.3 255.255.255.0
    tunnel source FastEthernet 0
    tunnel destination x.x.x.x (public IP of other router)
    tunnel mode gre ip
    no shut

    ip route 172.24.3.6 255.255.255.255 tunnel 0


    On remote router

    configure terminal
    interface tunnel 0
    ip address 172.24.3.6 255.255.255.0
    tunnel source FastEthernet 0
    tunnel destination x.x.x.x (public IP of other router)
    tunnel mode gre ip
    no shut

    ip route 172.24.3.3 255.255.255.255 tunnel 0

    ---------------------
    Then I try to ping other interface and initially worked only from
    remote router to HQ, but after 5 min there is no more connection.

    I've tried
    debug tunnel

    (nothing appears)

    the routers are 7206 (IOS 12.2) and 7300 (IOS 12.3)

    Any suggestions how to troubleshoot?
    , Nov 14, 2007
    #1

  2. Darren Green Guest

    On 14 Nov, 00:22, wrote:
    > Hi,
    >
    > I try to setup office to office VPN tunnel ipsec over gre.
    >
    > My first step is to setup GRE tunnel.
    >
    > I do following:
    >
    > On HQ router
    >
    > configure terminal
    > interface tunnel 0
    > ip address 172.24.3.3 255.255.255.0
    > tunnel source FastEthernet 0
    > tunnel destination x.x.x.x (public IP of other router)
    > tunnel mode gre ip
    > no shut
    >
    > ip route 172.24.3.6 255.255.255.255 tunnel 0
    >
    > On remote router
    >
    > configure terminal
    > interface tunnel 0
    > ip address 172.24.3.6 255.255.255.0
    > tunnel source FastEthernet 0
    > tunnel destination x.x.x.x (public IP of other router)
    > tunnel mode gre ip
    > no shut
    >
    > ip route 172.24.3.3 255.255.255.255 tunnel 0
    >
    > ---------------------
    > Then I try to ping other interface and initially worked only from
    > remote router to HQ, but after 5 min there is no more connection.
    >
    > I've tried
    > debug tunnel
    >
    > (nothing appears)
    >
    > the routers are 7206 (IOS 12.2) and 7300 (IOS 12.3)
    >
    > Any suggestions how to troubleshoot?


    The IP endpoint is through the Tunnel itself. I would not have
    thought the Tunnel could form properly as there is no route to the
    tunnel destination.

    Add a route to the tunnel destination outside of the tunnel. When the
    endpoints find each other the tunnel should form.

    Regards

    Darren
    Darren Green, Nov 14, 2007
    #2

  3. Guest

    In article <>, writes:
    > Hi,
    >
    > I try to setup office to office VPN tunnel ipsec over gre.
    >
    > My first step is to setup GRE tunnel.
    >
    > I do following:
    >
    > On HQ router
    >
    > configure terminal
    > interface tunnel 0
    > ip address 172.24.3.3 255.255.255.0
    > tunnel source FastEthernet 0
    > tunnel destination x.x.x.x (public IP of other router)
    > tunnel mode gre ip
    > no shut


    Looks fine. However you haven't shown us details of Fa0 or x.x.x.x
    or the routing in between.

    > ip route 172.24.3.6 255.255.255.255 tunnel 0


    This static route is pointless. The existence of the interface
    creates a connected route toward 172.24.3.0/24 via tunnel 0.

    You don't need a /32 route in addition to the /24.

    >
    > On remote router
    >
    > configure terminal
    > interface tunnel 0
    > ip address 172.24.3.6 255.255.255.0
    > tunnel source FastEthernet 0
    > tunnel destination x.x.x.x (public IP of other router)
    > tunnel mode gre ip
    > no shut


    Again, this looks fine, bearing in mind that we know nothing about
    Fa0 or x.x.x.x or the routing path between them.

    > ip route 172.24.3.3 255.255.255.255 tunnel 0


    And again, this static /32 route is pointless when you already
    have a connected /24.

    >
    > ---------------------
    > Then I try to ping other interface and initially worked only from
    > remote router to HQ, but after 5 min there is no more connection.


    Do both tunnels show "up" and "up"?

    If you do "show ip route 172.24.3.6" on the one router and
    "show ip route 172.24.3.3" on the other, do you see the proper
    routes showing?

    Is the physical link configured in such a way that you can ping
    across that and verify connectivity between the tunnel's physical
    endpoint addresses?

    Is the tunnel configured symmetrically? That is, is the IP address on
    Fa0 on the one router equal to the x.x.x.x address configured in
    the tunnel on the other? And vice versa? The source/destination
    pair on the one router's tunnel configuration must exactly match
    the destination/source pair on the other -- otherwise the receiving
    router won't recognize the arriving GRE packets as belonging to the
    proper tunnel.

    You said that ping works... for a while.

    Try a traceroute while the ping is still working. What route does
    it show and what IP address does it say that it's ultimately arriving
    at? Cisco's UDP-based traceroute will tell you which interface the packets
    are arriving at on the far end (unlike Windows ICMP-based tracert
    which just tells you the destination address you originally chose).

    Repeat with a trace after the ping has failed to see if anything is
    different.

    Are there any router ACLs, firewalls or NAT on the routing path the GRE
    packets will take? How is the routing for that path configured?

    Are there any dynamic routing protocols in use that might cause
    the tunnelled traffic to follow a dynamically learned route that
    takes the tunnel path (thus creating an infinite encapsulation loop).
    , Nov 14, 2007
    #3
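
The checks raised in the reply above (matching source/destination pairs, /32 statics that duplicate the connected /24, and a route that sends the tunnel destination into the tunnel itself), as an added example that is not part of any poster's message. The helper names `parse`, `check` and `sample` are hypothetical, and since the thread only shows x.x.x.x, the Fa0 addresses are constructed from documentation ranges.

```python
import ipaddress
import re

def parse(cfg):
    """Pull interface addresses, tunnel endpoints and routes via tunnel 0."""
    info = {"ifaces": {}, "tun_routes": []}
    cur = None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface\s+(\S+)\s*(\d*)$", line, re.I):
            cur = (m[1] + m[2]).lower()
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            info["ifaces"][cur] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel source (\S+)\s*(\d*)$", line, re.I):
            info["src_if"] = (m[1] + m[2]).lower()
        elif m := re.match(r"tunnel destination (\S+)", line):
            info["dst"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip route (\S+) (\S+) tunnel\s*0$", line, re.I):
            info["tun_routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return info

def check(a, b):
    """Return findings for two parsed configs (a = HQ, b = remote)."""
    findings = []
    for name, me, peer in (("HQ", a, b), ("remote", b, a)):
        # Symmetry: my tunnel destination must be the peer's source address.
        if me["dst"] != peer["ifaces"][peer["src_if"]].ip:
            findings.append(f"{name}: destination does not match peer source")
        for net in me["tun_routes"]:
            if me["dst"] in net:  # transport address routed into the tunnel
                findings.append(f"{name}: recursive route {net}")
            elif net.subnet_of(me["ifaces"]["tunnel0"].network):
                findings.append(f"{name}: redundant route {net}")
    return findings

def sample(tun_ip, fa_ip, dst, route):
    # Constructed config shaped like the post; all Fa0 addresses are assumed.
    return (f"interface FastEthernet 0\n ip address {fa_ip} 255.255.255.252\n"
            f"interface tunnel 0\n ip address {tun_ip} 255.255.255.0\n"
            f" tunnel source FastEthernet 0\n tunnel destination {dst}\n"
            f"ip route {route} tunnel 0\n")

HQ = sample("172.24.3.3", "192.0.2.1", "198.51.100.1", "172.24.3.6 255.255.255.255")
REMOTE = sample("172.24.3.6", "198.51.100.1", "192.0.2.1", "172.24.3.3 255.255.255.255")
# Broken variant: wrong destination plus a route sending it into the tunnel.
BAD = sample("172.24.3.6", "198.51.100.1", "192.0.2.9", "192.0.2.0 255.255.255.0")

if __name__ == "__main__":
    for peer in (REMOTE, BAD):
        print(check(parse(HQ), parse(peer)))
```
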
  4. FoxB Guest

    On Nov 14, 7:12 am, wrote:
    > In article <>, writes:
    > > Hi,

    >
    > > I try to setup office to office VPN tunnel ipsec over gre.

    >
    > > My first step is to setup GRE tunnel.

    >
    > > I do following:

    >
    > > On HQ router

    >
    > > configure terminal
    > > interface tunnel 0
    > > ip address 172.24.3.3 255.255.255.0
    > > tunnel source FastEthernet 0
    > > tunnel destination x.x.x.x (public IP of other router)
    > > tunnel mode gre ip
    > > no shut

    >
    > Looks fine. However you haven't shown us details of Fa0 or x.x.x.x
    > or the routing in between.

    It is a public address connected to internet, actually I try to do it
    over internet to replace existing leased line.

    >
    > > ip route 172.24.3.6 255.255.255.255 tunnel 0

    >
    > This static route is pointless. The existence of the interface
    > creates a connected route toward 172.24.3.0/24 via tunnel 0.
    >
    > You don't need a /32 route in addition to the /24.
    >
    >

    I added it explicitly, because I was not able to ping other end, but
    it still did not work :(


    >
    > > On remote router

    >
    > > configure terminal
    > > interface tunnel 0
    > > ip address 172.24.3.6 255.255.255.0
    > > tunnel source FastEthernet 0
    > > tunnel destination x.x.x.x (public IP of other router)
    > > tunnel mode gre ip
    > > no shut

    >
    > Again, this looks fine, bearing in mind that we know nothing about
    > Fa0 or x.x.x.x or the routing path between them.


    Routing path as I already mentioned is over internet....

    >
    > > ip route 172.24.3.3 255.255.255.255 tunnel 0

    >
    > And again, this static /32 route is pointless when you already
    > have a connected /24.
    >
    >
    >
    > > ---------------------
    > > Then I try to ping other interface and initially worked only from
    > > remote router to HQ, but after 5 min there is no more connection.

    >
    > Do both tunnels show "up" and "up"?


    Yes, they show up/up even though no packet is traversing?!


    >
    > If you do "show ip route 172.24.3.6" on the one router and
    > "show ip route 172.24.3.3" on the other, do you see the proper
    > routes showing?


    Yes I see /32 routes going on the tunnel

    >
    > Is the physical link configured in such a way that you can ping
    > across that and verify connectivity between the tunnel's physical
    > endpoint addresses?


    There is connectivity between addresses

    >
    > Is the tunnel configured symmetrically? That is, is the IP address on
    > Fa0 on the one router equal to the x.x.x.x address configured in
    > the tunnel on the other? And vice versa? The source/destination
    > pair on the one router's tunnel configuration must exactly match
    > the destination/source pair on the other -- otherwise the receiving
    > router won't recognize the arriving GRE packets as belonging to the
    > proper tunnel.


    Yes they match
    >
    > You said that ping works... for a while.


    Actually worked for a while.... and I'm not able to establish the
    connection for a second time even if I shut down the interfaces and bring
    them up

    >
    > Try a traceroute while the ping is still working. What route does
    > it show and what IP address does it say that it's ultimately arriving
    > at? Cisco's UDP-based traceroute will tell you which interface the packets
    > are arriving at on the far end (unlike Windows ICMP-based tracert
    > which just tells you the destination address you originally chose).
    >
    > Repeat with a trace after the ping has failed to see if anything is
    > different.


    I'm setting up a lab of 2 other routers and will try if I'll have the
    same problems.

    I may try it in few days on production routers with proper addressing


    >
    > Are there any router ACLs, firewalls or NAT on the routing path the GRE
    > packets will take? How is the routing for that path configured?
    >


    I do not see in the logs any packets blocked, and there is no ACL
    explicitly blocking it; I do not have NAT or other firewall (on my
    side of the network)

    > Are there any dynamic routing protocols in use that might cause
    > the tunnelled traffic to follow a dynamically learned route that
    > takes the tunnel path (thus creating an infinite encapsulation loop).


    There are no dynamic routes, only static


    Thank you for the response.....
    FoxB, Nov 14, 2007
    #4