Two default routes and GRE tunnel does not work

If I have the 126.139.5.225 default routes the GRE tunnel will not work
from one the computers on the LAN side. Can anyone help me.


service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxxx address xxxxxxxxxxxxxxxx
crypto isakmp key xxxxx address xxxxxxxxxxxxxxxx
crypto isakmp key xxxx address xxxxxxxxxxxxxxxx
!
crypto ipsec transform-set des esp-des esp-md5-hmac
!
crypto map xxxxxxxxx 10 ipsec-isakmp
set peer xxxxxxxxxxxxxxx
set peer xxxxxxxxxxxxxxx
set peer xxxxxxxxxxxxxxxxx
set transform-set des
match address 150
!
interface Tunnel0
description to xxxxxxxxxx
ip address 10.10.151.2 255.255.255.252
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source FastEthernet0/0
crypto map xxxxxxxx
!
interface Tunnel1
description Tunnel to xxxxxxx
bandwidth 10000
ip address 10.10.152.2 255.255.255.252
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source FastEthernet0/0
tunnel destination xxxxxxxxxxxxxxxxxxx
crypto map xxxxxx
!
interface Tunnel2
description GRE tunnel to xxxxx
bandwidth 10000
ip address 10.10.153.2 255.255.255.252
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source FastEthernet0/0
tunnel destination xxxxxxxxxxxxxxxxxx
crypto map xxxxxx
!
interface Tunnel3
description To xxxxxxxxx
ip address 10.199.0.34 255.255.255.252
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source FastEthernet0/0
tunnel destination xxxxxxxxxxxxxxxxxxxx
crypto map xxxxxxx
!
interface FastEthernet0/0
ip address 126.139.47.114 255.255.255.248
ip nat outside
duplex auto
speed auto
crypto map xxxxxxx
!
interface Serial0/0
bandwidth 1536
ip address 126.139.5.226 255.255.255.252
ip verify unicast source reachable-via rx 2000
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
no ip mroute-cache
down-when-looped
no fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.0.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list 102 interface Serial0/0 overload
ip nat inside source static tcp 10.1.0.3 3389 126.139.47.114 3389
extendable
ip nat inside source static tcp 10.1.0.20 1494 126.139.47.114 1494
extendable
ip nat inside source static tcp 10.1.0.20 443 126.139.47.114 443
extendable
ip nat inside source static tcp 10.1.0.3 3389 126.139.5.226 3389
extendable
ip nat inside source static tcp 10.1.0.254 23 126.139.47.114 23
extendable
ip nat inside source static tcp 10.1.0.254 23 126.139.5.226 23
extendable
ip nat inside source static tcp 10.1.0.20 1494 126.139.5.226 1494
extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 126.139.47.113
ip route 0.0.0.0 0.0.0.0 126.139.5.225
ip route 10.1.2.0 255.255.255.0 Tunnel1
ip route 10.10.100.0 255.255.255.0 Tunnel3
ip route 10.10.151.0 255.255.255.0 Tunnel0
ip route 10.10.152.0 255.255.255.0 Tunnel1
ip route 10.10.153.0 255.255.255.0 Tunnel2
ip route 10.100.1.0 255.255.255.0 Tunnel3
!

access-list 101 permit tcp any any
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 150 permit gre host 126.139.47.114 host xxxxxxxxxxxxxxxxx
access-list 150 permit gre host 126.139.47.114 host
xxxxxxxxxxxxxxxxxxxxxxxx
access-list 150 permit gre host 126.139.47.114 host xxxxxxxxxxxxxxxxxxx

 

You have two default routes for one, and try setting the default to the
tunnel endpoint if you want to put the traffic in the tunnel - then
crypted.

 

I believe that the vpn is probably failing on the other end. It has one
destination for the vpn endpoint, but is getting responses from two
different addresses. You should probably use PBR to send out the vpn
traffic through just one interface (the one based on the address you use on
the other side).

Actually, the setup that you have is enough to confuse a lot of
applications, not just vpn. Even as much of a question... Why would you
try to load balance this way with a T1 and an ethernet connection? Seems
like that would serverly impact your network peformance. I would say to put
a higher admin distance on the route going through the serial interface.

 

Jay
How would I create default to the tunnel. If its 0.0.0.0 0.0.0.0
Tunnel1 wouldn't it send all traffic.
Scooby the tunnel is fine if I remove the default route of 0.0.0.0
0.0.0.0 126.39.5.225 from the router. How would I give a higher admin
distance for the serial.

 

I think to work with metrics... Just add 250 behind it for lower priority.
Besides that: make sure to route the tunnel destination to a different interface/ip since it won't find the destination
VIA the tunnel since the tunnel is not up because it can't find it's destination because etc.....

 

I tried adding 250 to the 126.39.5.225 to the default route.It works
but when I am trying to telnet or access the 126.39.5.225 from the
outside LAN it doesn't work.

Hans when you say "make sure to route the tunnel destination to a
different interface", what should I do. I already have a route 10.1.2.0
255.255.255.0 Tunnel1.