Two default routes and GRE tunnel does not work

Discussion in 'Cisco' started by jmulkerin, May 4, 2006.

  1. jmulkerin

    jmulkerin Guest

    If I have the 126.139.5.225 default route, the GRE tunnel will not work
    from one of the computers on the LAN side. Can anyone help me?


    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 15
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    ip audit po max-events 100
    !
    crypto isakmp policy 10
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key xxxxx address xxxxxxxxxxxxxxxx
    crypto isakmp key xxxxx address xxxxxxxxxxxxxxxx
    crypto isakmp key xxxx address xxxxxxxxxxxxxxxx
    !
    crypto ipsec transform-set des esp-des esp-md5-hmac
    !
    crypto map xxxxxxxxx 10 ipsec-isakmp
    set peer xxxxxxxxxxxxxxx
    set peer xxxxxxxxxxxxxxx
    set peer xxxxxxxxxxxxxxxxx
    set transform-set des
    match address 150
    !
    interface Tunnel0
    description to xxxxxxxxxx
    ip address 10.10.151.2 255.255.255.252
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    tunnel source FastEthernet0/0
    crypto map xxxxxxxx
    !
    interface Tunnel1
    description Tunnel to xxxxxxx
    bandwidth 10000
    ip address 10.10.152.2 255.255.255.252
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    tunnel source FastEthernet0/0
    tunnel destination xxxxxxxxxxxxxxxxxxx
    crypto map xxxxxx
    !
    interface Tunnel2
    description GRE tunnel to xxxxx
    bandwidth 10000
    ip address 10.10.153.2 255.255.255.252
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    tunnel source FastEthernet0/0
    tunnel destination xxxxxxxxxxxxxxxxxx
    crypto map xxxxxx
    !
    interface Tunnel3
    description To xxxxxxxxx
    ip address 10.199.0.34 255.255.255.252
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    tunnel source FastEthernet0/0
    tunnel destination xxxxxxxxxxxxxxxxxxxx
    crypto map xxxxxxx
    !
    interface FastEthernet0/0
    ip address 126.139.47.114 255.255.255.248
    ip nat outside
    duplex auto
    speed auto
    crypto map xxxxxxx
    !
    interface Serial0/0
    bandwidth 1536
    ip address 126.139.5.226 255.255.255.252
    ip verify unicast source reachable-via rx 2000
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    no ip mroute-cache
    down-when-looped
    no fair-queue
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface FastEthernet0/1
    ip address 10.1.0.254 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    !
    ip nat inside source list 101 interface FastEthernet0/0 overload
    ip nat inside source list 102 interface Serial0/0 overload
    ip nat inside source static tcp 10.1.0.3 3389 126.139.47.114 3389 extendable
    ip nat inside source static tcp 10.1.0.20 1494 126.139.47.114 1494 extendable
    ip nat inside source static tcp 10.1.0.20 443 126.139.47.114 443 extendable
    ip nat inside source static tcp 10.1.0.3 3389 126.139.5.226 3389 extendable
    ip nat inside source static tcp 10.1.0.254 23 126.139.47.114 23 extendable
    ip nat inside source static tcp 10.1.0.254 23 126.139.5.226 23 extendable
    ip nat inside source static tcp 10.1.0.20 1494 126.139.5.226 1494 extendable
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 126.139.47.113
    ip route 0.0.0.0 0.0.0.0 126.139.5.225
    ip route 10.1.2.0 255.255.255.0 Tunnel1
    ip route 10.10.100.0 255.255.255.0 Tunnel3
    ip route 10.10.151.0 255.255.255.0 Tunnel0
    ip route 10.10.152.0 255.255.255.0 Tunnel1
    ip route 10.10.153.0 255.255.255.0 Tunnel2
    ip route 10.100.1.0 255.255.255.0 Tunnel3
    !

    access-list 101 permit tcp any any
    access-list 101 permit ip any any
    access-list 102 permit ip any any
    access-list 150 permit gre host 126.139.47.114 host xxxxxxxxxxxxxxxxx
    access-list 150 permit gre host 126.139.47.114 host xxxxxxxxxxxxxxxxxxxxxxxx
    access-list 150 permit gre host 126.139.47.114 host xxxxxxxxxxxxxxxxxxx
     
    jmulkerin, May 4, 2006
    #1

  2. jmulkerin

    jay Guest

    You have two default routes for one, and try setting the default to the
    tunnel endpoint if you want to put the traffic in the tunnel - then
    crypted.
     
    jay, May 4, 2006
    #2

  3. jmulkerin

    Scooby Guest

    I believe that the vpn is probably failing on the other end. It has one
    destination for the vpn endpoint, but is getting responses from two
    different addresses. You should probably use PBR to send out the vpn
    traffic through just one interface (the one based on the address you use on
    the other side).

    Actually, the setup that you have is enough to confuse a lot of
    applications, not just vpn. Even as much of a question... Why would you
    try to load balance this way with a T1 and an ethernet connection? Seems
    like that would severely impact your network performance. I would say to put
    a higher admin distance on the route going through the serial interface.
     
    Scooby, May 4, 2006
    #3
  4. jmulkerin

    jmulkerin Guest

    Jay
    How would I create a default to the tunnel? If it's 0.0.0.0 0.0.0.0
    Tunnel1, wouldn't it send all traffic?
    Scooby, the tunnel is fine if I remove the default route of 0.0.0.0
    0.0.0.0 126.39.5.225 from the router. How would I give a higher admin
    distance for the serial?
     
    jmulkerin, May 4, 2006
    #4
  5. jmulkerin

    Hans Guest

    I think to work with metrics... Just add 250 behind it for lower priority.
    Besides that: make sure to route the tunnel destination to a different interface/ip since it won't find the destination
    VIA the tunnel since the tunnel is not up because it can't find its destination because etc.....
     
    Hans, May 4, 2006
    #5
  6. jmulkerin

    jmulkerin Guest

    I tried adding 250 to the 126.39.5.225 to the default route. It works,
    but when I am trying to telnet or access the 126.39.5.225 from the
    outside LAN it doesn't work.

    Hans, when you say "make sure to route the tunnel destination to a
    different interface", what should I do? I already have a route 10.1.2.0
    255.255.255.0 Tunnel1.
     
    jmulkerin, May 5, 2006
    #6
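
Added example, not part of the thread: the floating static route that Scooby and Hans describe, plus a host route that sends one GRE peer out through the FastEthernet0/0 next hop, written against the addresses in the posted config. `TUNNEL1-DEST` is a placeholder for the redacted Tunnel1 destination address.

```cisco
! Added example, not from the thread. TUNNEL1-DEST is a placeholder for the
! redacted "tunnel destination" address configured on Tunnel1.
!
! Before (as posted): two default routes with the same administrative
! distance (1). Both are installed, so packets to the tunnel peer can leave
! through Serial0/0 although every tunnel is sourced from FastEthernet0/0.
!   ip route 0.0.0.0 0.0.0.0 126.139.47.113
!   ip route 0.0.0.0 0.0.0.0 126.139.5.225
!
! After: keep the FastEthernet0/0 default as primary and turn the serial
! default into a floating static (distance 250). It is installed only when
! the primary default is withdrawn from the routing table.
configure terminal
 no ip route 0.0.0.0 0.0.0.0 126.139.5.225
 ip route 0.0.0.0 0.0.0.0 126.139.5.225 250
 !
 ! Host route for the GRE peer via the physical next hop, so the
 ! encapsulated packets never resolve through a tunnel or the serial default.
 ip route TUNNEL1-DEST 255.255.255.255 126.139.47.113
end
!
! Checks: one active default, the peer resolved via 126.139.47.113,
! Tunnel1 line protocol up, and an ISAKMP SA to the peer.
show ip route 0.0.0.0
show ip route TUNNEL1-DEST
show interfaces Tunnel1
show crypto isakmp sa
```

Access list 150 in the posted config matches GRE only from 126.139.47.114, so the encrypted tunnels are tied to the FastEthernet0/0 address whichever default is active. A static default through an Ethernet next hop stays installed while the interface is up, so the floating route takes over only when FastEthernet0/0 itself goes down.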