I try to setup office to office VPN tunnel ipsec over gre.
My first step is to setup GRE tunnel.
I do following:
On HQ router
configure terminal interface tunnel 0 ip address 172.24.3.3 255.255.255.0 tunnel source FastEthernet 0 tunnel destination x.x.x.x (public IP of other router) tunnel mode gre ip no shut
ip route 172.24.3.6 255.255.255.255 tunnel 0
On remote router
configure terminal interface tunnel 0 ip address 172.24.3.6 255.255.255.0 tunnel source FastEthernet 0 tunnel destination x.x.x.x (public IP of other router) tunnel mode gre ip no shut
ip route 172.24.3.3 255.255.255.255 tunnel 0
--------------------- Then I try to ping other interface and initially worked only from remote router to HQ, but after 5 min there is no more connection.
I've tried debug tunnel
(nothing appears)
the routers are 7206 (IOS 12.2) and 7300 (IOS 12.3)
The IP endpoint is throught the Tunnel itself. I would not have thought the Tunnel could form properley as there is no route to the tunnel destination.
Add a route to the tunnel destination outside of the tunnel. When the endpoints find each other the tunnel should form.
Looks fine. However you haven't shown us details of Fa0 or x.x.x.x or the routing in between.
This static route is pointless. The existence of the interface creates a connected route toward 172.24.3.0/24 via tunnel 0.
You don't need a /32 route in addition to the /24.
Again, this looks fine, bearing in mind that we know nothing about Fa0 or x.x.x.x or the routing path between them.
And again, this static /32 route is pointless when you already have a connected /24.
Do both tunnels show "up" and "up"?
If you do "show ip route 172.24.3.6" on the one router and "show ip route 172.24.3.3" on the other, do you see the proper routes showing?
Is the physical link configured in such a way that you can ping across that and verify connectivity between the tunnel's physical endpoint addresses?
Is the tunnel configured symmetrically? That is, is the IP address on Fa0 on the one router equal to the x.x.x.x address configured in the tunnel on the other? And vice versa? The source/destination pair on the one router's tunnel configuration must exactly match the destination/source pair on the other -- otherwise the receiving router won't recognize the arriving GRE packets as belonging to the proper tunnel.
You said that ping works... for a while.
Try a traceroute while the ping is still working. What route does it show and what IP address does it say that it's ultimately arriving at? Cisco's UDP-based traceroute will tell you which interface the packets are arriving at on the far end (unlike Windows ICMP-based tracert which just tells you the destination address you originally chose).
Repeat with a trace after the ping has failed to if anything is different.
Are there any router ACLs, firewalls or NAT on the routing path the GRE packets will take? How is the routing for that path configured?
Are there any dynamic routing protocols in use that might cause the tunnelled traffic to follow a dynically learned route that takes the tunnel path (thus creating an infinite encapsulation loop).
It is a public address connected to internet, actually I try to do it over internet to replace existing leased line.
I added it explicitly, because I was not able to ping other end, but it still did not works :(
Routing path as I already mentioned is over internet....
Yes they show up/up even no packet is traversing?!
Yes I see /32 routes going on the tunnel
There is conectivity betweeen addresses
Yes they match
Actually worked for a while.... and I'm not able to establish the connection for second time even I shutdonw the interfaces and bring them up
I'm setting up a lab of 2 other routers and will try if I'll have the same problems.
I may try it in few days on production routers with proper addressing
I do not see in the logs any packets blocked, and there is no ACL explicitly blocking it; I do not have NAT or other firewall (on my side of the network)
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.