Problem with a simple GRE tunnel

Oct 28th, 2007

Hello everyone:

I have a problem with a simple GRE tunnel and cannot make it work. The problem lies in the instruction "tunnel source loopback-0": if I use this command, it does not work, but if I use "tunnel source <ip wan>", it works. Can someone tell me why?

Thanks for your help


Router 1: 2811


version 12.4
no service password-encryption
!
hostname cisco2811
!
no aaa new-model
!
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.10.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 217.127.XXX.188
!
interface Tunnel1
 ip address 10.10.2.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 80.32.XXX.125
!
interface FastEthernet0/0
 description LOCAL LAN Interface
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN Interface
 ip address 195.77.XXX.70 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.77.XXX.65
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.4.0 255.255.255.0 Tunnel1
!
ip nat inside source route-map salida-fibra interface FastEthernet0/1 overload
!
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map salida-fibra permit 10
 match ip address 120
!


Router 2: 2811

version 12.4
service password-encryption
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
username admin privilege 15 password 7 104CXXXXx13
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 10.10.1.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 195.77.XXX.70
!
interface Ethernet0
 ip address 192.168.3.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 217.127.XXX.188 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 no snmp trap link-status
 pvc 8/32
  encapsulation aal5snap
 !
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip nat inside source route-map nonat interface ATM0.1 overload
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 120
!


paolo bevilacqua Sun, 10/28/2007 - 16:31

Hi,

The remote end doesn't know about your loopback address. Just use an address from a WAN interface instead.

lidium.net Sun, 10/28/2007 - 23:41

Thanks for the answer, but I have a doubt: then I cannot use a loopback interface in ATM?

I changed router 2 as you said, but I cannot get it working ... Any ideas?


Before

Interface Tunnel0
 Ip address 10.10.1.2 255.255.255.0
 Tunnel source Loopback0
 Tunnel destination 195.77.XXX.70
!


After

Interface Tunnel0
 Ip address 10.10.1.2 255.255.255.0
 Tunnel source 217.127.XXX.188
 Tunnel destination 195.77.XXX.70
!


I also removed the interface Loopback 0 on router 2.

lgijssel Mon, 10/29/2007 - 00:20

Please verify the ip connectivity between the tunnel peers.

What is the state of your tunnel interfaces?

Can you post some output regarding tunnel state changes? Any recursive routing there?


One other remark: Routing is applied before NAT and as you are not traversing a nat-outside interface but a tunnel interface instead, the route map is not needed in this config to avoid natting the tunnel traffic.


regards,

Leo

lidium.net Mon, 10/29/2007 - 01:08

Hello, thank you for the answer. As to your question, I have no connectivity within the tunnel: if from Router 1 I ping 10.10.1.2, I get no response ...

Now, if on both routers I remove the loopback and on interface Tunnel 0 change the tunnel source to "tunnel source ", the tunnel works perfectly; the problem is when I have to use the loopback. Unfortunately, once the tunnel works, it will have to support multicast, and all the examples I found use a loopback as 'source' ... but this is a step back ..


Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.10.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2.2.2.2 (Loopback0), destination 217.127.XXX.188
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 09:04:38, output 00:00:19, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11101 packets output, 773420 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Correct Answer
lgijssel Mon, 10/29/2007 - 01:27

The tunnel will only work when the peer interfaces are reachable.

There is nothing against using loopback interfaces but you need to accommodate for this in your IP plan. Using something like 2.2.2.2 is therefore not correct unless you had registered this range. Otherwise, the Internet will not route this address back to you. (as already stated by p.bevilacqua)

The reason why a loopback is often used for this is that a loopback is independent of the physical state of an interface. In other words: it never goes down due to a link failure.


regards,

Leo
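
The mismatch discussed in this thread can be checked mechanically: for GRE between two routers, each side's resolved tunnel source must be the address the peer has configured as its tunnel destination. The following Python check is an added example, not part of the original thread; the WAN addresses are constructed documentation-range stand-ins for the masked ones, and the function names `parse`, `endpoints` and `mismatches` are hypothetical.

```python
import re

# Constructed configs modelled on the thread; WAN addresses are
# documentation-range stand-ins because the page masks the real ones.
R1 = """
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 203.0.113.188
interface FastEthernet0/1
 ip address 198.51.100.70 255.255.255.248
"""
R2 = """
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 198.51.100.70
interface ATM0.1 point-to-point
 ip address 203.0.113.188 255.255.255.192
"""

def parse(cfg):
    """Return {interface name: {'ip', 'source', 'destination'}} as found."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line, re.I):
            cur = ifaces.setdefault(m.group(1).lower(), {})
        elif cur is not None and (m := re.match(r"ip address (\S+) \S+$", line, re.I)):
            cur["ip"] = m.group(1)
        elif cur is not None and (m := re.match(r"tunnel (source|destination) (\S+)", line, re.I)):
            cur[m.group(1).lower()] = m.group(2)
    return ifaces

def endpoints(cfg, tunnel="tunnel0"):
    """Resolve (source IP, destination IP) for one tunnel interface."""
    ifaces = parse(cfg)
    t = ifaces[tunnel]
    # 'tunnel source' may name an interface; use that interface's address.
    src = ifaces.get(t["source"].lower(), {}).get("ip", t["source"])
    return src, t["destination"]

def mismatches(a, b):
    """List every side whose source is not what the peer sends to."""
    (sa, da), (sb, db) = endpoints(a), endpoints(b)
    checks = [("A", sa, db), ("B", sb, da)]
    return [f"{n} sources from {s} but peer sends to {d}" for n, s, d in checks if s != d]
```

With the loopback-sourced configs, `mismatches(R1, R2)` reports both sides; switching each tunnel source to the WAN interface or its address, as the poster did, returns an empty list.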
