site to site VPN

Answered Question
Jul 22nd, 2009

Hi,

How could I check if the remote tunnel is up with this configuration:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88

sh ip int tunnel0 ( shows up )
ping 192.168.1.2 source fa 0/0 ( can ping )

Are there any other commands which can help in troubleshooting tunnels / network reachability?

What are the disadvantages of using this setup compared to IPSEC (apart from security)?

What is the other best option to have when IPSEC is not allowed?

Correct Answer by Giuseppe Larosa, Wed, 07/22/2009 - 11:30

Hello Ronald,

If both ends support it, you can use GRE keepalives to detect the good state of the other side.

The command can be

int tu0
 keepalive 10 3

Or you can run a routing protocol over the tunnel GRE IP subnet, like

router ospf 10
 network 192.168.1.0 0.0.0.3 area 0
!

Both methods provide a way to detect peer and overall path state.

Often the GRE tunnel is transported into IPsec for protection.

This is handy because the definition of the traffic to be protected is made with a single-line ACL: GRE between the public IP address hosts.

If IPsec cannot be used, you can use GRE alone as described above.

Hope to help

Giuseppe


ronald.ramzy Wed, 07/22/2009 - 12:41

Thanks Giuseppe, you are a great help.

Just a question: if the remote site public IP can be pinged but traceroute doesn't complete, in this scenario will the site-to-site VPN be established?

Richard Burts Thu, 07/23/2009 - 09:01

Ronald

You do not tell us whether the site to site is peering to the remote site public IP, though that would seem very likely. If the remote peer address can be pinged successfully then it demonstrates that there is IP connectivity. IP connectivity is one of the requirements for the site to site VPN to be established.

If traceroute does not work it is likely that somewhere in between the routers there is an access list that is not permitting the traceroute traffic or is not permitting the response to traceroute. This does not have anything to do directly with whether the VPN will be established.

HTH

Rick
