
site to site VPN #

ronald.ramzy
Level 1

Hi,

How could I check if the remote tunnel is up with this configuration:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88

sh ip int tunnel0 (shows up)

ping 192.168.1.2 source fa 0/0 (can ping)

Are there any other commands which can help in troubleshooting tunnels / network reachability?

What are the disadvantages of using this setup compared to IPSEC (apart from security)?

What is the other best option to have when IPSEC is not allowed?

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Ronald,

If both ends support it, you can use GRE keepalives to detect the good state of the other side.

The command can be:

int tu0
 keepalive 10 3

Or you can run a routing protocol over the tunnel GRE IP subnet, like:

router ospf 10
 network 192.168.1.0 0.0.0.3 area 0
!

Both methods provide a way to detect peer and overall path state.

Often a GRE tunnel is transported in IPsec for protection.

This is handy because the definition of traffic to be protected is made with a single-line GRE ACL between the public IP address hosts.

If IPsec cannot be used, you can use GRE alone as described above.

Hope to help

Giuseppe
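
A check for the question asked above, added here as an example and not part of the original thread: a GRE tunnel without keepalives reports up/up whenever the local router has a route to the tunnel destination, so the script below reads `show interface` text and separates "up and verified by keepalives" from "up but unverified". The sample output is constructed, the source address 203.0.113.10 is a placeholder, and `assess_tunnel` is a hypothetical helper name.

```python
import re

# Constructed `show interface Tunnel0` text, not captured from a real router.
# 203.0.113.10 is a placeholder source address; the thread does not give one.
NO_KEEPALIVE = """\
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.1/30
  Keepalive not set
  Tunnel source 203.0.113.10 (FastEthernet0/0), destination 163.129.169.88
  Tunnel protocol/transport GRE/IP
"""
WITH_KEEPALIVE = NO_KEEPALIVE.replace(
    "Keepalive not set", "Keepalive set (10 sec), retries 3")
PEER_LOST = WITH_KEEPALIVE.replace("line protocol is up", "line protocol is down")

STATUS = re.compile(r"^(\S+) is ([\w ]+?), line protocol is (\w+)", re.M)
KEEPALIVE = re.compile(r"Keepalive set \((\d+) sec\), retries (\d+)")


def assess_tunnel(show_output):
    """Classify one tunnel from its `show interface` text: (verdict, detail)."""
    status = STATUS.search(show_output)
    if status is None:
        raise ValueError("no interface status line found")
    name, admin, proto = status.groups()
    if (admin, proto) != ("up", "up"):
        return "down", f"{name}: interface {admin}, line protocol {proto}"
    keepalive = KEEPALIVE.search(show_output)
    if keepalive is None:
        # Plain GRE keeps no session state: up/up only means the local router
        # has a route to the tunnel destination, not that the peer answers.
        return "unverified", f"{name}: up/up without keepalive says nothing about the peer"
    period, retries = map(int, keepalive.groups())
    # With `keepalive 10 3` the line protocol drops after roughly 10 * 3 s.
    return "up", f"{name}: keepalives returning, loss detected in ~{period * retries}s"


if __name__ == "__main__":
    for text in (NO_KEEPALIVE, WITH_KEEPALIVE, PEER_LOST):
        print(assess_tunnel(text))
```
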

Thanks Giuseppe, you are a great help.

Just a question: if the remote site public IP can be pinged but traceroute doesn't complete, in this scenario will the site to site VPN be established?

Ronald

You do not tell us whether the site to site is peering to the remote site public IP, though that would seem very likely. If the remote peer address can be pinged successfully then it demonstrates that there is IP connectivity. IP connectivity is one of the requirements for the site to site VPN to be established.

If traceroute does not work it is likely that somewhere in between the routers there is an access list that is not permitting the traceroute traffic or is not permitting the response to traceroute. This does not have anything to do directly with whether the VPN will be established.

HTH

Rick


Thanks Giuseppe & Rick.
