07-22-2009 07:56 AM - edited 03-04-2019 05:31 AM
Hi,
How could I check if the remote tunnel is up with configuration
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88
sh ip int tunnel0 ( shows up )
ping 192.168.1.2 source fa 0/0 ( can ping )
Are there any other commands which can help in troubleshooting tunnels / network reachability?
What are the disadvantages of using this setup compared to IPSEC ( apart from security )?
What is the other best option to have when IPSEC is not allowed?
07-22-2009 11:30 AM
Hello Ronald,
If both ends support it, you can use GRE keepalives to detect the good state of the other side.
The command can be
int tu0
 keepalive 10 3
or you can run a routing protocol over the tunnel GRE IP subnet,
like
router ospf 10
 network 192.168.1.0 0.0.0.3 area 0
!
Both methods provide a way to detect peer and overall path state.
Often a GRE tunnel is transported inside IPsec for protection.
This is handy because the definition of traffic to be protected is made with a single-line ACL for GRE between the public IP addresses of the hosts.
If IPsec cannot be used, you can use GRE alone as described above.
Hope to help
Giuseppe
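Added example, not part of the posts in this thread: an IOS configuration sketch that combines the GRE keepalive with the single-line GRE ACL mentioned above, using a crypto map on the physical interface. The local public address 203.0.113.1, the pre-shared key placeholder, the ISAKMP/transform-set choices and the names GRE-TS, GRE-PROTECT and GRE-MAP are assumptions; only the Tunnel0 settings and the peer 163.129.169.88 come from the thread.

```cisco
! Assumed values: local public IP 203.0.113.1, <PRE-SHARED-KEY>, policy settings.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 163.129.169.88
!
! Transport mode: GRE already supplies the outer IP header between the peers.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! The single ACL line: protect GRE between the two public addresses.
! Everything routed into Tunnel0 is GRE-encapsulated, so it is all covered.
ip access-list extended GRE-PROTECT
 permit gre host 203.0.113.1 host 163.129.169.88
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 163.129.169.88
 set transform-set GRE-TS
 match address GRE-PROTECT
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ! Keepalive every 10 s; line protocol goes down after 3 missed replies.
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-MAP
```

The remote router needs the mirror-image ACL and peer statement. With this in place, `show crypto ipsec sa` should show encaps/decaps counters increasing while the keepalives run.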
07-22-2009 12:41 PM
Thanks Giuseppe, you are a great help.
Just a question: if the remote site public IP can be pinged but traceroute doesn't complete, in this scenario will the site to site VPN be established?
07-23-2009 09:01 AM
Ronald
You do not tell us whether the site to site is peering to the remote site public IP, though that would seem very likely. If the remote peer address can be pinged successfully then it demonstrates that there is IP connectivity. IP connectivity is one of the requirements for the site to site VPN to be established.
If traceroute does not work it is likely that somewhere in between the routers there is an access list that is not permitting the traceroute traffic or is not permitting the response to traceroute. This does not have anything to do directly with whether the VPN will be established.
HTH
Rick
07-24-2009 03:39 AM
Thanks Giuseppe & Rick.