GRE not Synching up

Unanswered Question
Aug 18th, 2009

All, I am trying to set up GRE between 2 2811 routers. I have verified that IPSec works properly between the two but when I try and set up GRE like I think it should be, basically everything loses connection. The 2811 at our Home Office is behind a firewall and is NAT'd there (60.60.60.60) so all my commands on the distant end reflect that. I need to know what I'm doing wrong though I suspect it has something to do with my usage of the vrf forwarding. Anyway, if you have any ideas I would appreciate it!

First the Home Office

ip vrf 3g
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ******** address 70.70.70.70
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 20 ipsec-isakmp
 set peer 70.70.70.70
 set transform-set aptset
 set pfs group5
 match address SC1000
!
!
interface Tunnel1
 description SC1000 GRE Tunnel Interface
 ip vrf forwarding 3g
 ip address 10.69.3.5 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 70.70.70.70 (cellular card address on Distant End)
!
interface FastEthernet0/0
 ip address 192.168.222.105 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip vrf forwarding 3g
 ip address 192.168.23.105 255.255.255.0
 duplex full
 speed 100
 ip access-group GRE in
 crypto map aptmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip route vrf 3g 0.0.0.0 0.0.0.0 192.168.200.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit ip host 70.70.70.70 host 192.168.23.105
 permit esp host 70.70.70.70 host 192.168.23.105
 permit udp host 70.70.70.70 eq isakmp host 192.168.23.105
 deny ip any any log
ip access-list extended SC1000
 permit ip host 70.70.70.70 any
 permit ip any 10.69.2.0 0.0.0.255
 permit gre host 70.70.70.70 host 192.168.23.105
!

Now the Distant End

ip vrf 3g
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ******** address 60.60.60.60
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 10 ipsec-isakmp
 set peer 60.60.60.60
 set transform-set aptset
 set pfs group5
 match address sc100
!
!
!
!
!
!
interface Tunnel0
 ip vrf forwarding 3g
 ip address 10.69.3.6 255.255.255.252
 tunnel source Cellular0/1/0
 tunnel destination 60.60.60.60 (NAT address at Home Office)
!
interface FastEthernet0/0
 ip address 10.69.2.1 255.255.255.0
 ip helper-address 10.36.74.30
 ip helper-address 10.36.74.31
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address 10.39.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed 100
!
interface Serial0/0/0
 no ip address
!
interface Cellular0/1/0
 ip vrf forwarding 3g
 ip address negotiated (negotiated ip 70.70.70.70)
 encapsulation ppp
 ip access-group GRE in
 dialer in-band
 dialer idle-timeout 10000
 dialer string cdma
 dialer-group 1
 async mode interactive
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 0312411C
 crypto map aptmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route vrf 3g 0.0.0.0 0.0.0.0 Cellular0/1/0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit esp host 60.60.60.60 host 70.70.70.70
 permit ip host 70.70.70.70 host 60.60.60.60
 permit udp host 60.60.60.60 eq isakmp host 70.70.70.70
 deny ip any any log
ip access-list extended sc100
 permit ip host 60.60.60.60 any
 permit gre host 70.70.70.70 host 60.60.60.60
 permit ip 10.69.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!

yagnesh_tel Tue, 08/18/2009 - 06:21

First of all, you are using the address range 192.168.x.x in your home office as the tunnel source. It should be routable to your distant office. I doubt that you can use this setup where your FW needs to NAT the GRE tunnel source IP (192.168.23.105) to the public address 60.60.60.60. The tunnel should be built directly between hosts 60.60.60.60 & 70.70.70.70.
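
Added example, not part of the thread or of either poster's configuration: a small Python check that resolves each router's `tunnel source` interface to its address and compares it with the peer's `tunnel destination`, which is the mismatch the reply above points at. The function names are hypothetical, the sample stanzas are abridged from the posted configs, and the Distant End's negotiated address is written as a static one as an assumption.

```python
import ipaddress
import re

# Abridged from the two configurations in the thread. The Distant End's
# negotiated address is written as static here (assumption for the check).
HOME_OFFICE = """\
interface Tunnel1
 tunnel source FastEthernet0/1
 tunnel destination 70.70.70.70
interface FastEthernet0/1
 ip address 192.168.23.105 255.255.255.0
"""
DISTANT_END = """\
interface Tunnel0
 tunnel source Cellular0/1/0
 tunnel destination 60.60.60.60
interface Cellular0/1/0
 ip address 70.70.70.70 255.255.255.255
"""

def interfaces(config):
    out, current = {}, None  # interface name -> list of its sub-commands
    for line in config.splitlines():
        if line.startswith("interface "):
            current = out.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return out

def tunnel_endpoints(config):
    """Return (outer source IP, destination IP); resolves the source interface."""
    ifs = interfaces(config)
    for name, cmds in ifs.items():
        if name.startswith("Tunnel"):
            args = {c.split()[1]: c.split()[2] for c in cmds if c.startswith("tunnel ")}
            for c in ifs.get(args.get("source"), []):
                m = re.match(r"ip address (\d+(?:\.\d+){3}) ", c)
                if m:
                    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(args["destination"])
    raise ValueError("no tunnel with a resolvable source interface")

def check_pair(local_cfg, remote_cfg):
    """Flag a tunnel whose outer source is not the address the peer sends to."""
    src, peer_dst = tunnel_endpoints(local_cfg)[0], tunnel_endpoints(remote_cfg)[1]
    if src == peer_dst:
        return []
    nat = " (RFC 1918 source: a NAT device sits in the path)" if src.is_private else ""
    return [f"outer source {src} != peer tunnel destination {peer_dst}{nat}"]
```

Run as `check_pair(HOME_OFFICE, DISTANT_END)`, it reports the Home Office side; with the arguments swapped it returns an empty list, because the Distant End sources the tunnel from the same address the Home Office targets.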
