08-18-2009 05:39 AM - edited 03-04-2019 05:46 AM
All, I am trying to set up GRE between two 2811 routers. I have verified that IPsec works properly between the two, but when I try to set up GRE the way I think it should be, basically everything loses connection. The 2811 at our Home Office is behind a firewall and is NAT'd there (60.60.60.60), so all my commands on the distant end reflect that. I need to know what I'm doing wrong, though I suspect it has something to do with my usage of VRF forwarding. Anyway, if you have any ideas I would appreciate it!
First the Home Office
ip vrf 3g
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ******** address 70.70.70.70
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 20 ipsec-isakmp
set peer 70.70.70.70
set transform-set aptset
set pfs group5
match address SC1000
!
!
interface Tunnel1
description SC1000 GRE Tunnel Interface
ip vrf forwarding 3g
ip address 10.69.3.5 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 70.70.70.70
! 70.70.70.70 is the cellular card address on the Distant End
!
interface FastEthernet0/0
ip address 192.168.222.105 255.255.255.0
duplex full
speed 100
!
interface FastEthernet0/1
ip vrf forwarding 3g
ip address 192.168.23.105 255.255.255.0
duplex full
speed 100
ip access-group GRE in
crypto map aptmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip route vrf 3g 0.0.0.0 0.0.0.0 192.168.200.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
permit ip host 70.70.70.70 host 192.168.23.105
permit esp host 70.70.70.70 host 192.168.23.105
permit udp host 70.70.70.70 eq isakmp host 192.168.23.105
deny ip any any log
ip access-list extended SC1000
permit ip host 70.70.70.70 any
permit ip any 10.69.2.0 0.0.0.255
permit gre host 70.70.70.70 host 192.168.23.105
!
Now the Distant End
ip vrf 3g
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ******** address 60.60.60.60
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 10 ipsec-isakmp
set peer 60.60.60.60
set transform-set aptset
set pfs group5
match address sc100
!
!
!
!
!
!
interface Tunnel0
ip vrf forwarding 3g
ip address 10.69.3.6 255.255.255.252
tunnel source Cellular0/1/0
tunnel destination 60.60.60.60
! 60.60.60.60 is the NAT address at the Home Office
!
interface FastEthernet0/0
ip address 10.69.2.1 255.255.255.0
ip helper-address 10.36.74.30
ip helper-address 10.36.74.31
duplex full
speed 100
!
interface FastEthernet0/1
ip address 10.39.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
shutdown
duplex auto
speed 100
!
interface Serial0/0/0
no ip address
!
interface Cellular0/1/0
ip vrf forwarding 3g
ip address negotiated
! negotiated address is 70.70.70.70
encapsulation ppp
ip access-group GRE in
dialer in-band
dialer idle-timeout 10000
dialer string cdma
dialer-group 1
async mode interactive
ppp authentication chap callin
ppp chap hostname 3343227377@vzw3g.com
ppp chap password 7 0312411C
crypto map aptmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route vrf 3g 0.0.0.0 0.0.0.0 Cellular0/1/0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
permit esp host 60.60.60.60 host 70.70.70.70
permit ip host 70.70.70.70 host 60.60.60.60
permit udp host 60.60.60.60 eq isakmp host 70.70.70.70
deny ip any any log
ip access-list extended sc100
permit ip host 60.60.60.60 any
permit gre host 70.70.70.70 host 60.60.60.60
permit ip 10.69.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
08-18-2009 06:21 AM
First of all, you are using the address range 192.168.x.x in your home office as the tunnel source. It should be routable to your distant office. I doubt that you can use this setup, where your FW needs to NAT the GRE tunnel source IP (192.168.23.105) to the public address 60.60.60.60. The tunnel should be built directly between hosts 60.60.60.60 & 70.70.70.70.
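To see concretely why the reply's point matters, the following added example (not part of the thread, not the poster's or Cisco's code) replays the extended ACLs copied from the two posted configs against the packets the GRE tunnel actually produces. It relies on the standard IOS behaviour that a crypto map classifies the already-encapsulated GRE packet, whose source is the tunnel source and whose destination is the tunnel destination (IP protocol 47). The packets are constructed, the ACL parser is a small simulator of IOS extended-ACL matching (only the syntax used in the thread), and HOME_SC1000_FIXED is an assumed correction that follows the reply's advice to build the tunnel between the two public addresses.

```python
"""Replay the thread's IOS extended ACLs against constructed GRE/IPsec packets.
Added example: ACL text is copied from the posted configs, packets are constructed,
HOME_SC1000_FIXED is an assumption based on the reply's recommendation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"isakmp": 500}  # the only port keyword the thread's ACLs use


@dataclass(frozen=True)
class Packet:
    proto: str                  # "gre", "esp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def reversed(self) -> "Packet":
        """The same flow as the other peer sees it (source and destination swapped)."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]        # (address, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' qualifier (named or numeric)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_acl(text: str):
    """Parse permit/deny lines of an IOS extended ACL; headers and 'log' are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return aces


def _matches(spec, address: str) -> bool:
    base, wildcard = spec   # wildcard bit set = "don't care", as in IOS
    return (int(ipaddress.ip_address(address)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(aces, pkt: Packet):
    """First matching ACE wins; an unmatched packet hits the implicit deny, as on IOS."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_matches(ace.src, pkt.src) and _matches(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "(implicit deny)"


# ACLs exactly as posted in the thread.
HOME_SC1000 = """
permit ip host 70.70.70.70 any
permit ip any 10.69.2.0 0.0.0.255
permit gre host 70.70.70.70 host 192.168.23.105
"""
DISTANT_SC100 = """
permit ip host 60.60.60.60 any
permit gre host 70.70.70.70 host 60.60.60.60
permit ip 10.69.2.0 0.0.0.255 any
"""
DISTANT_GRE_IN = """
permit esp host 60.60.60.60 host 70.70.70.70
permit ip host 70.70.70.70 host 60.60.60.60
permit udp host 60.60.60.60 eq isakmp host 70.70.70.70
deny ip any any log
"""
# Assumed correction per the reply: the tunnel, and so the crypto ACL, uses the public addresses.
HOME_SC1000_FIXED = "permit gre host 60.60.60.60 host 70.70.70.70\n"


def home_gre_classified():
    """GRE packet Tunnel1 emits (tunnel source -> tunnel destination) against the home
    crypto ACL. 'deny' means the crypto map ignores it and it leaves Fa0/1 in the clear."""
    return evaluate(parse_acl(HOME_SC1000), Packet("gre", "192.168.23.105", "70.70.70.70"))


def distant_inbound_after_nat():
    """That same GRE packet after the home firewall NATs its source, checked against
    the inbound ACL on Cellular0/1/0."""
    return evaluate(parse_acl(DISTANT_GRE_IN), Packet("gre", "60.60.60.60", "70.70.70.70"))


def crypto_acls_mirror(local: str, remote: str, pkt: Packet) -> bool:
    """IPsec peers need mirror-image crypto ACLs: each side must permit the flow as it sees it."""
    return (evaluate(parse_acl(local), pkt)[0] == "permit"
            and evaluate(parse_acl(remote), pkt.reversed())[0] == "permit")


if __name__ == "__main__":
    print("home crypto ACL vs outbound GRE:", home_gre_classified())
    print("distant inbound ACL vs NATed GRE:", distant_inbound_after_nat())
    print("posted ACLs mirror:", crypto_acls_mirror(
        HOME_SC1000, DISTANT_SC100, Packet("gre", "192.168.23.105", "70.70.70.70")))
    print("fixed ACLs mirror:", crypto_acls_mirror(
        HOME_SC1000_FIXED, DISTANT_SC100, Packet("gre", "60.60.60.60", "70.70.70.70")))
```

Two things fall out of running it: the home crypto ACL SC1000 never matches the GRE packet the tunnel generates (its `permit gre` line has the source and destination the wrong way round for outbound traffic), and after the firewall's NAT the cleartext GRE packet is dropped by the distant end's inbound ACL. With the tunnel endpoints set to the two public addresses, the posted sc100 on the distant end is already the mirror image of a one-line `permit gre` ACL at the home office; the same `crypto_acls_mirror` check can be reused for any pair of crypto ACLs before you bring a tunnel up.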