Cisco Support Community

New Member

GRE over IPSec tunnel won't stay up.

I'm trying to build a GRE tunnel across an existing IPSec tunnel so I can run OSPF for dynamic routing in a backup scenario.

I have an IPSec tunnel built across the internet between two firewalls (non-Cisco). Behind each firewall, I have a Cisco 7206 that I would like to build a GRE tunnel between to exchange dynamic routing info via OSPF.

I've read the Cisco configuration document and my config is identical. Unfortunately, the tunnel comes up for about 15 seconds and then dies.

Diagram.......

7206 <----------> Firewall <--------> Internet <--------> Firewall <----------> 7206

Any comments or suggestions regarding this problem would be greatly appreciated !!

3 REPLIES
New Member

Re: GRE over IPSec tunnel won't stay up.

Sounds like a routing issue. I tried this once in the lab and got a similar situation to yours. The routes were overridden by OSPF, and then the GRE tunnel went down.

So I use a static route to keep the tunnel always up.

Here is the sample config I have done for the CCO:

http://www.cisco.com/warp/customer/707/gre_ipsec_ospf.html

In that case, I use the following static routes to keep the GRE tunnel always up:

In Rodney:

"ip route 0.0.0.0 0.0.0.0 192.168.4.1

ip route 10.10.10.0 255.255.255.0 Tunnel0"

In House:

"ip route 0.0.0.0 0.0.0.0 192.168.3.1

ip route 20.20.20.0 255.255.255.0 Tunnel0"

Best Regards,
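
The failure described in the reply above, where a route learned by OSPF replaces the path to the tunnel endpoint and the tunnel then drops, can be checked offline against a copy of the routing table. This is an added example, not part of the original post or of Cisco's sample config; the two static routes are the ones quoted for Rodney, while the tunnel destination 192.168.3.2, the OSPF-learned prefix and the /32 host route are constructed assumptions.

```python
import ipaddress

# Administrative distances IOS assigns to these route sources (lower wins).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110}

def best_route(routes, dest):
    """Pick the route a router would use: longest prefix, then lowest distance."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                       -ADMIN_DISTANCE[r["source"]]),
    )

def tunnel_is_recursive(routes, tunnel_dest, tunnel_if="Tunnel0"):
    """True when the path to the tunnel's own endpoint points into the tunnel."""
    route = best_route(routes, tunnel_dest)
    return route is not None and route["via"] == tunnel_if

# Constructed value: address of the far-end router used as tunnel destination.
TUNNEL_DEST = "192.168.3.2"

# The two static routes quoted for Rodney in the reply.
STATIC_ONLY = [
    {"prefix": "0.0.0.0/0", "via": "192.168.4.1", "source": "static"},
    {"prefix": "10.10.10.0/24", "via": "Tunnel0", "source": "static"},
]

# Constructed: a prefix covering the tunnel endpoint, learned through the
# tunnel once the OSPF adjacency forms. It is more specific than the default.
AFTER_OSPF = STATIC_ONLY + [
    {"prefix": "192.168.3.0/24", "via": "Tunnel0", "source": "ospf"},
]

# Constructed: a host route that keeps the endpoint reachable outside the tunnel.
PINNED = AFTER_OSPF + [
    {"prefix": "192.168.3.2/32", "via": "192.168.4.1", "source": "static"},
]

if __name__ == "__main__":
    for name, table in [("static only", STATIC_ONLY),
                        ("after OSPF", AFTER_OSPF),
                        ("endpoint pinned", PINNED)]:
        print(name, "-> recursive:", tunnel_is_recursive(table, TUNNEL_DEST))
```
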

New Member

Re: GRE over IPSec tunnel won't stay up.

Thanks.....but I already have it configured like you suggested (and as suggested from the Cisco GRE / IPSec document).

I've already tested connectivity across the IPSec tunnel and I am not dropping packets.....so I know I have a good connection across the Internet.

Cisco Employee

Re: GRE over IPSec tunnel won't stay up.

Do you have a one-to-one NAT translation in the firewalls? GRE won't work over PAT because there's no port number for it to use, so make sure the router interfaces are statically NAT'd to a global IP address.

Do you see anything in the firewalls when the tunnels drop? Any syslog messages?
