Help with configuring a tunnel...

ArdjanCisco
Level 1

Hi! I want to configure a tunnel between an 871w (R1) and an 871 (R2).

R1 = 80.108.1.1, R2 = 80.109.2.2, these are public IPs.

R1 has no private network (yet), but R2 has a 10.0.0.40/29 on the inside. I would like to establish a tunnel between R1 and R2 with the address of 10.0.0.64/30, and a dynamic routing protocol for learning all routes of the 10.x network. (Dynamic, because in the end there will be 5 routers, with 10.x networks behind them...)

Currently, the config on R1 looks like:

interface Tunnel1014
 ip unnumbered Loopback1014
 tunnel source FastEthernet4
 tunnel destination 80.109.2.2
 tunnel sequence-datagrams
 tunnel checksum
!
interface Loopback10
 ip address 10.0.0.85 255.255.255.255
!
interface Loopback1014
 ip address 10.0.0.65 255.255.255.252
!
router eigrp 1
 network 10.0.0.64 0.0.0.3
 network 10.0.0.85 0.0.0.0
 no auto-summary
!
ip route 192.168.0.0 255.255.255.0 Vlan10 permanent
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 101 permit gre host 80.109.2.2 host 80.108.1.1
!
interface FastEthernet4
 ip access-group 101 in

(This should be all the relevant config.)

Of course, the other site is reverse... :-)

The tunnel is up, but I can't get a ping to 10.0.0.41 (which is fa0 in the remote router), I think this is because of the recursive routing...

Can someone give me a detailed config of how to get rid of this recursive routing problem? I tried "O'Reilly Cisco Cookbook" recipe 12.3, but couldn't get it working...

Thanx in advance!

1 Reply

First of all:

You can change ACL 101 to permit esp any any and permit gre any any. Nobody can pass GRE traffic if you haven't created a VPN connection with it. If it's a security concern, you can add some security to your tunnel interface (e.g. a tunnel key).

But for troubleshooting you had better remove your ACL.

You can also add "tunnel mode gre" to your tunnel interface.

Is your IPSec SA working fine?

Are you receiving routing updates?

Which dynamic routing protocol are you using?

Can you add a static route that simulates your dynamic routing protocol to see if it is a routing issue?
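
Recursive routing on a GRE tunnel means the best route to the tunnel destination points out of the tunnel itself. The Python check below is an added example, not part of the thread or of either poster's config: it runs a longest-prefix match for 80.109.2.2 over two constructed routing tables for R1, and the 80.109.2.0/24 prefix and the function names are assumptions made for illustration.

```python
import ipaddress


def best_route(routes, dest):
    """Longest-prefix match: return the (network, interface) that wins for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(prefix), ifname)
               for prefix, ifname in routes
               if addr in ipaddress.ip_network(prefix)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def is_recursive(routes, tunnel_if, tunnel_dest):
    """True when the tunnel's own destination is routed through the tunnel."""
    hit = best_route(routes, tunnel_dest)
    return hit is not None and hit[1] == tunnel_if


# Constructed routing tables for R1 (not output from the poster's router).
# Addresses and interface names are the ones given in the post.
HEALTHY = [
    ("0.0.0.0/0", "FastEthernet4"),    # ip route 0.0.0.0 0.0.0.0 dhcp
    ("10.0.0.64/30", "Tunnel1014"),    # tunnel subnet
    ("10.0.0.40/29", "Tunnel1014"),    # R2 inside network, learned over the tunnel
]
# Hypothetical failure case: a prefix covering the peer's public address
# is also learned over the tunnel and beats the default route.
RECURSIVE = HEALTHY + [("80.109.2.0/24", "Tunnel1014")]


def report(name, routes, tunnel_if="Tunnel1014", tunnel_dest="80.109.2.2"):
    """One-line summary of how the tunnel destination resolves."""
    hit = best_route(routes, tunnel_dest)
    state = "RECURSIVE" if is_recursive(routes, tunnel_if, tunnel_dest) else "ok"
    return f"{name}: {tunnel_dest} -> {hit[0]} via {hit[1]} [{state}]"


if __name__ == "__main__":
    print(report("healthy", HEALTHY))
    print(report("recursive", RECURSIVE))
```
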
