Cisco Support Community

New Member

Why do I need GRE?

We have purchased two 2811 routers to use for a site to site VPN. Both routers have the VPN AIM. I have everything working in a lab now, but it was a struggle. I'm new to this, so I happily used SDM to configure everything. Initially I used an IPSEC VPN without GRE. Everything went smoothly and I tested the tunnel using SDM and it all checked out. Then when I tried to ping between clients across the tunnel, every other ping request timed out. This was repeatable and occurred regardless of which side of the tunnel the ping was initiated from. Everything else (file transfer, web browsing) was not working. I started over and used GRE over IPSEC this time and everything began working...sorta. Small data transfers (32 byte ping requests) would work but I couldn't transfer large files across the tunnel. I fixed this by changing the MTU on the tunnel interfaces and on the clients to 1476 bytes to allow for 24 bytes that would be added due to encapsulation (at least I think that's what's going on). Changing the MTU on every client is acceptable for the moment, but it might not be down the road. If GRE is causing me to change the MTU, it makes me wonder why exactly do I need it? The SDM wizard help says to use GRE to connect remote sites with different network topologies, but that's not what I'm doing. Also, if a non-GRE IPSEC vpn can't get the job done, why is it even included in the wizard?

1 ACCEPTED SOLUTION

Silver

Re: Why do I need GRE?

Hi, just looked over the configuration here, looks fine for a L2L setup using pre-shared keys. Have you checked the basics, tried pinging from the router console port to the remote router F0/1 across your link? This will be un-encrypted.

Then try using an extended ping to the remote router, sending traffic between the F0/0 ports. This should get encrypted; you can verify this with 'sh crypto ipsec sa', find the packet counters in this output. Also you can clear the counters, 'clear crypto sa counters', before running the test.

Have you tried removing the crypto maps at both ends and pinging host to host with no encryption?

What about errors on the F0/1 interfaces, are they clean? Same goes for the F0/0 interfaces when testing host to host.

Some other points I'd try if all this passes ok: remove IP CEF and disable the other fast switching services on the interface, see if that makes any difference.

Andy
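One way to use those packet counters methodically, added here as an illustration and not part of Andy's post: take a snapshot of 'show crypto ipsec sa' before and after a known number of pings, then compare the encaps/decaps deltas with how many probes the host sent. The two snapshots below are constructed (the counter layout follows IOS 12.4 output, the numbers are made up) and the diagnosis rules are a simplification assumed for the example.

```python
import re

# Constructed snapshots of 'show crypto ipsec sa' (counter layout as on IOS 12.4,
# numbers made up), taken before and after a host sent 10 pings across the tunnel.
SNAP_BEFORE = """\
interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 172.168.240.10
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #send errors 0, #recv errors 0
"""
# Only 5 of the 10 pings reached the crypto map (the thread's symptom); those 5 got replies.
SNAP_AFTER = SNAP_BEFORE.replace("encaps: 100", "encaps: 105").replace("decaps: 100", "decaps: 105")

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_sa(text):
    """Extract the encaps/decaps and error counters of the (single) SA in the output."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    m = ERROR_RE.search(text)
    counters["send_errors"] = int(m.group(1)) if m else 0
    counters["recv_errors"] = int(m.group(2)) if m else 0
    return counters


def diagnose(before, after, probes_sent):
    """Compare two snapshots against the number of probes the host sent.
    The rules are a simplification assumed here, not an IOS feature."""
    enc = after["encaps"] - before["encaps"]   # packets the router encrypted
    dec = after["decaps"] - before["decaps"]   # packets it decrypted from the peer
    if enc == 0:
        return "no probe hit the crypto map: check routing and the crypto ACL"
    if enc < probes_sent:
        return (f"only {enc} of {probes_sent} probes were encrypted: "
                "packets are lost before the router, check host routing")
    if dec == 0:
        return "encrypted but nothing came back: check the remote side and return path"
    if dec < enc:
        return f"{enc} encrypted, {dec} decrypted: partial loss on the return path"
    return "tunnel passing traffic both ways"


if __name__ == "__main__":
    print(diagnose(parse_sa(SNAP_BEFORE), parse_sa(SNAP_AFTER), probes_sent=10))
```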

6 REPLIES
Hall of Fame Super Silver

Re: Why do I need GRE?

Chris

I do not think that we know enough about your situation to fully explain it. But let me tell a few things and if you still have questions, then you can rephrase your questions and provide a bit more information about your situation.

When you describe the first attempt to configure using only IPSec (without GRE) and you say that every other ping would time out, it sounds like a routing problem. In this problem there are two entries in the routing table pointing to the destination but only one of them works. The router sends a packet over the good path, and then a packet over the dead-end path, then a packet over the good path, then a packet over the dead-end path, repeat over and over.

It sounds like in configuring IPSec with GRE that the routing issue got resolved. If we knew the differences between the two configs we might explain how it was fixed, but for now all we can say is that the GRE configuration seems to have fixed it.

I believe that depending on what you are trying to do, you may or may not need GRE. To pass unicast IP traffic between the networks where static routes and/or default routes are sufficient (no dynamic routing between sites is required), IPSec without GRE should be enough. If you wanted to pass non-IP traffic, or if you wanted to pass multicast, or if you need to run a dynamic routing protocol between sites, then you need IPSec with GRE.

So the non-GRE IPSec was included because in some situations it does get the job done. In some others it does not. You need to determine what your requirements are and then you can choose the most appropriate solution.

HTH

Rick

New Member

Re: Why do I need GRE?

Rick,

I will try to reconfigure the tunnel without GRE using SDM and see if two routes to the destination exist. One other piece of info that I should have included the first time worked just fine. The hops showed correctly and every ping request came back quickly.

From what I've been reading the past couple of days, I think I'm going to have to wean myself off SDM quickly. For the moment though, I'll try to do everything just as before.

The traffic between the remote sites will be unicast IP. One side of the tunnel has a Smartgate server that will act as a web proxy for clients. The Smartgate server will then be used to access a webserver on the other side of the webserver. I have this all working now in our lab with GRE. There's no dynamic routing involved. Based on everything you've said it sounds like I don't really need GRE.

I'll give the IPSec only method another shot and post back what I find.

Thanks for the help.

Chris

New Member

Re: Why do I need GRE?

Well I put everything back the way it was with a non-GRE, IPSec only tunnel and the exact same problem occurred. I checked the routing config and I did indeed have two routes set up. One was the "default route" which pointed to the remote router's public interface (in my case FE 0/1). The second route pointed to the private LAN behind the remote router. I deleted the default route, but the problem persisted. I was in a hurry to get out of here to start a long weekend and forgot to save off the running config before I put everything back the way it was. Our software testers are currently using the working GRE setup, so I can't do anything until tomorrow. I'll try to get everything back into the non-working state and post the router configs tomorrow morning.

New Member

Re: Why do I need GRE?

Below is the config of one of the routers. Each router has a LAN (192.168.1.0/24 for router one and 192.168.2.0/24 for router two). Each LAN is connected to FE0/0 of its particular router. FE0/1 is the WAN interface on each router; IPs are 172.168.240.10/20 for router one and 172.168.240.20/20 for router two. I'm having the same problem as before: when a host pings a counterpart across the tunnel, every other ping times out and I can get nothing else to work. Again, this config is SDM generated. Does anything stand out that would cause the problem I'm seeing?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LabOne2811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-902531810
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-902531810
 revocation-check none
 rsakeypair TP-self-signed-902531810
!
!
crypto pki certificate chain TP-self-signed-902531810
 certificate self-signed 01
  3082024D 308201B6 A0030201 ...
  quit
username xxxx privilege 15 secret xxxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key tswg address 172.168.240.20
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to172.168.240.20
 set peer 172.168.240.20
 set transform-set ESP-3DES-SHA
 match address 100
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 172.168.240.10 255.255.240.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip classless
ip route 192.168.2.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


New Member

Re: Why do I need GRE?

I just wanted to follow up and thank everyone for their help. The counters in 'sh crypto ipsec sa' are basically what led me to the problem. The servers I had set up on each side of the VPN tunnel had dual NICs. Each NIC resided on its own subnet. And I had given each of these interfaces its own default gateway. I was able to ping from one host to another and watch every other packet not reach the router. The host was actually switching between default gateways. One was the correct path and the other had no means to get routed to the destination. I removed the second default gateway from each of the PCs and put in static routes to tell the computer which network card to use for a specific destination. Everything worked after that. I was using Windows 2003 Server and it never notified me that this was a bad idea. The funny thing was, when I was playing around with it again and trying to duplicate the error, a Windows message box notified me that two gateways on different subnets wouldn't work. I did not get this message the first time I made the mistake.

Just thought I'd share. Thanks again for the help.
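The mechanism Rick described and Chris eventually found, as an added illustration rather than anything posted in the thread: a host table with two default gateways hands packets to them in turn, so half the probes go to a gateway that has no path to 192.168.2.0/24, and a specific static route fixes it because the longer prefix wins. The second NIC's subnet (10.0.0.0/24, gateway 10.0.0.1) and the remote host address are assumed; 192.168.1.1 is the LAN side of the VPN router from the config above.

```python
import ipaddress
from itertools import cycle


class HostTable:
    """Minimal model of a host routing table: longest prefix wins, and equal
    routes for one prefix are used in turn, packet by packet, which is what
    the dual-homed Windows host in the thread appeared to do."""

    def __init__(self, routes):
        # routes: (prefix, gateway) pairs; the same prefix twice means two equal routes
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]
        self._turn = {}  # round-robin state per set of tied gateways

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes if dst in n]
        if not matches:
            return None
        best = max(n.prefixlen for n, _ in matches)
        tied = tuple(gw for n, gw in matches if n.prefixlen == best)
        if tied not in self._turn:
            self._turn[tied] = cycle(tied)
        return next(self._turn[tied])


def ping_loss(table, dst, reachable, count=10):
    """Fraction of `count` probes handed to a gateway that cannot reach dst."""
    lost = sum(1 for _ in range(count) if table.next_hop(dst) not in reachable)
    return lost / count


# Constructed addresses: 192.168.1.1 is the LAN router from the thread; the second
# NIC's subnet (10.0.0.0/24, gateway 10.0.0.1) and the remote host are assumed.
REACHES_REMOTE_LAN = {"192.168.1.1"}   # only the VPN router has a path to 192.168.2.0/24
REMOTE_HOST = "192.168.2.50"

def broken_table():
    # two default gateways, one per NIC: the mistake Chris described
    return HostTable([("0.0.0.0/0", "192.168.1.1"), ("0.0.0.0/0", "10.0.0.1")])

def fixed_table():
    # one default left, plus a specific static route for the remote LAN (longer prefix wins)
    return HostTable([("0.0.0.0/0", "10.0.0.1"), ("192.168.2.0/24", "192.168.1.1")])


if __name__ == "__main__":
    print("two default gateways:", ping_loss(broken_table(), REMOTE_HOST, REACHES_REMOTE_LAN))  # 0.5
    print("with static route:   ", ping_loss(fixed_table(), REMOTE_HOST, REACHES_REMOTE_LAN))  # 0.0
```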
