I have done a fair amount of searching on the forums to see if there has been a similar problem/resolution but haven't been successful. I hope I describe my problem well enough, but if you need more information please let me know.
My situation is this. I'm trying to build a site-to-site GRE tunnel VPN. I have a c2811 at the Head Office, and a c1811 at the remote site. Head Office has its public IP on its WAN interface; however, the remote site has its public IP NAT'd by its service provider to a private one, and it's this private address which sits on the c1811 WAN interface. The Head Office 2811 has its destination endpoint for the tunnel set to the remote site's public IP, and its source as its own public IP. But here is where I believe I am having the problem. The remote site has its destination IP as Head Office's public IP, but its source is its NAT'd private IP, which obviously is different to Head Office's destination. Does each endpoint have to have matching source and destination IPs? Because "show ip int brief" says the tunnel is up / up, however no traffic is flowing over the link, and "show crypto session" says it's down. A "show crypto ipsec sa" on the Head Office c2811 shows 46 send errors, 0 received errors, 0 received in total actually. On the remote site's c1811 it doesn't show any errors, received or sent.
The Head Office c2811 has other tunnels to other sites, which don't have NAT'd public IPs, which work fine, and I'm quite confident that there are no firewall rules/ACLs which would be blocking the traffic.
I apologise if I haven't made myself clear enough. And thank you in advance for any input.
I think a way around this would be to create a NAT aware IPSEC VPN tunnel between the outside interfaces of the 2811 and 1811 first, and then create a GRE tunnel from the *inside* interfaces of your routers, which runs over the IPSEC tunnel. If you take a look at this document:
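The layout suggested in the reply above, sketched as an added example that is not part of the original thread or the document it refers to: IPsec between the outside interfaces, with GRE sourced from addresses behind them so the provider's NAT never rewrites a GRE endpoint. All addresses, names, the key and interface numbers are constructed placeholders; Loopback0 stands in for the "inside" interface, and `group 14` assumes the IOS image supports it.

```cisco
! ---- Head office c2811 (WAN holds constructed public IP 198.51.100.1) ----
! 203.0.113.10 = remote site's public IP as seen from the Internet (constructed)
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended GRE-TO-REMOTE
 permit gre host 192.168.255.1 host 192.168.255.2
! Add as a new sequence if a crypto map is already applied to this interface
crypto map VPN 50 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set GRE-TS
 match address GRE-TO-REMOTE
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.255.2
interface FastEthernet0/0
 crypto map VPN
!
! ---- Remote c1811 (WAN holds the provider-NAT'd private address) ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
! Keeps the provider's NAT mapping alive for the UDP-encapsulated session
crypto isakmp nat keepalive 20
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended GRE-TO-HO
 permit gre host 192.168.255.2 host 192.168.255.1
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-HO
interface Loopback0
 ip address 192.168.255.2 255.255.255.255
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.255.1
interface FastEthernet0
 crypto map VPN
```

Each router also needs a route to the peer's loopback that leaves via the WAN interface, so the GRE packets hit the crypto map, and any NAT overload rule on that interface has to exclude the loopback-to-loopback traffic.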