I am deploying many Cisco 851 routers to various sites, and connecting these back to my network via GRE over IPSEC VPNs. The 851's will have dynamic IPs (as you can see via the config below). I'm also NATing remotely at the 851. Works great. However, I'd like to use dynamic routing to simplify administration and keep from having to add tons of static routes to my hub router.
I've tried various configurations, none of which work. Each time I add the 10.0.0.0 network to the RIP configuration, I receive "Tunnel0 state set to DOWN due to recursive routing" (paraphrased). The tunnel just flaps after that. My configurations are below. Please let me know if I've missed something simple (I've looked at it so long I may just be overlooking the obvious). BTW, I was really disappointed that Cisco disabled EIGRP in the 851. Great box overall, but hate to use RIP. TIA!
You need to put the following command in your tunnel interface
tunnel mode gre ip
or tunnel mode gre multipoint (check this out, cause you talked about dynamic assignment, and the multipoint will permit you to create dynamic tunnels between two spokes with dynamic IP)
Also you'll have to permit gre on both sides if you have an ACL on both WAN interfaces. You better add the ACL like this "permit gre any any" and put some security on your tunnel instead, like "tunnel key".
But for troubleshooting, you always better remove those ACLs to exclude that kind of issue.
Thanks, but "tunnel mode gre ip" is the default setting for tunnel interfaces. It will not show up in the configuration unless it is set to another value (such as multipoint). I do not want remote sites to communicate with each other, so multipoint is not an option.
The tunnels are working fine. Using static routes I can route between sites without a problem. It's just that RIP does not seem to propagate across the tunnel interfaces. And when I add the IP's of the tunnel to the RIP config (network 10.0.0.0), the tunnels begin to flap.
I've made progress and now see RIP routes at least going one way. The "hub" is receiving routes from the remote 851 without issue. The 851 is now receiving "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing." RIP routes from the Hub never make it into the 851's routing table.
This issue occurred on the Hub, but was resolved by placing a distribute-list on the RIP process to exclude the Tunnel interfaces from the advertisement. For some reason the same fix did not work on the 851. Ideas?
If it helps, the following config works for me. Granted, this is on an 871 with no NAT but it might be a good standing point. I'd take a close look at "tunnel source", as I think using the loopback could be the problem.
crypto map HOMEOFFICE 1 ipsec-isakmp
set peer 22.214.171.124
set transform-set ESP-3DES
match address 101
ip address 10.88.88.1 255.255.255.252
ip mtu 1400
keepalive 10 3
tunnel source FastEthernet4
tunnel destination 126.96.36.199
crypto map HOMEOFFICE
ip address 10.10.8.71 255.255.255.255
access-list 101 permit ip 172.16.231.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 172.17.1.0 0.0.0.255 172.16.0.0 0.15.255.255
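The recursive-routing condition behind %TUN-5-RECURDOWN in this thread, modelled as an added example (not code or configuration from any poster): the tunnel goes down when the best route to the tunnel destination points out the tunnel itself, and filtering the covering RIP prefix restores it. All addresses, interface names and the advertised prefixes are constructed assumptions, and the lookup is a simplified longest-prefix match rather than IOS's actual implementation.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    out_if: str
    source: str  # "static", "connected" or "rip"

def route(prefix, out_if, source):
    return Route(ipaddress.ip_network(prefix), out_if, source)

def best_route(rib, dest) -> Optional[Route]:
    """Longest-prefix match for dest, as a forwarding lookup would do."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def tunnel_is_recursive(rib, tunnel_if, tunnel_dest) -> bool:
    """True when the tunnel's own destination resolves through the tunnel."""
    hit = best_route(rib, tunnel_dest)
    return hit is not None and hit.out_if == tunnel_if

def learn_rip(rib, updates, in_if, deny=()):
    """Return a new RIB with RIP prefixes heard on in_if, minus denied ones."""
    denied = {ipaddress.ip_network(p) for p in deny}
    learned = [route(p, in_if, "rip") for p in updates
               if ipaddress.ip_network(p) not in denied]
    return list(rib) + learned

# Constructed spoke state: illustrative values, not taken from the thread.
TUNNEL_IF, TUNNEL_DEST = "Tunnel0", "10.255.0.1"
SPOKE_RIB = [
    route("0.0.0.0/0", "FastEthernet4", "static"),
    route("10.0.0.0/30", "Tunnel0", "connected"),
    route("192.168.1.0/24", "Vlan1", "connected"),
]
# Assumed hub advertisement once "network 10.0.0.0" is under router rip.
HUB_UPDATES = ["10.0.0.0/8", "172.16.0.0/16"]

def scenario():
    """Return (recursive before RIP, with unfiltered RIP, with filtered RIP)."""
    before = tunnel_is_recursive(SPOKE_RIB, TUNNEL_IF, TUNNEL_DEST)
    unfiltered = learn_rip(SPOKE_RIB, HUB_UPDATES, TUNNEL_IF)
    flapping = tunnel_is_recursive(unfiltered, TUNNEL_IF, TUNNEL_DEST)
    filtered = learn_rip(SPOKE_RIB, HUB_UPDATES, TUNNEL_IF, deny=["10.0.0.0/8"])
    fixed = tunnel_is_recursive(filtered, TUNNEL_IF, TUNNEL_DEST)
    return before, flapping, fixed

if __name__ == "__main__":
    print(scenario())
```

The same check applies to any prefix learned over the tunnel that covers the address used as the tunnel destination, whichever routing protocol delivers it.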