GRE not Synching up

All, I am trying to set up GRE between 2 2811 routers. I have verified that IPSec works properly between the two but when I try and set up GRE like I think it should be, basically everything loses connection. The 2811 at our Home Office is behind a firewall and is NAT'd there (60.60.60.60) so all my commands on the distant end reflect that. I need to know what I'm doing wrong though I suspect it has something to do with my usage of the vrf forwarding. Anyway, if you have any ideas I would appreciate it!

First the Home Office

ip vrf 3g
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ******** address 70.70.70.70
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 20 ipsec-isakmp
 set peer 70.70.70.70
 set transform-set aptset
 set pfs group5
 match address SC1000
!
!
interface Tunnel1
 description SC1000 GRE Tunnel Interface
 ip vrf forwarding 3g
 ip address 10.69.3.5 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 70.70.70.70 (cellular card address on Distant End)
!
interface FastEthernet0/0
 ip address 192.168.222.105 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip vrf forwarding 3g
 ip address 192.168.23.105 255.255.255.0
 duplex full
 speed 100
 ip access-group GRE in
 crypto map aptmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip route vrf 3g 0.0.0.0 0.0.0.0 192.168.200.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit ip host 70.70.70.70 host 192.168.23.105
 permit esp host 70.70.70.70 host 192.168.23.105
 permit udp host 70.70.70.70 eq isakmp host 192.168.23.105
 deny ip any any log
ip access-list extended SC1000
 permit ip host 70.70.70.70 any
 permit ip any 10.69.2.0 0.0.0.255
 permit gre host 70.70.70.70 host 192.168.23.105
!

Now the Distant End

ip vrf 3g
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ******** address 60.60.60.60
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map aptmap 10 ipsec-isakmp
 set peer 60.60.60.60
 set transform-set aptset
 set pfs group5
 match address sc100
!
!
!
!
!
!
interface Tunnel0
 ip vrf forwarding 3g
 ip address 10.69.3.6 255.255.255.252
 tunnel source Cellular0/1/0
 tunnel destination 60.60.60.60 (NAT address at Home Office)
!
interface FastEthernet0/0
 ip address 10.69.2.1 255.255.255.0
 ip helper-address 10.36.74.30
 ip helper-address 10.36.74.31
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address 10.39.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed 100
!
interface Serial0/0/0
 no ip address
!
interface Cellular0/1/0
 ip vrf forwarding 3g
 ip address negotiated (negotiated ip 70.70.70.70)
 encapsulation ppp
 ip access-group GRE in
 dialer in-band
 dialer idle-timeout 10000
 dialer string cdma
 dialer-group 1
 async mode interactive
 ppp authentication chap callin
 ppp chap hostname 3343227377@vzw3g.com
 ppp chap password 7 0312411C
 crypto map aptmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route vrf 3g 0.0.0.0 0.0.0.0 Cellular0/1/0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE
 permit esp host 60.60.60.60 host 70.70.70.70
 permit ip host 70.70.70.70 host 60.60.60.60
 permit udp host 60.60.60.60 eq isakmp host 70.70.70.70
 deny ip any any log
ip access-list extended sc100
 permit ip host 60.60.60.60 any
 permit gre host 70.70.70.70 host 60.60.60.60
 permit ip 10.69.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!


Re: GRE not Synching up

First of all, you are using address range 192.168.x.x in your home office as the tunnel source. It should be routable to your distant office. I doubt that you can use this setup where your FW needs to NAT the GRE tunnel source IP (192.168.23.105) to public address 60.60.60.60. The tunnel should be built directly between hosts 60.60.60.60 & 70.70.70.70.

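The mismatch the reply points out can be checked mechanically before a tunnel is deployed. The Python below is an added example, not part of the original thread: it resolves each tunnel's "tunnel source" interface to its configured address and compares it with the address the far end uses as "tunnel destination". The function names and the trimmed sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Trimmed from the Home Office config in the thread; indentation as in "show running-config".
HOME_OFFICE = """\
interface Tunnel1
 ip address 10.69.3.5 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 70.70.70.70
!
interface FastEthernet0/1
 ip address 192.168.23.105 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def first_arg(cmds, prefix):
    """First argument of the first sub-command that starts with prefix."""
    return next((c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix + " ")), None)

def audit_tunnel_sources(config, peer_tunnel_destination):
    """Return (tunnel, source address, reason) for each GRE source the peer cannot match."""
    interfaces, findings = parse_interfaces(config), []
    for name, cmds in interfaces.items():
        source_if = first_arg(cmds, "tunnel source")
        if source_if is None:
            continue
        source_ip = first_arg(interfaces.get(source_if, []), "ip address")
        try:
            private = ipaddress.ip_address(source_ip).is_private
        except ValueError:  # e.g. "ip address negotiated" or no address configured
            findings.append((name, source_ip, "source address not resolvable from config"))
            continue
        if private:
            findings.append((name, source_ip, "RFC 1918 source, not routable from the peer"))
        if source_ip != peer_tunnel_destination:
            findings.append((name, source_ip, "peer targets " + peer_tunnel_destination))
    return findings
```

Calling audit_tunnel_sources(HOME_OFFICE, "60.60.60.60") reports both conditions for Tunnel1: the source is a private address, and the Distant End targets a different (NAT) address.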