Cisco Support Community
New Member

GRE over IPSec - can ping tunnel interface but not remote LAN

Hi Everyone,

I've set up GRE over IPSec between 881 and 887VAs with no problem. I'm now trying to set up one between two 881s. The configuration was working when SITE B was set up behind a router. FastEthernet4 is now connected directly to a public IP address as it's connected to a new cable connection.

The tunnels are up. I can ping both tunnels, but I can't get a ping back on the remote LAN. Only Site B can initialise the tunnel with interesting traffic.

Site B router can ping Site A router, but no other devices on Site A's LAN. Site A can't ping Site B's router. Both routers can ping tunnel interfaces (10.0.64.1 and 10.0.64.254).

SITE A:

Local LAN: 192.168.1.254/255.255.255.0

Tunnel64: 10.0.64.1/255.255.255.0

interface Tunnel64
 description testing tunnel
 ip address 10.0.64.1 255.255.255.0
 ip mtu 1352
 ip tcp adjust-mss 1312
 tunnel source FastEthernet4
 tunnel destination (SITE B Public IP)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile (VPN-PROFILE)

ip route 0.0.0.0 0.0.0.0 (ROUTER IP ADDRESS)

ip route 192.168.64.0 255.255.255.0 10.0.64.254

SITE B:

Local LAN: 192.168.64.254/255.255.255.0

Tunnel1: 10.0.64.254/255.255.255.0

interface Tunnel1
 ip address 10.0.64.254 255.255.255.0
 ip mtu 1352
 ip tcp adjust-mss 1312
 tunnel source FastEthernet4
 tunnel destination (SITE A Public IP)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile (VPN PROFILE)

ip route 0.0.0.0 0.0.0.0 (PUBLIC IP GATEWAY)

ip route 192.168.1.0 255.255.255.0 10.0.64.1

Any help would be appreciated :) I'm pretty stumped :(

5 REPLIES
New Member

Thought I'd add some pings and traceroutes

SITE B:ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms

SITE B:traceroute 192.168.1.254
Type escape sequence to abort.
Tracing the route to 192.168.1.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.64.1 28 msec *  28 msec

SITE B: traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.64.1 28 msec 24 msec 32 msec
  2  *  *  *
  3  *  *  *
  4

SITE A:ping 192.168.64.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SITE A: traceroute 192.168.64.254
Type escape sequence to abort.
Tracing the route to 192.168.64.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.64.254 28 msec 28 msec 24 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *

New Member

I haven't got a device plugged in to the LAN interfaces at site B. I notice that VLAN1 status and protocol are down. Could this be the issue? Is it down because nothing is plugged into a LAN port?

SITE B:show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              (SITE B PUBLIC IP)  YES NVRAM  up                    up
NVI0                       (SITE B PUBLIC IP)  YES unset  up                    up
Tunnel1                    10.0.64.254     YES NVRAM  up                    up
Vlan1                      192.168.64.254  YES NVRAM  down                  down

New Member

Connecting a computer to one of the FastEthernet ports fixed my issue.

I love and loathe you Cisco. 
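
The failure worked out in this thread (tunnel up, LAN-side Vlan1 down/down, so pings to 192.168.64.254 across the tunnel go unanswered) can be checked mechanically. The Python below is an added example, not part of the original posts: it parses "show ip interface brief" output and reports any interface that owns an address inside a given remote-LAN prefix but is not up/up. The function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the redacted public IP.

```python
import ipaddress
import re

# Constructed sample: Site B output as posted in the thread, shortened, with a
# documentation address (203.0.113.10) standing in for the redacted public IP.
SITE_B_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet4              203.0.113.10    YES NVRAM  up                    up
Tunnel1                    10.0.64.254     YES NVRAM  up                    up
Vlan1                      192.168.64.254  YES NVRAM  down                  down
"""

# One data row: name, address, OK?, method, status, protocol.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?:YES|NO)\s+\S+\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)

def parse_brief(text):
    """Return one dict per interface row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def unreachable_owners(brief_text, prefix):
    """Interfaces holding an address inside prefix that are not up/up.

    While such an interface is down, its connected route is absent from the
    routing table, so pings to that address from the far side of the tunnel
    fail even though the tunnel endpoints answer.
    """
    net = ipaddress.ip_network(prefix)
    hits = []
    for row in parse_brief(brief_text):
        if row["ip"] == "unassigned":
            continue
        if ipaddress.ip_address(row["ip"]) in net and \
                (row["status"], row["proto"]) != ("up", "up"):
            hits.append((row["name"], row["ip"], row["status"], row["proto"]))
    return hits

if __name__ == "__main__":
    # Prefix taken from Site A's static route toward Site B's LAN.
    for name, ip, status, proto in unreachable_owners(SITE_B_BRIEF, "192.168.64.0/24"):
        print(f"{name} ({ip}) is {status}/{proto}: remote pings to it will fail")
```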

New Member

I'm glad you figured it out.

New Member

Only took three days too. It's funny how writing things out on a forum helps you work it all out. 
