GRE over IPSec - can ping tunnel interface but not remote LAN

Jared Oliver · ‎11-05-2014

Hi Everyone,

I've setup GRE over IPSec between 881 and 887VAs with no problem. I'm now trying to setup one between two 881s. The configuration was working when SITE B was setup behind a router. FastEthernet4 is now connected directly to a public ip address as it's connected to a new cable connection.

The tunnels are up. I can ping both tunnels, but I can't get a ping back on the remote LAN. Only Site B can initialise the tunnel with interesting traffic.

Site B router can ping Site A router, but no other devices on Site A's LAN. Site A can't ping Site B's router. Both routers can ping tunnel interfaces (10.0.64.1 and 10.0.64.254).

SITE A:

Local LAN: 192.168.1.254/255.255.255.0

Tunnel64: 10.0.64.1/255.255.255.0

interface Tunnel64
description testing tunnel
ip address 10.0.64.1 255.255.255.0
ip mtu 1352
ip tcp adjust-mss 1312
tunnel source FastEthernet4
tunnel destination (SITE B Public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile (VPN-PROFILE)

ip route 0.0.0.0 0.0.0.0 (ROUTER IP ADDRESS)

ip route 192.168.64.0 255.255.255.0 10.0.64.254

SITE B:

Local LAN: 192.168.64.254/255.255.255.0

Tunnel1: 10.0.64.254/255.255.255.0

interface Tunnel1
ip address 10.0.64.254 255.255.255.0
ip mtu 1352
ip tcp adjust-mss 1312
tunnel source FastEthernet4
tunnel destination (SITE A Public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile (VPN PROFILE)

ip route 0.0.0.0 0.0.0.0 (PUBLIC IP GATEWAY)

ip route 192.168.1.0 255.255.255.0 10.0.64.1

Any help would be appreciated :) I'm pretty stumped :(

Jared Oliver · ‎11-05-2014

Thought I'd add some pings and traceroutes

SITE B:ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms

SITE B:traceroute 192.168.1.254
Type escape sequence to abort.
Tracing the route to 192.168.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.1 28 msec * 28 msec

SITE B: traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.1 28 msec 24 msec 32 msec
2 * * *
3 * * *
4

SITE A:ping 192.168.64.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SITE A: traceroute 192.168.64.254
Type escape sequence to abort.
Tracing the route to 192.168.64.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.254 28 msec 28 msec 24 msec
2 * * *
3 * * *
4 * * *

Jared Oliver · ‎11-05-2014

I haven't got a device plugged in to the LAN interfaces at site B. I notice that VLAN1 status and protocol are down. Could this be the issue? Is it down because nothing is plugged into a LAN port?

SITE B:show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 (SITE B PUBLIC IP) YES NVRAM up up
NVI0 (SITE B PUBLIC IP) YES unset up up
Tunnel1 10.0.64.254 YES NVRAM up up
Vlan1 192.168.64.254 YES NVRAM down down

Jared Oliver · ‎11-05-2014

Connecting a computer to one of the FastEthernet ports fixed my issue.

I love and loathe you Cisco.

LA-Engineer · ‎11-05-2014

I'm glad you figured it out.

Jared Oliver · ‎11-05-2014

Only took three days too. It's funny how writing things out on a forum helps you work it all out.