Cisco Support Community
New Member

site to site VPN #

Hi,

How could I check if the remote tunnel is up with configuration

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88

sh ip int tunnel0 ( shows up )

ping 192.168.1.2 source fa 0/0 ( can ping )

Are there any other commands which can help in troubleshooting tunnels / network reachability?

What are the disadvantages of using this setup compared to IPSEC ( apart from security )?

What is the other best option to have when IPSEC is not allowed?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: site to site VPN #

Hello Ronald,

if both ends support it you can use GRE keepalives to detect the good state of the other side

the command can be

int tu0
 keepalive 10 3

or you can run a routing protocol over the tunnel GRE ip subnet

like

router ospf 10
 network 192.168.1.0 0.0.0.3 area 0
!

both methods provide a way to detect peer and overall path state.

Often GRE tunnel is transported into IPsec for protection.

this is handy because the definition of traffic to be protected is made with a single line ACL GRE between public ip addresses hosts

if IPSec cannot be used you can use GRE alone as described above.

Hope to help

Giuseppe
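
The GRE-over-IPsec arrangement mentioned in the reply above, as an added example that is not part of the original thread: the single-line GRE ACL is what the crypto map matches. The local public address 192.0.2.1, ACL number 101, the names GRE-TS and GRE-MAP and the key placeholder are assumptions, as is an IOS release that supports the SHA-256 options; 163.129.169.88 and the Tunnel0 lines come from the question.

```cisco
! Added example, not from the thread. Assumed values: local public IP 192.0.2.1,
! ACL 101, names GRE-TS / GRE-MAP, and the pre-shared key placeholder.
!
! Phase 1 (IKE) policy and the pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PRE_SHARED_KEY_PLACEHOLDER address 163.129.169.88
!
! Phase 2: ESP with encryption and integrity; transport mode because GRE
! already supplies the outer IP header between the two public addresses
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The single-line ACL: protect GRE between the two tunnel endpoints only
access-list 101 permit gre host 192.0.2.1 host 163.129.169.88
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 163.129.169.88
 set transform-set GRE-TS
 match address 101
!
! Tunnel from the question, with the keepalive from the reply
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 163.129.169.88
!
! Apply the crypto map on the physical interface that sources the tunnel
interface FastEthernet0/0
 crypto map GRE-MAP
```

The remote router needs the mirror image of this configuration with the two public addresses swapped; `show crypto isakmp sa` and `show crypto ipsec sa` show whether the security associations are established and whether packet counters are incrementing.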

4 REPLIES
New Member

Re: site to site VPN #

Thanks Giuseppe, you are a great help.

Just a question: if the remote site public IP can be pinged but traceroute doesn't complete, in this scenario will the site to site VPN be established?

Hall of Fame Super Silver

Re: site to site VPN #

Ronald

You do not tell us whether the site to site is peering to the remote site public IP, though that would seem very likely. If the remote peer address can be pinged successfully then it demonstrates that there is IP connectivity. IP connectivity is one of the requirements for the site to site VPN to be established.

If traceroute does not work it is likely that somewhere in between the routers there is an access list that is not permitting the traceroute traffic or is not permitting the response to traceroute. This does not have anything to do directly with whether the VPN will be established.

HTH

Rick

New Member

Re: site to site VPN #

Thanks Giuseppe & Rick.
