topic Re: GRE Over IPSEC configuration in Routing and SD-WAN

GRE Over IPSEC configuration

dacobelltacham — Tue, 21 Jun 2022 10:02:58 GMT

hello

i have configured my GRE over IPSEC Tunnel and it is UP on both routers

but when i configure BGP between both routers it doesnot come UP and when i try to make a ping between both loopbacks used for BGP it is not passing, i realised the tunnel blocks the packets from those IPs

please i do i authorize those IPs to be used for BGP inside the tunnel

Re: GRE Over IPSEC configuration

MHM Cisco World — Tue, 21 Jun 2022 10:07:08 GMT

share config please.

Re: GRE Over IPSEC configuration

Giuseppe Larosa — Tue, 21 Jun 2022 14:26:52 GMT

Hello @dacobelltacham ,

for each direction you need an host /32 static route pointing to the GRE tunnel with destination the loopback of the other node.

Without it the tunnel is not used.

In addition if using eBGP you will need to enable eBGP-multihop under router BGP for the neighbor +

neighbor x.x.x.x update-source loopM

Hope to help

Giuseppe

Re: GRE Over IPSEC configuration

dacobelltacham — Tue, 21 Jun 2022 15:06:19 GMT

when i try to ping both loopbacks which am to used for eBGP sessions it is
not successfull even though my tunnel is UP and reachability is ok

Re: GRE Over IPSEC configuration

MHM Cisco World — Tue, 21 Jun 2022 15:13:27 GMT

Ebgp using loopback as update source need ebgp multi hop command.

This what mr. @Giuseppe Larosa mention before.

Re: GRE Over IPSEC configuration

MHM Cisco World — Tue, 21 Jun 2022 16:19:55 GMT

For reachability you

Ip route lo tunnel x

In both gre tunnel end router,

This make lo is reachable.

After that

Config ebgp update source lo

Config ebgp multi hop 2

Re: GRE Over IPSEC configuration

dacobelltacham — Tue, 21 Jun 2022 16:58:19 GMT

i have done that but no reachability , and when i try to creat a policy to
permit my Loopbacks communicate inside the tunnel i noticed that the tunnel
goes down

Re: GRE Over IPSEC configuration

MHM Cisco World — Tue, 21 Jun 2022 17:10:02 GMT

ip access-list extended IPSEC_ACL
permit gre host x.x.x.x host x.x.x.x

Only this need for acl of ipsec.

Re: GRE Over IPSEC configuration

Giuseppe Larosa — Tue, 21 Jun 2022 19:43:11 GMT

Hello ,

>> when i try to creat a policy to
permit my Loopbacks communicate inside the tunnel i noticed that the tunnel
goes down

you cannot use the loopback address as external IP addresses and to route them inside the tunnel at the same time this error is called recursive routing.

it would be easier if you would share in txt attachment file your configuraition of the two routers.

Hope to help

Giuseppe

Re: GRE Over IPSEC configuration

paul driver — Tue, 21 Jun 2022 20:50:20 GMT

Hello
You need reachabilty to the loopbacks if you wish to establish an bgp peer.on them, So as suggested can you attach the output of the following into a file and attach it to your OP.

sh run | sect router
sh ip route
sh ip protocols
sh ip int brief | in up
sh ip bgp sum
sh run | in crypto
sh crypto isakmp sa
sh crypto ipsec sa

Re: GRE Over IPSEC configuration

Joseph W. Doherty — Tue, 21 Jun 2022 21:38:27 GMT

BTW, on many Cisco devices, an "UP" tunnel doesn't always imply the tunnel is really UP.

From one tunnel device, can you ping the other side's internal IP?

Re: GRE Over IPSEC configuration

_|brt.drml|_ — Thu, 23 Jun 2022 05:50:26 GMT

- are both end point of the tunnel reachable?

- check your vrf configuration if used

-create a route to your loopback

- check if BGP configuration is pointing to correct neighbor and

- add in BGP the correct sourcing

- run the above 'show commands'

- as a side test, create dynamic routing between if you administer both end points