Tunneling over WAN

abaghir
Level 1

Hello,

Our company has two links with our providers and we want to use these links for a point-to-point connection. Our provider cannot route our private IPs and they provided their own IP range, so we've tried to create a tunnel between these locations over our provider network. Below is the configuration for the two routers:

**********************
Site A
**********************

interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.123.106
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.123.34 255.255.255.252
ip route 172.16.1.0 255.255.255.0 Tunnel0

***************************
Site B
***************************

interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source Ethernet0/1
 tunnel destination 192.168.123.34
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/1
 ip address 192.168.123.106 255.255.255.252
ip route 172.16.0.0 255.255.255.0 Tunnel0

With the above configuration, the 192 range which is provided by our provider is reachable from both routers, while our local IP range 172 and the tunnel IP 10 ARE NOT REACHABLE.

Could you please advise what could be the cause of that?

Your help is highly appreciated...

7 Replies

aacole
Level 5

Is the tunnel up? Do a show int t0 to verify. Also I'd add keepalive onto the tunnel interface, as it may well show up/up even though it's not really active. The output of show int t0 will indicate if keepalives are flowing across the link.

If not then I suspect a routing issue, can you ping the remote router 192.168.x.x from the local router? So long as you can route to the 192.168.x.x addresses the tunnel should come up.

When pinging the remote 172 network across the tunnel are you using an extended ping and setting the source address to the local 172.16.x.x address?

You will need a route to the remote 192.168.x.x network via the 192.168.x.x next hop, or out of the appropriate interface, or a default route to the same address or interface.

Post up your routing tables if you're still having problems, and the output of sh int t0.

Finally if all that is ok, have you enabled subnet zero on the site A router?

Thank you for the info.

I've enabled the keepalive on the tunnel interfaces with 10 sec, and I executed the sh int t0 command, which shows the status of the tunnel int on both routers as up/down.

Please advise how I can make the tunnel come up...

On both routers you need a route so the tunnel packets to the tunnel destination are routed out of the correct interface.

On site A either:

ip route 192.168.123.106 255.255.255.255 f0/1

or

ip route 0.0.0.0 0.0.0.0 f0/1

On site B router

ip route 192.168.123.34 255.255.255.255 e0/1

or a default route out of the same interface.

Before adding these routes use the extended ping feature (ping followed by return and fill in the details at the prompts), select the option to use extended options and use the 192.168.x.x address as the source IP address. If you fail to get replies to the pings then it's most likely a routing problem.

Add the routes and check the tunnel status. If it's still down, use the extended ping again to verify connectivity.

Routes already added and I'm able to reach the 192.168 address from both routers with the source of 192.168, but the Tunnel interface is still down.

Please advise...

How odd, I would have expected the tunnel to establish then.

I've just set one up here in my lab, and turned on debug ip packet to see the GRE tunnel packets.

You could verify if you're sending and receiving the tunnel packets across the correct interface by this method.

On one of the routers in config mode set up an access list, `access-list 110 permit gre any any'

then exit config mode and enter `debug ip packet 110 det'. This turns on detailed debugging for any GRE packets.

In my case I see the following:

*Mar 1 01:39:14.951: IP: s=10.1.1.1 (Tunnel0), d=10.1.1.2 (FastEthernet0/0), len 48, sending, proto=47

*Mar 1 01:39:14.951: IP: tableid=0, s=10.1.1.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), routed via RIB

*Mar 1 01:39:14.951: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), len 24, rcvd 3, proto=47

These 3 lines show I'm sending and receiving GRE packets, denoted by the `proto=47'. The debug also shows the interface they go over and the IP addresses used; my tunnel source and dest are both in the 10.1.1.0 subnet.

Turn the debug off by `no debug all'

What do you get? You may also need to turn off the fast switching on the ISP facing interface by the command `no ip route-cache'

I agree with Andy that in what you posted in the original message the main issue was that there was not anything that told the router how to route to the other end point of the tunnel.

Now you say that routes are already added and you are able to reach the 192.168 addresses.

I suggest that it is time for you to post an updated version of what is in your config, including the complete tunnel config, the config of all interfaces, and any config of routing information. It would also help to post the output of show ip route from both routers.

I have done a lot of GRE tunnels and in my experience the biggest source of problems with GRE is basic IP connectivity between tunnel source and tunnel destination.

I suspect that part of our difficulty is that you have changed addresses in your post to protect security interests and may have obscured some facet of things.

HTH

Rick


The tunnel is up now and everything is working fine...

there was a routing problem.

Thank you all for your help...
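
Added example, not part of the original thread: a longest-prefix-match check of whether each router, as configured in the first post, has a route to its own tunnel destination, and how the routes suggested in the replies change the result. The dictionaries are constructed from the posted configs; the function names are hypothetical, every interface is assumed to be up, and the check for a destination routed back into the tunnel goes beyond the case discussed in the thread.

```python
import ipaddress

# Constructed from the Site A and Site B configurations posted in the thread.
SITE_A = {
    "tunnel_destination": "192.168.123.106",
    "connected": {"Tunnel0": "10.1.1.1/30",
                  "FastEthernet0/0": "172.16.0.1/24",
                  "FastEthernet0/1": "192.168.123.34/30"},
    "static": [("172.16.1.0/24", "Tunnel0")],
}
SITE_B = {
    "tunnel_destination": "192.168.123.34",
    "connected": {"Tunnel0": "10.1.1.2/30",
                  "Ethernet0/0": "172.16.1.1/24",
                  "Ethernet0/1": "192.168.123.106/30"},
    "static": [("172.16.0.0/24", "Tunnel0")],
}

def build_rib(site, extra_static=()):
    """Return (network, interface) entries; assumes every interface is up."""
    rib = [(ipaddress.ip_interface(a).network, i) for i, a in site["connected"].items()]
    rib += [(ipaddress.ip_network(p), i) for p, i in list(site["static"]) + list(extra_static)]
    return rib

def lookup(rib, dest):
    """Longest-prefix match for dest, or None when nothing covers it."""
    addr = ipaddress.ip_address(dest)
    return max((r for r in rib if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)

def check_tunnel(site, extra_static=()):
    """Say how the GRE packets to the tunnel destination would be routed."""
    route = lookup(build_rib(site, extra_static), site["tunnel_destination"])
    if route is None:
        return "no route to tunnel destination"
    if route[1].startswith("Tunnel"):
        return "tunnel destination routed via the tunnel itself"
    return f"tunnel destination reachable via {route[1]}"

if __name__ == "__main__":
    print("Site A as posted:", check_tunnel(SITE_A))
    print("Site B as posted:", check_tunnel(SITE_B))
    print("Site A with host route:",
          check_tunnel(SITE_A, [("192.168.123.106/32", "FastEthernet0/1")]))
    print("Site B with default route:",
          check_tunnel(SITE_B, [("0.0.0.0/0", "Ethernet0/1")]))
```

The two /30 subnets on the provider-facing interfaces (192.168.123.32/30 and 192.168.123.104/30) do not contain each other's addresses, which is why neither posted config can reach its tunnel destination without an extra route.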