GRE Over IPSEC configuration

dacobelltacham
Level 1

Hello,

I have configured my GRE over IPsec tunnel and it is UP on both routers,

but when I configure BGP between both routers it does not come UP, and when I try to ping between the two loopbacks used for BGP the ping does not pass; I realised the tunnel blocks the packets from those IPs.

Please, how do I authorize those IPs to be used for BGP inside the tunnel?

11 Replies

Share config please.

Giuseppe Larosa
Hall of Fame

Hello @dacobelltacham ,

For each direction you need a host /32 static route pointing to the GRE tunnel, with the loopback of the other node as the destination.

Without it the tunnel is not used.

In addition, if using eBGP you will need to enable eBGP multihop under router BGP for the neighbor, plus

neighbor x.x.x.x update-source loopM

 

Hope to help

Giuseppe

 

When I try to ping both loopbacks, which I am to use for the eBGP sessions, it is
not successful, even though my tunnel is UP and reachability is OK.

eBGP using a loopback as update source needs the eBGP multihop command.

This is what Mr. @Giuseppe Larosa mentioned before.

For reachability you

ip route lo tunnel x

in both GRE tunnel end routers.

This makes the lo reachable.

After that

Config eBGP update source lo

Config eBGP multihop 2

I have done that but there is no reachability, and when I try to create a policy to
permit my loopbacks to communicate inside the tunnel I noticed that the tunnel
goes down.

ip access-list extended IPSEC_ACL
permit gre host x.x.x.x host x.x.x.x

 

Only this is needed for the ACL of IPsec.

Hello,

>> when I try to create a policy to
permit my loopbacks to communicate inside the tunnel I noticed that the tunnel
goes down

You cannot use the loopback address as the external IP address and route it inside the tunnel at the same time; this error is called recursive routing.

It would be easier if you would share the configuration of the two routers as a txt attachment.

 

Hope to help

Giuseppe
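To put the pieces from the replies above together (host /32 route via the tunnel, update-source plus ebgp-multihop, a crypto ACL that matches only GRE, and tunnel endpoints kept out of the tunnel to avoid recursive routing), here is one side of a minimal IOS configuration. This is an added example, not the poster's configuration; all addresses, interface names, AS numbers and the pre-shared key are assumed placeholders, and the peer router mirrors it with the addresses swapped.

```cisco
! Added example (assumed addresses/ASNs): router A; router B mirrors it.
! Loopback used only as the BGP update-source, never as the tunnel source.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Crypto ACL matches only the GRE packets between the two outside addresses.
! The loopbacks ride inside GRE, so they must not appear in this ACL.
ip access-list extended IPSEC_ACL
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE_PSK_PLACEHOLDER address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address IPSEC_ACL
!
! Outside interface: tunnel endpoint and crypto map attachment point.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM
!
! Tunnel source/destination are the outside addresses, reached via the
! connected link, so they are never routed into the tunnel (no recursion).
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! Host route for the peer loopback through the tunnel (one per direction).
ip route 10.0.0.2 255.255.255.255 Tunnel0
!
! Loopback-to-loopback eBGP: source from Lo0 and allow the extra hop.
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 ebgp-multihop 2
```

After applying both sides, "show crypto ipsec sa" should show encaps/decaps counters rising while pinging 10.0.0.2 sourced from Loopback0, and "show ip bgp summary" should move to Established.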

 

Hello
You need reachability to the loopbacks if you wish to establish a BGP peer on them. So, as suggested, can you attach the output of the following into a file and attach it to your OP.

sh run | sect router
sh ip route
sh ip protocols
sh ip int brief | in up
sh ip bgp sum
sh run | in crypto
sh crypto isakmp sa
sh crypto ipsec sa


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

BTW, on many Cisco devices, an "UP" tunnel doesn't always imply the tunnel is really UP.

From one tunnel device, can you ping the other side's internal IP?

 

_|brt.drml|_
Level 1

- are both end points of the tunnel reachable?
- check your VRF configuration if used
- create a route to your loopback
- check if the BGP configuration is pointing to the correct neighbor and
- add in BGP the correct sourcing
- run the above 'show commands'
- as a side test, create dynamic routing between if you administer both end points
