06-21-2022 03:02 AM
Hello,
I have configured my GRE over IPsec tunnel and it is UP on both routers,
but when I configure BGP between both routers it does not come UP, and when I try to ping between both loopbacks used for BGP it does not pass. I realised the tunnel blocks the packets from those IPs.
Please, how do I authorize those IPs to be used for BGP inside the tunnel?
06-21-2022 03:07 AM
share config please.
06-21-2022 07:26 AM
Hello @dacobelltacham ,
For each direction you need a host /32 static route pointing to the GRE tunnel, with the loopback of the other node as destination.
Without it the tunnel is not used.
In addition, if using eBGP you will need to enable eBGP-multihop under router BGP for the neighbor +
neighbor x.x.x.x update-source loopM
Hope to help
Giuseppe
06-21-2022 08:06 AM
06-21-2022 08:13 AM
eBGP using a loopback as update source needs the eBGP multihop command.
This is what Mr. @Giuseppe Larosa mentioned before.
06-21-2022 09:19 AM
For reachability you
Ip route lo tunnel x
On both GRE tunnel end routers.
This makes lo reachable.
After that
Config ebgp update source lo
Config ebgp multi hop 2
06-21-2022 09:58 AM
06-21-2022 10:10 AM
ip access-list extended IPSEC_ACL
permit gre host x.x.x.x host x.x.x.x
Only this is needed for the ACL of IPsec.
06-21-2022 12:43 PM
Hello,
>> when i try to create a policy to permit my Loopbacks to communicate inside the tunnel i noticed that the tunnel goes down
You cannot use the loopback addresses as external IP addresses and route them inside the tunnel at the same time; this error is called recursive routing.
It would be easier if you would share the configuration of the two routers in a txt attachment file.
Hope to help
Giuseppe
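The pieces suggested in the replies above, put together for one router as an added example (not configuration posted by any participant in this thread). All addresses, AS numbers, interface names, crypto parameters and the `TS`/`CMAP` names are constructed assumptions, and the key is a placeholder.

```cisco
! R1 (AS 65001). Constructed values: WAN 192.0.2.1, peer WAN 198.51.100.1,
! tunnel subnet 10.255.0.0/30, BGP loopbacks 10.1.1.1 (R1) and 10.2.2.2 (R2).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The crypto ACL matches only the GRE packets between the tunnel endpoints.
! Loopback traffic is already inside GRE, so it needs no entry of its own.
ip access-list extended IPSEC_ACL
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address IPSEC_ACL
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CMAP
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
! Tunnel is sourced from the WAN interface, not from the BGP loopback.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
! The tunnel destination must be reached over the WAN, never via Tunnel0,
! otherwise the router reports recursive routing and the tunnel flaps.
ip route 198.51.100.1 255.255.255.255 192.0.2.2
! The peer's BGP loopback is reached through the tunnel.
ip route 10.2.2.2 255.255.255.255 Tunnel0
!
router bgp 65001
 neighbor 10.2.2.2 remote-as 65002
 neighbor 10.2.2.2 update-source Loopback0
 neighbor 10.2.2.2 ebgp-multihop 2
```

R2 mirrors this with the addresses and AS numbers swapped. On R1, `show ip route 10.2.2.2` should resolve via Tunnel0 while `show ip route 198.51.100.1` should resolve via the WAN next hop.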
06-21-2022 01:49 PM - edited 06-21-2022 01:50 PM
Hello
You need reachability to the loopbacks if you wish to establish a BGP peer on them, so as suggested can you save the output of the following into a file and attach it to your OP.
sh run | sect router
sh ip route
sh ip protocols
sh ip int brief | in up
sh ip bgp sum
sh run | in crypto
sh crypto isakmp sa
sh crypto ipsec sa
06-21-2022 02:38 PM
BTW, on many Cisco devices, an "UP" tunnel doesn't always imply the tunnel is really UP.
From one tunnel device, can you ping the other side's internal IP?
06-22-2022 10:50 PM
- are both endpoints of the tunnel reachable?
- check your VRF configuration if used
- create a route to your loopback
- check if BGP configuration is pointing to the correct neighbor and
- add in BGP the correct sourcing
- run the above 'show commands'
- as a side test, create dynamic routing between them if you administer both endpoints