GRE Tunnel issues

Michaelkarper
Level 1

Hi, 

 

I'm trying to set up a GRE tunnel between me and my buddy for learning purposes. We both use a 1921 router.

However, I'm not successful in making this work IRL; in GNS3 this was done in a minute.

I can ping the outside interfaces without any issues.

 

"Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 83.xxx.xxx.118, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms"

 

If anyone could point me in the right direction I'd be grateful.

I've added the output from my running-configs and the show int Tunnel output.

 

R1#

interface Tunnel1
description Tunnel naar R2
ip address 172.16.0.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 83.xxx.xxx.118
!
i
!
interface GigabitEthernet0/0
description Modem
ip ddns update hostname xxxxxx.xxxxx.xxxxx
ip ddns update NOIP
ip address dhcp
ip nat outside
ip virtual-reassembly in max-fragments 64
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description Trunk Switch
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
description MAINS Subinterface
encapsulation dot1Q 10
ip address xxx.xxx.xxx.xxx
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description GUEST Subinterface
encapsulation dot1Q 20
ip address xxx.xxx.xxx.xxx
ip access-group GUESTLAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description LIFX Subinterface
encapsulation dot1Q 30
ip address xxx.xxx.xxx.xxx
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip forward-protocol udp 56700
!
no ip http server
no ip http secure-server
!
ip nat inside source list INSIDENAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface GigabitEthernet0/0 22
!
ip access-list standard INSIDENAT
permit xxx.xxx.xxx.xxx 0.0.0.255
permit xxx.xxx.xxx.xxx 0.0.0.255
permit xxx.xxx.xxx.xxx 0.0.0.255
ip access-list standard VTYACL
permit 172.168.0.2
permit xxx.xxx.xxx.xxx 0.0.0.255
!
ip access-list extended GUESTLAN
deny ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255 log
deny ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255 log
permit ip any any

 

sh int Tunnel

Tunnel1 is up, line protocol is up
Hardware is Tunnel
Description: Tunnel naar R2
Internet address is 172.16.0.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 94.xxx.xxx.59 (GigabitEthernet0/0), destination 83.xxx.xxx.118
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 01:04:26, output 00:42:00, output hang never
Last clearing of "show interface" counters 03:47:39
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
614 packets input, 32928 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
689 packets output, 40732 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

 

R2# 

interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 94.xxx.xxx.59
!
interface GigabitEthernet0/0
ip ddns update hostname xxx.xxx.xxx.xxx
ip ddns update NOIP
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
ip access-group GUESTLAN in
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group GUESTLAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NATINSIDE interface GigabitEthernet0/0 overload
ip nat inside source static xxx.xxx.xxx.xxx interface GigabitEthernet0/0
ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface GigabitEthernet0/0 22
ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 83.87.40.1 254
!
ip access-list standard NATINSIDE
permit xxx.xxx.xxx.xxx 0.0.0.255
permit xxx.xxx.xxx.xxx 0.0.0.255
permit xxx.xxx.xxx.xxx 0.0.0.255
!
ip access-list extended GUESTLAN
deny ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255
deny ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255
permit ip any any
ip access-list extended VTYACL
permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
permit ip host 172.16.0.1 any
deny ip any any

 

sh int Tunnel

 

Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.0.2/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 83.xxx.xxx.118 (GigabitEthernet0/0), destination 94.xxx.xxx.59
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output 00:13:35, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
614 packets output, 32928 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

6 Replies

Deepak Kumar
VIP Alumni

Hi,

You are missing two points.

1. Routing for GRE tunnel traffic. 

2. Deny in NAT acl for GRE tunnel traffic. 

 

Please make it correct at both locations and it will work correctly.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak, 

 

I've added a deny to my NAT access lists and added a static route on both routers.

 

Standard IP access list INSIDENAT
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (491287 matches)
20 permit 192.168.2.0, wildcard bits 0.0.0.255
30 permit 192.168.3.0, wildcard bits 0.0.0.255 (188990 matches)
40 deny 172.16.0.0, wildcard bits 0.0.0.255

 

ip route 172.16.0.0 255.255.255.0 GigabitEthernet0/0

 

ping still doesn't work.

Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Am I missing something?

 

Thank you for your help. Kind Regards,

Michael.

 

Again, the route is incorrect.

ip route 172.16.0.0 255.255.255.0 tunnel1 (or the remote site's tunnel IP address).

 

And convert the standard ACL to an extended one.

 

Regards,

Deepak Kumar


 

Hi Deepak, 

 

That route was already placed in the routing table when I made the tunnel interface.

 

I've located the issue that was causing this: a static NAT translation for remote access was wrong. It was a translation for all traffic and not just the SSH port.

 

I removed the translation and replaced it with the correct one. 

 

Everything is working now! 

 

Thank you for your help.

 

Kind regards, 

 

Michael.
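An added diagnostic script, written for this thread and not code from the posters or from Cisco, that turns Deepak's two checks (routing and the NAT ACL deny) and Michael's root cause (a static translation for all traffic) into something you can run against captured output. It first cross-checks the two "show interface Tunnel" counters posted above: R1 counts 689 packets output and 614 input, R2 counts 614 output and 0 input, so R1's input equals R2's output exactly and only the R1-to-R2 direction is lost, which points at whatever R2 does with inbound GRE before it reaches Tunnel1. It then scans a config fragment for a static NAT on the tunnel source interface that names no protocol or port (the pattern on R2's `ip nat inside source static ... interface GigabitEthernet0/0` line), and reports whether the overload NAT ACL permits the tunnel subnet. The sample counters are the posted ones; the 192.0.2.x addresses, the `NATINSIDE` entries and all function names are constructed for the example.

```python
import re
from itertools import takewhile
from ipaddress import ip_address, ip_network

# Constructed sample input, modelled on the thread's two routers. The packet counters are
# the ones posted; the 192.0.2.x addresses are documentation placeholders, not real ones.
R1_SHOW_TUNNEL = """\
614 packets input, 32928 bytes, 0 no buffer
689 packets output, 40732 bytes, 0 underruns
"""
R2_SHOW_TUNNEL = """\
0 packets input, 0 bytes, 0 no buffer
614 packets output, 32928 bytes, 0 underruns
"""
R2_CONFIG = """\
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
ip nat inside source list NATINSIDE interface GigabitEthernet0/0 overload
ip nat inside source static 192.0.2.10 interface GigabitEthernet0/0
ip nat inside source static tcp 192.0.2.10 22 interface GigabitEthernet0/0 22
ip access-list standard NATINSIDE
 permit 192.0.2.0 0.0.0.255
 deny 172.16.0.0 0.0.0.255
"""

COUNTER_RE = re.compile(r"(\d+) packets (input|output)")
TUNNEL_IP_RE = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", re.M)
TUNNEL_SRC_RE = re.compile(r"^\s*tunnel source (\S+)", re.M)
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?:(tcp|udp) )?(\S+)(?: \d+)? interface (\S+)", re.M)
NAT_LIST_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload", re.M)
ACL_ENTRY_RE = re.compile(r"^\s+(permit|deny) (?:host )?(\d+(?:\.\d+){3})(?: (\d+(?:\.\d+){3}))?")

def tunnel_counters(show_output):
    """{'input': n, 'output': n} from a 'show interface Tunnel' dump."""
    return {kind: int(n) for n, kind in COUNTER_RE.findall(show_output)}

def diagnose_direction(a, b):
    """What A counts as output should reappear as B's input and vice versa; a zero on
    one side only tells you which direction is lost in transit."""
    findings = []
    if a["output"] and b["input"] == 0:
        findings.append("A->B: A transmits GRE but B's tunnel counts no input; "
                        "inbound GRE is dropped or diverted before B's Tunnel interface")
    if b["output"] and a["input"] == 0:
        findings.append("B->A: B transmits GRE but A's tunnel counts no input")
    return findings

def section(config, header):
    """Indented lines that follow a top-level IOS config line, i.e. one config block."""
    lines = config.splitlines()
    start = lines.index(header) + 1 if header in lines else len(lines)
    return list(takewhile(lambda line: line.startswith(" "), lines[start:]))

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard -> network; only contiguous wildcards such as 0.0.0.255."""
    bits = int(ip_address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def acl_action(config, acl_name, net):
    """First-match lookup of a standard named ACL for a whole subnet; IOS denies implicitly."""
    target = ip_network(net)
    for line in section(config, f"ip access-list standard {acl_name}"):
        m = ACL_ENTRY_RE.match(line)
        if m:
            action, addr, wildcard = m.groups()
            if target.subnet_of(wildcard_to_network(addr, wildcard or "0.0.0.0")):
                return action
    return "implicit-deny"

def tunnel_facts(config, tunnel="Tunnel1"):
    """(tunnel subnet, tunnel source interface) read from the tunnel's own config block."""
    block = "\n".join(section(config, f"interface {tunnel}"))
    ip, src = TUNNEL_IP_RE.search(block), TUNNEL_SRC_RE.search(block)
    subnet = ip_network(f"{ip.group(1)}/{ip.group(2)}", strict=False) if ip else None
    return subnet, (src.group(1) if src else None)

def catch_all_static_nats(config, outside_if):
    """Static NATs on the outside interface that name no protocol/port: every inbound packet
    to that public address, GRE (IP protocol 47) included, is handed to the inside host."""
    return [host for proto, host, iface in STATIC_NAT_RE.findall(config)
            if iface == outside_if and not proto]

def diagnose_nat(config, tunnel="Tunnel1"):
    """The two NAT checks the thread converged on, run against one router's config."""
    subnet, outside_if = tunnel_facts(config, tunnel)
    findings = [f"catch-all static NAT to {host} on {outside_if}: inbound GRE to the public "
                f"address goes to that host and never reaches {tunnel}"
                for host in catch_all_static_nats(config, outside_if)]
    m = NAT_LIST_RE.search(config)
    if m and m.group(2) == outside_if and acl_action(config, m.group(1), str(subnet)) == "permit":
        findings.append(f"NAT ACL {m.group(1)} permits tunnel subnet {subnet}; add an explicit deny")
    return findings

if __name__ == "__main__":
    r1, r2 = tunnel_counters(R1_SHOW_TUNNEL), tunnel_counters(R2_SHOW_TUNNEL)
    for finding in diagnose_direction(r1, r2) + diagnose_nat(R2_CONFIG):
        print("-", finding)
```

Run as-is it reports one direction finding (A->B) and one config finding (the catch-all static NAT); the explicit `deny 172.16.0.0 0.0.0.255` in the sample ACL keeps the second NAT check quiet, which mirrors Michael's experience that the ACL deny alone did not bring the tunnel up. Paste your own `show interface Tunnel` output and running-config fragments into the constants to check a real pair of routers.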

 

Michael

 

Thanks for posting back with the information that you have found the problem and corrected it. +5 for finding the solution. It is always good to see messages where the original poster has solved their own problem. I hope that other readers in the forum will find your solution helpful.

 

HTH

 

Rick


Hi

The tunnel configuration is OK, so you could route the traffic to be known via the tunnel; otherwise it is known via interface g0/0, where the traffic could be getting NAT applied.

 

:-)



