12-20-2016 12:08 AM - edited 03-05-2019 07:42 AM
Hi,
I have installed a GNS3 lab and I have configured the routers for a GRE tunnel over IPsec, as seen in the attached picture.
Attached you can see the configurations of R3, R1, R7 and R4.
The problem is that with this setup the tunnels are up but I cannot ping from PC2 (192.168.1.2) to PC1 (192.168.2.2).
When I put the loopback IP of R4 in the tunnel destination, I receive a recursive routing problem, which I can't resolve.
When I put the R3 fa0/0 IP address in the tunnel source and the R4 fa0/1 IP address in the tunnel destination (and vice versa), the tunnels are up and I can ping from PC2 to PC1.
I would like to put the loopback IP addresses of the routers in the tunnel source and tunnel destination as the best solution, but I receive a "recursive routing" error, and I can't find where I have the wrong configuration.
Can you help me?
Regards
12-20-2016 01:23 AM
Hello,
as far as I can tell, the recursive routing occurs because the next hop for the tunnel destination is the tunnel itself. Try and add the following static routes:
R3#
ip route 192.168.5.2 255.255.255.255 FastEthernet0/0
R4#
ip route 192.168.4.2 255.255.255.255 FastEthernet0/0
12-20-2016 01:55 AM
Thanks for your answer.
As you can see, on R3 and R4 I have default routes pointing to the other end, so I don't think that these extra routes will help.
12-20-2016 11:19 PM
Hello Elias,
sorry for the misunderstanding. What I meant to say is: whatever address or interface you use as tunnel source and/or destination must be reachable in your network NOT through the tunnel. That is when recursive routing occurs. In your case, if you want to use the loopback interfaces as sources, make sure there is a route to them within your network, and that route must not include the tunnel. I labbed your setup, and the only way I could accomplish that is by adding static host routes on both R7 and R1:
R7:
ip route 1.1.1.1 255.255.255.255 Serial2/0
ip route 2.2.2.2 255.255.255.255 FastEthernet0/0
R1
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
ip route 2.2.2.2 255.255.255.255 Serial2/0
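The rule described in the post above, as an added example that is not part of the thread or of the attached configurations: resolve the tunnel destination by longest-prefix match, follow next-hop IPs down to an interface, and flag the case where that interface is the tunnel itself. The two routing tables are constructed for illustration; only 2.2.2.2, 172.16.0.x and 192.168.2.0/24 come from the thread.

```python
import ipaddress

# Constructed routing tables: (prefix, target). A target is either an
# interface name or a next-hop IP. 2.2.2.2 is the peer loopback used as
# the tunnel destination.
BROKEN = [
    ("172.16.0.0/30", "Tunnel0"),   # tunnel subnet, connected
    ("0.0.0.0/0", "172.16.0.2"),    # default route via the far tunnel end
]
FIXED = BROKEN + [
    ("2.2.2.2/32", "FastEthernet0/0"),  # host route that avoids the tunnel
    ("192.168.2.0/24", "Tunnel0"),      # remote LAN goes through the tunnel
]

def lookup(routes, dest):
    """Longest-prefix match; returns (network, target) or None."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), t) for p, t in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def egress_interface(routes, dest, max_depth=8):
    """Follow next-hop IPs until a route names an interface."""
    for _ in range(max_depth):
        hit = lookup(routes, dest)
        if hit is None:
            return None
        target = hit[1]
        try:
            ipaddress.ip_address(target)
        except ValueError:
            return target            # not an IP, so it is an interface name
        dest = target                # next hop is an IP: resolve it in turn
    return None                      # next-hop loop or chain too deep

def check_tunnel(routes, tunnel_if, tunnel_dest):
    """Classify how the tunnel destination is reached."""
    egress = egress_interface(routes, tunnel_dest)
    if egress is None:
        return "unreachable"
    return "recursive" if egress == tunnel_if else "ok"

if __name__ == "__main__":
    for name, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_tunnel(table, "Tunnel0", "2.2.2.2"))
```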
12-22-2016 02:50 AM
Hi again
I have implemented all these nice things that you have told me, and in the attached files you can see the configurations of R3 and R4.
Now, as you can see, I can ping the tunnel destination of both R3 and R4 (R3:1.1.1.1 and R4:2.2.2.2), but I can't ping the LAN IP addresses of the respective routers. I suppose these pings will pass through the GRE tunnel (172.16.0.1 from R3 and 172.16.0.2 from R4), but the pings fail!
Any help?
12-22-2016 04:58 AM
Hello,
are your tunnel interfaces up/up?
12-22-2016 05:05 AM
Also, since you are not using crypto maps, add the following to both tunnels:
tunnel mode ipsec ipv4
This creates the IPSec static VTIs.
Of course make sure you have static routes configured for 192.16.1.0/24 and 192.168.2.0/24 pointing to the tunnels on the respective routers.
12-22-2016 06:05 AM
12-23-2016 02:08 AM
Hello Elias,
I got the config to work with loopback interfaces, the 4 configurations are attached. I have changed a few things such as the transform set encryption, the tunnel interfaces, and the static routing. Try and see if you get this to work in your GNS3 setup.
12-23-2016 10:27 AM
My friend gpauwen, I would like to thank you for the corrections that you have made to the configs.
I copied your corrections and the lab works fine!
I think that the main problem was the below command:
In my config I had the 192.168.5.2 IP address and not 2.2.2.2.
Thank you very much for your help!
crypto isakmp key cisco123! address 2.2.2.2
12-23-2016 11:25 AM
Elias,
to be honest, I am not sure if some of the problems are GNS3 specific. Either way, (static) virtual tunnel interfaces do not work when the transport set is configured for 'mode transport', you have to configure 'mode tunnel'.
Anyway, it works; the idea is of course that xVTIs are much easier to configure than VPNs with crypto maps, interesting traffic, etc...
Good luck with this and other labs!
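A small configuration check for the two faults reported in the posts above, as an added example that is not taken from the thread's attachments: a pre-shared key bound to an address other than the tunnel destination, and a transform set in `mode transport` on a tunnel that uses `tunnel mode ipsec ipv4`. The sample configuration, the names `TS` and `PROF`, and the key placeholder are constructed; the transport-mode check encodes what the poster states, not an independently verified IOS rule.

```python
import re

# Constructed running-config fragment for one router (not from the thread).
BROKEN = """\
crypto isakmp key EXAMPLE-PSK address 192.168.5.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
"""
# Same fragment with both faults corrected.
FIXED = (BROKEN.replace("address 192.168.5.2", "address 2.2.2.2")
               .replace("mode transport", "mode tunnel"))

def lint_vti(config):
    """Return a list of findings for one router's configuration text."""
    findings = []
    key_peers = set(re.findall(
        r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    dests = re.findall(r"^\s*tunnel destination (\S+)", config, re.M)
    is_vti = re.search(r"^\s*tunnel mode ipsec ipv4", config, re.M)
    transport = re.search(r"^\s*mode transport", config, re.M)

    # A key bound to 0.0.0.0 matches any peer, so it covers every tunnel.
    if "0.0.0.0" not in key_peers:
        for dest in dests:
            if dest not in key_peers:
                findings.append(
                    f"no isakmp key for tunnel destination {dest}")
    if is_vti and transport:
        findings.append("transform set uses mode transport on a VTI")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_vti(cfg) or "no findings")
```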
12-21-2016 08:02 AM
There are a few things to consider:
Does Router 3 have a route to the source and destination? If not, then you need to fix this. This can be done with a static route or with dynamic routing (OSPF, EIGRP, etc.). Ensure that on Router 3, you have a route to the source and destination. The loopback should be directly connected, so that shouldn't be a problem.
Does Router 1 have a route to the source and destination (tunnel source/destination)? If not, then you need to fix this. This can be done with a static route or with dynamic routing (OSPF, EIGRP, etc.). Ensure that on Router 1, you have a route to the source and destination.
Same for router 7 and Router 4, ensure that each specific router has a path (route) to source and destination. Once you fix this, I believe you should be good to go. Sorry I didn't give you the specific answer, but I think you have the knowledge to fix this based on the information you already posted.
Sam