2213 Views, 5 Helpful, 20 Replies

GRE Tunnel suggestion

Robert Craig
Level 3

I am doing a booth at the end of this month. They have public WIFI access. I'd like to bring some phones with me to connect back to my hub router. My thoughts are to connect my laptop to the wifi, bridge the wireless card to the LAN card, and then connect my 871W to the laptop. Then just have a multipoint GRE tunnel from the 871W back to the hub. Anyone see any issues with the setup?

20 Replies

Unfortunately even turning on NAT didn't help. I did get a few more results. The hub side said "incomplete" when I do a 'show ip nhrp'. That never appeared at all. The spoke still says it was created, but I know it's not up yet. The Tunnel interface is up/up on both sides, but it never completely establishes. I'm not even concentrating on the LAN subnets right now. Just being able to ping the other side of the tunnel will suffice. I'm starting to think maybe my HUB side is messed up. Below is the hub config. Maybe I am doing something wrong.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 13:33:50 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...

Current configuration : 11833 bytes
!
! Last configuration change at 13:30:10 Arizona Fri Mar 15 2013 by robert.l.craig
! NVRAM config last updated at 13:30:11 Arizona Fri Mar 15 2013 by robert.l.craig
! NVRAM config last updated at 13:30:11 Arizona Fri Mar 15 2013 by robert.l.craig
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M4.bin
boot system flash:c3825-adventerprisek9-mz.151-4.M6.bin
boot-end-marker
!
!
no logging console
enable secret XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius RadiusServers
 server 192.168.4.44 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh group RadiusServers local
aaa authentication enable default enable
aaa authorization network default group RadiusServers local
aaa accounting exec default
 action-type start-stop
 group RadiusServers
!
!
!
!
!
!
aaa session-id common
!
clock timezone Arizona -7 0
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name craig.net
ip name-server 4.2.2.1
ip multicast-routing
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW ntp
ip inspect name FW tftp
ip inspect name FW sip
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
!
!
license udi pid CISCO3825 sn FTX1041A39S
archive
 log config
  hidekeys
username craigrobertlee privilege 15 password XXXXXXXXXXXXXXXXXX
!
redundancy
!
!
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any VOIP_TRAFFIC
 match ip dscp ef
 match protocol rtp
!
!
policy-map Voip-for-Tunnel-to-Rogers
 class VOIP_TRAFFIC
  priority percent 50
 class class-default
  bandwidth remaining percent 99
policy-map Tunnel-to-Rogers
 class class-default
  shape average 5000000
  service-policy Voip-for-Tunnel-to-Rogers
policy-map VOIP_POLICY
 class VOIP_TRAFFIC
  priority percent 50
 class class-default
  bandwidth remaining percent 99
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpn_client
 key XXXXXXXXXXXXXXXXXXXXXXXXXXX
 dns 192.168.1.126 192.168.15.10
 domain atw.local
 pool vpn-pool
 acl VPN-CLIENT
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto ipsec profile CRYPTO-GRE
 set security-association lifetime seconds 86400
 set transform-set VPNSET
!
crypto ipsec profile Rogers-VPN
 set transform-set ESP-3DES-SHA
!
crypto ipsec profile VPN-Clients
 set transform-set ESP-3DES-SHA
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel1
 bandwidth 5000
 bandwidth receive 2000
 ip address 10.10.10.1 255.255.255.248
 ip mtu 1278
 load-interval 30
 qos pre-classify
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 184.X.X.X
 tunnel protection ipsec profile Rogers-VPN
 service-policy output Tunnel-to-Rogers
!
interface Tunnel2
 ip address 10.77.140.2 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp map 10.77.140.1 8.11.X.X
 ip nhrp map multicast 8.11.X.X
 ip nhrp network-id XX
 ip nhrp nhs 10.77.140.1
 ip tcp adjust-mss 1400
 load-interval 30
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XX
!
interface Tunnel5
 description Test DMVPN
 ip address 10.10.20.1 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp map multicast dynamic
 ip nhrp network-id XX
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XX
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 bandwidth 5000
 ip address dhcp
 ip access-group Outside_In in
 ip access-group BLOCK_PRIV_ADDRS out
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 service-policy output VOIP_POLICY
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip ospf 1 area 0
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel1
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 192.168.0.5 0.0.0.0 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
 distribute-list Deny_OSPF_Routes out
!
ip local pool vpn-pool 192.168.0.129 192.168.0.140
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.4.48 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.4.48 22 interface GigabitEthernet0/0 22
ip nat inside source static tcp 192.168.4.48 21 interface GigabitEthernet0/0 21
ip nat inside source static udp 192.168.4.2 5060 interface GigabitEthernet0/0 5060
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 8.11.254.0 255.255.255.0 10.77.140.1 name Smartchoice
ip route 8.11.254.245 255.255.255.255 GigabitEthernet0/0
ip route 8.22.188.0 255.255.255.0 10.77.140.1 name Smartchoice
ip route 8.22.188.100 255.255.255.255 GigabitEthernet0/0
ip route 10.77.146.0 255.255.255.0 192.168.0.2
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
ip route 192.168.4.0 255.255.255.224 192.168.0.2
ip route 192.168.4.32 255.255.255.224 192.168.0.2
ip route 192.168.4.64 255.255.255.224 192.168.0.2
ip route 192.168.4.96 255.255.255.224 192.168.0.2
ip route 192.168.4.128 255.255.255.224 192.168.0.2
ip route 192.168.50.0 255.255.255.0 10.10.20.2 name Test
!
ip access-list standard CME-SIP-Traffic
 permit 192.168.2.6
ip access-list standard Deny_OSPF_Routes
 deny   8.11.254.245
 deny   8.22.188.0
 deny   8.22.188.100
 deny   10.77.140.0
 deny   10.77.146.0
 deny   172.19.73.13
 deny   8.11.254.0
 permit any
ip access-list standard SNMP
 permit 192.168.4.48
ip access-list standard Test
 permit any
ip access-list standard Test_In
 permit any
!
ip access-list extended BLOCK_PRIV_ADDRS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended NO_NAT_WAN
 deny   ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.15.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.0.0 0.0.3.255 any
 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended Outside_In
 permit udp any any eq bootpc log
 permit udp any any eq bootps log
 permit udp any eq bootps any eq bootpc log
 permit udp any host 68.3.X.X eq isakmp log
 permit udp any host 68.3.X.X eq non500-isakmp log
 permit esp any host 68.3.X.X log
 permit tcp any host 68.3.X.X eq 443 log
 permit ip host 8.11.X.X host 68.3.X.X log
 permit udp any eq domain host 68.3.X.X log
 permit udp any host 68.3.102.45 range 16384 32767 log
 permit ip host 216.115.69.144 host 68.3.X.X log
 permit ip host 70.167.153.130 host 68.3.X.X log
 permit ip host 50.63.176.99 host 68.3.X.X log
 permit tcp host 50.63.176.99 host 68.3.X.X eq 22 log
 permit gre any host 68.3.X.X log
 permit tcp host 72.167.34.44 host 68.3.X.X eq 22 log
 permit udp host 72.167.34.44 host 68.3.X.X eq 5060 log
 permit ip host 72.167.34.44 host 68.3.X.X log
 permit icmp any any echo log
 permit icmp any any echo-reply log
 permit icmp any any time-exceeded log
 permit icmp any any unreachable log
 permit icmp any any packet-too-big log
 permit udp host 208.110.65.18 host 68.3.X.X log
 permit udp host 192.43.244.18 eq ntp any eq ntp log
 permit udp host 204.34.198.40 eq ntp any eq ntp log
 deny   ip host 139.130.130.34 host 139.130.130.34 log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 deny   icmp any any redirect log
 deny   icmp any any mask-request log
 deny   ip any any log
ip access-list extended UDP_RTP
 permit udp host 192.168.4.15 any range 16384 32768
 permit udp any any range 16384 32768
 permit udp any any range 10000 20000
ip access-list extended VPN-CLIENT
 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip radius source-interface Loopback0
logging source-interface Loopback0
logging 192.168.4.49
access-list 10 permit 192.168.1.254
access-list 12 remark SSH_ACL
access-list 12 permit 192.168.4.0 0.0.0.255
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 101 permit ip any any precedence critical
access-list 101 permit ip any any dscp ef
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 103 permit ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 103 remark TTOWN_VPN
access-list 110 remark NO_NAT
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 177 permit ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 177 remark VPN_CLIENT_SPLIT_TUNNEL
no cdp run
!
!
!
!
route-map CME-SIP-Traffic permit 10
 match ip address CME-SIP-Traffic
 set ip default next-hop 172.16.1.1
!
route-map SIP_NAT permit 10
 match ip address UDP_RTP
!
route-map nonat permit 10
 match ip address NO_NAT_WAN
!
snmp-server community craighome1 RO SNMP
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps envmon
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps atm subif
!
!
radius-server host 192.168.4.44 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXXXXX
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
line aux 0
 no exec
line vty 0 4
 access-class 12 in
 exec-timeout 30 0
 logging synchronous
 login authentication vty_ssh
 transport input ssh
 transport output none
line vty 5
 exec-timeout 0 0
 login authentication vty_ssh
 no exec
 transport input ssh
 transport output none
line vty 6 15
 exec-timeout 0 0
 no exec
 transport input ssh
 transport output none
!
scheduler allocate 20000 1000
ntp master 5
ntp server 192.43.244.18
ntp server 204.34.198.40
end

core_router#
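As an added example (not code from the thread or from Cisco), the following Python script applies the checks a reviewer would run on a DMVPN hub/spoke pair like the one above: NHRP network-id and tunnel key must match on both ends, the spoke needs an NHS, and an mGRE tunnel without an IPsec profile or NHRP authentication is plain, unauthenticated GRE. The stanzas are constructed from the hub's Tunnel5; the value 20 stands in for the masked XX, the spoke's address 198.51.100.1 is a placeholder, and the spoke's tunnel key is deliberately wrong so the mismatch check fires.

```python
import re

# Constructed sample (not the post verbatim): hub Tunnel5 modelled on the thread,
# XX replaced by placeholder 20, plus a spoke stanza whose tunnel key does not match.
HUB_CFG = """\
interface Tunnel5
 ip address 10.10.20.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 tunnel mode gre multipoint
 tunnel key 20
"""
SPOKE_CFG = """\
interface Tunnel5
 ip address 10.10.20.2 255.255.255.0
 ip nhrp map 10.10.20.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 20
 ip nhrp nhs 10.10.20.1
 tunnel mode gre multipoint
 tunnel key 21
"""

def tunnel_lines(cfg):
    """Return the indented sub-commands of the first 'interface Tunnel' stanza."""
    m = re.search(r"^interface Tunnel\d+\n((?: .*\n)+)", cfg, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def setting(lines, prefix):
    """Value after PREFIX, or None when the command is absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def lint_dmvpn(hub_cfg, spoke_cfg):
    """Findings that stop an mGRE/NHRP tunnel from forming or leave it exposed."""
    hub, spoke, out = tunnel_lines(hub_cfg), tunnel_lines(spoke_cfg), []
    for role, lines in (("hub", hub), ("spoke", spoke)):
        if setting(lines, "ip nhrp network-id") is None:
            out.append(f"{role}: missing ip nhrp network-id")
        if setting(lines, "ip nhrp authentication") is None:
            out.append(f"{role}: no NHRP authentication string")
        if setting(lines, "tunnel protection ipsec profile") is None:
            out.append(f"{role}: plain GRE, no tunnel protection")
    if setting(spoke, "ip nhrp nhs") is None:
        out.append("spoke: no next-hop server (ip nhrp nhs)")
    for key in ("ip nhrp network-id", "tunnel key"):  # must agree on both ends
        if setting(hub, key) != setting(spoke, key):
            out.append(f"mismatch: {key} hub={setting(hub, key)} spoke={setting(spoke, key)}")
    return out
```

Calling `lint_dmvpn(HUB_CFG, SPOKE_CFG)` reports the two unprotected ends and the tunnel-key mismatch; feed it real `show run` output for each side to compare them the same way.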

Hello Robert,

I tested your HUB and Spoke config in GNS, and OSPF neighborship over the GRE tunnel came up instantly. From my point of view everything should work.

Best Regards

Please rate all helpful posts and close solved questions


OK, I'm wondering if it's the internet connection I'm using. I was turning on the Wifi hotspot on my cell phone, attaching the laptop, and then piggybacking the router off of the laptop. I'm going down the street to a friend's house tomorrow and testing it via their wifi. Just out of curiosity, would there be any foreseeable problems with the hub router being DHCP?

I think DHCP should not be a problem if both HUB and Spoke routers always obtain the same IP. Also check if the default route is installed correctly via DHCP on both HUB & Spoke.

Is ping from spoke to HUB WAN IP successful?

Best Regards

Please rate all helpful posts and close solved questions


Robert Craig
Level 3

Ok, I'll give it a shot and let you guys know. Thanks!

Sent from Cisco Technical Support iPhone App

Robert Craig
Level 3

Yes, I believe it's some type of firewall on the Verizon side as I can't ping the Verizon public IP from the hub. I even tried a different spoke router altogether and got the same results. I'm gonna try it from a regular wifi hotspot and see what I can come up with. Thanks for the help. I'll update you on the results from a different Internet connection.

Sent from Cisco Technical Support iPhone App
