01-30-2012 02:13 AM - edited 03-04-2019 03:03 PM
Hi,
I'm having a bit of a strange issue getting a single GRE tunnel to come up between my head office and a remote site. I'll be the first to admit I'm quite new to setting up VPNs and the like, so forgive me if I'm missing anything painfully obvious. The head office has around 14 different connections coming off it, all set up the same way with an IPsec VPN with a GRE tunnel to encrypt the data.
Headoffice#sh run int t52
interface Tunnel52
description Primary
bandwidth 1024
ip address 172.29.0.209 255.255.255.252
ip access-group pla_in in
no ip unreachables
ip rip advertise 15
tunnel source Loopback0
tunnel destination 172.28.0.33
tunnel path-mtu-discovery
!
Headoffice#sh ip int t52
Tunnel52 is up, line protocol is down
Internet address is 172.29.0.209/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1476 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is pla_in
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Feature Fast switching turbo vector
IP Feature CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
interface Loopback0
ip address 172.28.255.1 255.255.255.255
!
remoteoffice#sh run int t52
Building configuration...
Current configuration : 206 bytes
!
interface Tunnel52
description Plastica primary P2P GRE tunnel over IPsec VPN
ip address 172.29.0.210 255.255.255.252
ip rip advertise 15
tunnel source Loopback1
tunnel destination 172.28.255.1
end
remoteoffice#sh ip int t52
Tunnel52 is up, line protocol is up
Internet address is 172.29.0.210/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1476 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
interface Loopback1
ip address 172.28.0.33 255.255.255.255
!
I can post more information if needed, but I'm a tad stuck on this one; the routing, I believe, is correct, as are the ACLs.
I would be most grateful for any help!
01-30-2012 02:27 AM
Hello,
Do a simple test first.
From the HQ to the remote office, can you ping the tunnel destination using the tunnel source?
e.g. ping 172.28.0.33 source 172.28.255.1
You can also try it vice versa, but if you don't have some fancy firewall in place, one direction should be enough to test.
If it's not working, then that is your first step to troubleshoot.
Let us know and we can continue to give you some advice.
HTH,
Calin
01-30-2012 02:47 AM
Thank you,
this is from HQ
#ping 172.28.0.33 source 172.28.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.0.33, timeout is 2 seconds:
Packet sent with a source address of 172.28.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
this is from the remote office
#ping 172.28.255.1 source 172.28.0.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.255.1, timeout is 2 seconds:
Packet sent with a source address of 172.28.0.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/64 ms
Looks like they can ping, but the tunnel still shows as down at the HQ?
Thanks
Chris
01-30-2012 02:55 AM
Hello,
On HQ, what do you have in ACL pla_in?
Take it out for a few seconds. Does the interface come up?
Calin
01-30-2012 03:01 AM
Hi,
The pla_in ACL has the following in it:
ip access-list extended pla_in
remark 1 Permit traffic between associated networks
remark 1 na
remark 2 Permit return traffic berween connected networks
permit icmp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 echo-reply
permit tcp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 established
remark 3 Permit GRE between tunnel endpoints
permit gre 172.28.0.0 0.0.255.255 172.28.0.0 0.0.255.255
remark 4 Permit RIP from tunnel networks to RIP routers
permit udp 172.29.0.0 0.0.255.255 host 224.0.0.9 eq rip
remark 5 Deny traffic to non hosted private networks
deny ip any 10.1.2.0 0.0.1.255
deny ip any 172.16.0.0 0.15.255.255
remark 6 Permit traffic from associated and connected networks to hosted networks
permit ip 172.19.18.32 0.0.0.7 10.0.0.0 0.255.255.255
permit ip 172.29.0.0 0.0.255.255 10.0.0.0 0.255.255.255
remark 7 Permit traffic from associated networks to Internet
remark 7 na
remark 8 Deny (or log) everything else
deny ip any any
I've removed the ACL, but it's still not coming back up.
Thanks
Chris
01-30-2012 03:33 AM
Hi,
On your tunnel interface on the router, the description says GREoIPsec. So, are you running GRE over IPsec?
Does your encryption domain have the appropriate subnets in there? Is the interesting traffic configured properly?
Can you do a "sh cryp ipsec sa"?
It might be a good idea to attach the full config here.
Regards
Kishore
01-30-2012 04:10 AM
I think so; the IPsec VPN terminates on a firewall before letting the interesting traffic through to the router where the GRE tunnel terminates.
remote office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
195.200.145.227 81.5.131.153 QM_IDLE 1001 0 ACTIVE
#sh crypto ipsec sa
interface: Dialer1
Crypto map tag: vpnmap, local addr 81.5.131.153
protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.0.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.28.255.0/255.255.255.0/0/0)
current_peer 195.200.145.227 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
#pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 81.5.131.153, remote crypto endpt.: 195.200.145.227
path mtu 1500, ip mtu 1500
current outbound spi: 0xC5DB17A9(3319469993)
inbound esp sas:
spi: 0xABF5BC53(2885008467)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: C87X_MBRD:3, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493568/823)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC5DB17A9(3319469993)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: C87X_MBRD:4, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493553/822)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: vpnmap, local addr 81.5.131.153
protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.0.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.28.255.0/255.255.255.0/0/0)
current_peer 195.200.145.227 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
#pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 81.5.131.153, remote crypto endpt.: 195.200.145.227
path mtu 1500, ip mtu 1500
current outbound spi: 0xC5DB17A9(3319469993)
inbound esp sas:
spi: 0xABF5BC53(2885008467)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: C87X_MBRD:3, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493568/821)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC5DB17A9(3319469993)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: C87X_MBRD:4, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493553/820)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Please see the attached file for the remote office.
Thanks
Chris
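The "sh crypto ipsec sa" output above is long and repetitive, and the things that matter in it (whether both ESP SAs exist, whether the proxy identities are the mirror image of the firewall's crypto ACL, the send-error count, and the encaps/decaps balance) are easy to miss by eye. The following is an added example, not part of the thread or of any Cisco tool: a small parser for that output, with the Dialer1 block from the post transcribed as sample data, and a check of its identities against the firewall ACL quoted later in the thread ("permit ip 172.28.255.0 255.255.255.0 host 172.28.0.33"). The finding strings and thresholds are my own.

```python
"""Added example: parse 'show crypto ipsec sa' and flag what would explain an
SA that is ACTIVE but not carrying the tunnel: missing ESP SA pair, proxy
identities that do not mirror the peer's crypto ACL, send errors, and an
encaps/decaps imbalance."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the Dialer1 block transcribed from the remote office
# output posted in the thread (the Virtual-Access2 block was a duplicate).
SAMPLE = """interface: Dialer1
    Crypto map tag: vpnmap, local addr 81.5.131.153
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.0.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.28.255.0/255.255.255.0/0/0)
   current_peer 195.200.145.227 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #send errors 5, #recv errors 0
     local crypto endpt.: 81.5.131.153, remote crypto endpt.: 195.200.145.227
     inbound esp sas:
      spi: 0xABF5BC53(2885008467)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC5DB17A9(3319469993)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""

_IDENT = r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"


def _first(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def _count(label: str, text: str) -> int:
    return int(_first(label + r" (\d+)", text) or 0)


def parse_ipsec_sa(text: str) -> List[Dict]:
    """One record per 'interface:' block of the command output."""
    records = []
    for chunk in re.split(r"^\s*interface: ", text, flags=re.M)[1:]:
        def ident(which: str) -> Optional[ipaddress.IPv4Network]:
            m = re.search(which + r"\s+" + _IDENT, chunk)
            return ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False) if m else None
        records.append({
            "interface": chunk.split(None, 1)[0],
            "peer": _first(r"current_peer ([\d.]+)", chunk),
            "local_ident": ident("local"),
            "remote_ident": ident("remote"),
            "encaps": _count(r"#pkts encaps:", chunk),
            "decaps": _count(r"#pkts decaps:", chunk),
            "send_errors": _count(r"#send errors", chunk),
            "recv_errors": _count(r"#recv errors", chunk),
            # An empty 'inbound esp sas:' section (next line is 'inbound ah sas:')
            # yields None here, i.e. phase 2 never produced an SA.
            "inbound_spi": _first(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)", chunk),
            "outbound_spi": _first(r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)", chunk),
        })
    return records


def assess(rec: Dict, peer_local: Optional[str] = None,
           peer_remote: Optional[str] = None) -> List[str]:
    """peer_local/peer_remote are the other side's crypto ACL source and
    destination, e.g. 172.28.255.0/24 and 172.28.0.33/32 from the firewall."""
    findings = []
    if rec["inbound_spi"] is None or rec["outbound_spi"] is None:
        findings.append("no ESP SA pair: phase 2 has not completed")
    if peer_local and peer_remote:
        if (rec["local_ident"] != ipaddress.IPv4Network(peer_remote)
                or rec["remote_ident"] != ipaddress.IPv4Network(peer_local)):
            findings.append("proxy identities do not mirror the peer's crypto ACL")
    if rec["send_errors"]:
        findings.append(f"{rec['send_errors']} send errors")
    if rec["encaps"] and not rec["decaps"]:
        findings.append("one-way: packets encrypted but none decrypted")
    elif rec["encaps"] != rec["decaps"]:
        findings.append(f"asymmetric counters: {rec['encaps']} encaps vs {rec['decaps']} decaps")
    return findings


def check_thread_sample() -> List[str]:
    """Assess the posted output against the firewall's crypto ACL from the thread."""
    return assess(parse_ipsec_sa(SAMPLE)[0], "172.28.255.0/24", "172.28.0.33/32")
```

The counters are cumulative since the SA was built, so a single snapshot only tells you that something has flowed at some point; take two snapshots a minute apart and compare the deltas to see whether GRE is being encrypted and decrypted right now. An encaps/decaps imbalance is a lead rather than proof, since RIP updates and pings are not symmetric by nature.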
01-30-2012 04:20 AM
Hi,
You need to allow GRE on the firewall. Please check if port 47 is allowed on the firewall
Cheers
Kishore
01-30-2012 04:23 AM
I mean protocol 47 not port ;)
01-30-2012 04:32 AM
Thank you,
I believe it's allowed through because, as I say, at least 14 other sites are working fine using the same setup.
This is all the information relating to the remote office on the firewall:
access-list outside_cryptomap_9000_remote office extended permit ip 172.28.255.0 255.255.255.0 host 172.28.0.33
crypto map outside_map 9000 match address outside_cryptomap_9000_remote office
crypto map outside_map 9000 set pfs group5
crypto map outside_map 9000 set peer 81.5.131.153
crypto map outside_map 9000 set transform-set AES256
I'm still at a loss of what could be wrong here.
01-30-2012 04:43 AM
Just checking your remote site configuration.
interface Loopback1
description terminates GRE tunnels over IPsec
ip address 172.28.0.33 255.255.255.252 <<<< shouldn't this be a /32?
because in your interesting traffic on the firewall, your remote subnet in the encryption domain is host 172.28.0.33, which is a /32 address.
Also, the ACL on the remote site is
ip access-list extended protected
permit ip host 172.28.0.33 172.28.255.0 0.0.0.255 <<< you're saying host, but your loopback is configured as /30
Change the loopback address to a /32 and see if that helps.
HTH
Kishore
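Two of the checks raised in this thread, whether an access list lets a given flow (such as GRE between the two loopbacks) through, and whether the interesting-traffic ACL on the firewall and the one on the remote router are exact mirrors of each other, can be done mechanically instead of by eye. The following is an added example, not from the thread or from Cisco: it simulates Cisco first-match ACL evaluation with wildcard masks (IOS) and netmasks (ASA) over the pla_in, firewall and remote-router entries quoted above, transcribed here as sample data. It ignores port and flag qualifiers such as "eq rip" or "established", so a permit for TCP/UDP/ICMP is an upper bound, while for GRE it is exact. The reordered ACL and the /30 variant of the remote crypto ACL are constructed to show what a failure looks like.

```python
"""Added example: simulate Cisco ACL matching (IOS wildcard masks, ASA netmasks)
to check (a) whether an access list permits a flow such as GRE between tunnel
endpoints and (b) whether two crypto ACLs mirror each other."""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def _net(addr: str, mask: str, style: str) -> ipaddress.IPv4Network:
    """IOS ACLs carry wildcard (inverted) masks, ASA ACLs ordinary netmasks.
    Invert explicitly so that a wildcard of 0.0.0.0 becomes /32, not /0."""
    if style == "wildcard":
        mask = str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _take_spec(tokens: List[str], style: str) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any' | 'host A' | 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1], style), tokens[2:]


def parse_ace(line: str, style: str = "wildcard") -> Optional[tuple]:
    """Return (action, proto, src_net, dst_net, qualifiers), or None for remarks.
    ASA lines ('access-list NAME extended permit ...') are skipped up to the action."""
    t = line.split()
    if not t or t[0] == "remark":
        return None
    while t and t[0] not in ("permit", "deny"):
        t = t[1:]
    if len(t) < 4:
        return None
    action, proto, rest = t[0], t[1], t[2:]
    src, rest = _take_spec(rest, style)
    dst, rest = _take_spec(rest, style)
    return action, proto, src, dst, rest


def acl_permits(acl: List[str], proto: str, src: str, dst: str, style: str = "wildcard") -> bool:
    """First match wins, implicit deny at the end. Port/flag qualifiers are not
    evaluated, so True for tcp/udp/icmp is an upper bound; for gre it is exact."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        ace = parse_ace(line, style)
        if ace is None:
            continue
        action, p, src_net, dst_net, _ = ace
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action == "permit"
    return False


def crypto_acls_mirror(a: List[str], a_style: str, b: List[str], b_style: str) -> bool:
    """Interesting-traffic ACLs must be exact mirrors: every permitted (src, dst)
    on one side must appear as (dst, src) on the other."""
    def pairs(acl, style):
        return {(ace[2], ace[3]) for ace in (parse_ace(l, style) for l in acl)
                if ace and ace[0] == "permit"}
    return pairs(a, a_style) == {(d, s) for s, d in pairs(b, b_style)}


# Sample data transcribed from the thread: HQ tunnel ACL, firewall crypto ACL,
# remote router crypto ACL. REMOTE_CRYPTO_SLASH30 is constructed.
PLA_IN = [
    "permit icmp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 echo-reply",
    "permit tcp 172.29.0.0 0.0.255.255 172.29.0.0 0.0.255.255 established",
    "permit gre 172.28.0.0 0.0.255.255 172.28.0.0 0.0.255.255",
    "permit udp 172.29.0.0 0.0.255.255 host 224.0.0.9 eq rip",
    "deny ip any 10.1.2.0 0.0.1.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "permit ip 172.19.18.32 0.0.0.7 10.0.0.0 0.255.255.255",
    "permit ip 172.29.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "deny ip any any",
]
FW_CRYPTO = ["access-list outside_cryptomap_9000_remote office extended permit ip "
             "172.28.255.0 255.255.255.0 host 172.28.0.33"]
REMOTE_CRYPTO = ["permit ip host 172.28.0.33 172.28.255.0 0.0.0.255"]
REMOTE_CRYPTO_SLASH30 = ["permit ip 172.28.0.32 0.0.0.3 172.28.255.0 0.0.0.255"]


def check_thread_configs() -> dict:
    """The checks a reader of the thread would want answered."""
    return {
        "gre_between_endpoints": acl_permits(PLA_IN, "gre", "172.28.0.33", "172.28.255.1"),
        "rip_from_tunnel": acl_permits(PLA_IN, "udp", "172.29.0.210", "224.0.0.9"),
        "plain_udp_to_hq_tunnel_ip": acl_permits(PLA_IN, "udp", "172.29.0.210", "172.29.0.209"),
        "crypto_mirror": crypto_acls_mirror(FW_CRYPTO, "netmask", REMOTE_CRYPTO, "wildcard"),
        "crypto_mirror_if_remote_used_30": crypto_acls_mirror(
            FW_CRYPTO, "netmask", REMOTE_CRYPTO_SLASH30, "wildcard"),
    }


def gre_if_rfc1918_deny_first() -> bool:
    """Same entries with the 172.16/12 deny moved above the GRE permit:
    172.28.x.x falls inside it, so first-match ordering blocks the tunnel."""
    reordered = [PLA_IN[5]] + [l for i, l in enumerate(PLA_IN) if i != 5]
    return acl_permits(reordered, "gre", "172.28.0.33", "172.28.255.1")
```

Two things the checker makes visible that are easy to overlook when reading an ACL: entry order matters, because the "deny ip any 172.16.0.0 0.15.255.255" line covers the 172.28.0.0/16 endpoint range and only loses to the GRE permit because it comes later; and a mismatch in mask width between the two crypto ACLs (host versus /30) fails the mirror check even though the addresses overlap, which is exactly the kind of difference that leaves phase 2 negotiating with mismatched proxy identities.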
01-30-2012 05:57 AM
Thanks Kishore,
I've changed both of those addresses to be /32,
so they now read:
ip address 172.28.0.33 255.255.255.255
permit ip host 172.28.0.33 172.28.255.0
I still can't even ping the inside interface (172.19.18.37) from the HQ router.
Thanks again
Chris
01-30-2012 06:15 AM
Is the tunnel up on both ends? Can you ping the tunnel interfaces from each site?
Can you see the RIP routes being advertised at both ends?
Also, is the Vlan1 interface up on the remote router? Because on some low-end routers, if nothing is plugged into the Ethernet ports, then Vlan1 remains down (line protocol).
Can you execute the commands below on the HQ and remote routers and paste the results here?
HQ
sh ip rip database 172.19.18.37
sh ip route 172.19.18.37
Remote
sh ip int brief
sh ip rip database 172.19.18.37
sh ip route 172.19.18.37
Just out of curiosity is this a Cisco 837 or a 877?
Cheers
01-30-2012 07:07 AM
Thanks again for your reply.
The tunnel is only up/up on the remote end; at HQ it's only showing as up/down. The remote end router is a Cisco 877.
I can successfully ping 172.28.255.1 from 172.28.0.33 and vice versa.
The VLAN is up (I did have to go and check, though).
HQ
HQ#sh ip rip database 172.19.18.37 255.255.255.252
%Route not in database
HQ#sh ip route 172.19.18.37
Routing entry for 172.16.0.0/12, supernet
Known via "static", distance 1, metric 0
Redistributing via ospf 1024, rip
Advertised by ospf 1024 subnets
rip
Routing Descriptor Blocks:
* 10.3.2.254
Route metric is 0, traffic share count is 1
Remote
Remote#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
ATM0 unassigned YES NVRAM up up
Vlan1 172.19.18.37 YES NVRAM up up
Tunnel52 172.29.0.210 YES NVRAM up up
Loopback1 172.28.0.33 YES NVRAM up up
Loopback0 unassigned YES NVRAM up up
Dialer1 81.5.131.153 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Remote#sh ip rip database 172.19.18.37 255.255.255.252
%Route not in database
Remote#sh ip route 172.19.18.37
Routing entry for 172.19.18.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via rip
Advertised by rip
Routing Descriptor Blocks:
* directly connected, via Vlan1
Route metric is 0, traffic share count is 1
Thanks again for your help!
Chris
02-01-2012 02:47 AM
Thanks for all your help.
The problem has now been resolved.
The issue was an incorrect subnet mask placed on the VLAN interface at the remote end; once it was changed to a /28, RIP learned the proper network and started to transmit data.
Thanks for your help.