Hello,

krystianstrycharz · ‎02-08-2017

Could someone help me with troubleshooting?

PC1 can't reach PC2 via IPSec/GRE

R1:

int tun 1

ip add 172.0.0.1 255.255.255.252

tun sou 160.0.0.2

tun des 160.0.1.2

tun mode gre ip

!

int g0/0

ip add 10.0.0.1 255.0.0.0

no shut

!

int p1/0

ip add 160.0.0.2 255.255.255.252

access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

!

crypto isakmp policy 101

encr aes

authentication pre-share

group 5

crypto isakmp key #TAJNEhaslo@ address 160.0.1.2

!

crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac

mode tunnel

!

crypto map R1_Map 101 ipsec-isakmp

set peer 160.0.1.2

set transform-set R1_Set

match address 101

ip route 192.168.0.0 255.255.0.0 172.0.0.2

ip route 0.0.0.0 0.0.0.0 160.0.0.1

!

int p1/0

crypto map R1_Map

R2:

int tun 1

ip add 172.0.0.2 255.255.255.252

tun sou 160.0.1.2

tun des 160.0.0.2

tun mode gre ip

!

int g0/0

ip add 192.168.0.1 255.255.0.0

no shut

!

int p1/0

ip add 160.0.1.2 255.255.255.252

access-list 101 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

!

crypto isakmp policy 101

encr aes

authentication pre-share

group 5

crypto isakmp key #TAJNEhaslo@ address 160.0.0.2

!

crypto ipsec transform-set R2_Set esp-aes esp-sha-hmac

mode tunnel

!

crypto map R2_Map 101 ipsec-isakmp

set peer 160.0.0.2

set transform-set R2_Set

match address 101

ip route 10.0.0.0 255.0.0.0 172.0.0.1

ip route 0.0.0.0 0.0.0.0 160.0.1.1

no ip route 160.0.0.0 255.255.255.252 160.0.1.1

!

int p1/0

crypto map R2_Map

R3:

int p1/0

ip add 160.0.0.1 255.255.255.252

int p2/0

ip add 160.0.1.1 255.255.255.252

Georg Pauwen · ‎02-08-2017

Hello,

on R2, you are missing a default route. Try and add:

ip route 0.0.0.0 0.0.0.0 160.0.1.1

Masoud Pourshabanian · ‎02-08-2017

Hello,

Can you ping 172.0.0.2 from R1?

PCs have gateways?

Masoud

krystianstrycharz · ‎02-08-2017

R1 can ping 172.0.0.2

PCs have gateways.

Georg Pauwen · ‎02-09-2017

Hello,

I have labbed your exact setup in GNS3, and I can ping both hosts.

Can you ping when you use the GigabitEthernet0/0 interfaces as source ?

R1#ping 192.168.0.10 source GigabitEthernet0/0

krystianstrycharz · ‎02-09-2017

No, i can't

Georg Pauwen · ‎02-09-2017

Hello,

the problem is the way VPCS uses traceroutes (it uses UDP). Try TCP:

PC1> trace 192.168.0.10 -P 6
trace to 192.168.0.10, 8 hops max (TCP), press Ctrl+C to stop
1 10.0.0.1 15.758 ms 15.638 ms 15.621 ms
2 172.0.0.2 78.128 ms 78.243 ms 78.039 ms
3 * * *
4 192.168.0.10 62.489 ms 4294951.803 ms 4294936.029 ms

krystianstrycharz · ‎02-09-2017

I have another results:

PC1> trace 192.168.0.10 -P 6
trace to 192.168.0.10, 8 hops max (TCP), press Ctrl+C to stop
1 10.0.0.1 10.186 ms 9.113 ms 10.139 ms
2 *10.0.0.1 10.070 ms (ICMP type:3, code:1, Destination host unreachable)

PC1 can ping R2 tunnel interface, but can't local network of R2,

but PC2 can't ping tunnel interface of R1.

Georg Pauwen · ‎02-09-2017

Hello,

post the output of 'show ip route' from all three routers. Something is missing...

krystianstrycharz · ‎02-09-2017

Ok, GNS removed some 'ip route' and changed ip addresses, it's crazy..

R1

Gateway of last resort is 160.0.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 160.0.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/8 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
160.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 160.0.0.0/30 is directly connected, POS1/0
L 160.0.0.2/32 is directly connected, POS1/0
172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.0.0.0/30 is directly connected, Tunnel1
L 172.0.0.1/32 is directly connected, Tunnel1
S 192.168.0.0/16 [1/0] via 172.0.0.2

R2

Gateway of last resort is 160.0.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 160.0.1.1
S 10.0.0.0/8 [1/0] via 172.0.0.1
160.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 160.0.1.0/30 is directly connected, POS1/0
L 160.0.1.2/32 is directly connected, POS1/0
172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.0.0.0/30 is directly connected, Tunnel1
L 172.0.0.2/32 is directly connected, Tunnel1
C 192.168.0.0/16 is directly connected, GigabitEthernet0/0
192.168.0.0/32 is subnetted, 1 subnets
L 192.168.0.1 is directly connected, GigabitEthernet0/0

R3

Gateway of last resort is not set

160.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 160.0.1.0/30 is directly connected, POS1/0
L 160.0.1.2/32 is directly connected, POS1/0

now PC1 can ping R2 int g0/0 but can't ping PC2, PC2 has good ip add and DG

Georg Pauwen · ‎02-09-2017

Hello,

check the configuration of R3, there is only one interface active, POS1/0. You should see an output for POS2/0 as well (like below):

160.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 160.0.1.0/30 is directly connected, POS1/0
L 160.0.1.2/32 is directly connected, POS1/0

C 160.0.0.0/30 is directly connected, POS2/0
L 160.0.0.1/32 is directly connected, POS2/0

krystianstrycharz · ‎02-09-2017

Ok, i was lost totally so i reconfigured once again all devices.
Now PCs can ping mutually

Thank you for help! :)

I attache good configuration

Georg Pauwen · ‎02-09-2017

Good stuff, glad you got it resolved !

krystianstrycharz · ‎02-08-2017

This line is included in R2 configuration, it's sth else

krystianstrycharz · ‎02-09-2017

When I use ping from PCs then it seems to be right, but when i try to trace then host is unreachable

Troubleshooting VPN IPSec/GRE