Tunnel is up, line protocol is down

Andrzej95
Level 1

Hi,
I have a LAN where BGP routing is configured.
I wanted to create a GRE over IPsec VPN between two computers, but I have a problem that I cannot solve: Tunnel1 is up, line protocol is down.


The configuration of BGP and the VPN is as follows:
router bgp 65010
no synchronization
bgp log-neighbor-changes
network 172.16.1.0
network 192.168.12.0
network 192.168.13.0
neighbor 10.0.0.5 remote-as 65007
no auto-summary

ip access-list extended GRE-VPN-ACL
permit gre host 10.0.0.6 host 8.8.8.2


interface GigabitEthernet1/0
ip address 10.0.0.6 255.255.255.252
negotiation auto
crypto map GRE-CMAP


interface Tunnel1
bandwidth 4000
ip address 172.16.1.1 255.255.255.252
ip mtu 1400
tunnel source 10.0.0.6
tunnel destination 8.8.8.2


crypto isakmp key **** address 8.8.8.2

crypto ipsec transform-set GRE-VPN esp-aes 256 esp-sha-hmac
mode transport

crypto map GRE-CMAP 10 ipsec-isakmp
set peer 8.8.8.2
set transform-set GRE-VPN
match address GRE-VPN-ACL

The same configuration is on the second router, only with the IP swapped.
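A consistency check of the crypto-map wiring posted above, as an added example (not code from the original post): it pulls the relevant lines out of router A's config, builds router B as the mirror image the post describes (an assumption, since B's config is not shown), and verifies that the crypto map peer, the GRE crypto ACL and the tunnel endpoints agree on both ends. It cannot detect the reachability problem the replies ask about; it only rules out the wiring mistakes that produce the same up/down symptom.

```python
import re

# Constructed from the first post's config; only the lines the check needs.
ROUTER_A = """\
ip access-list extended GRE-VPN-ACL
 permit gre host 10.0.0.6 host 8.8.8.2
interface GigabitEthernet1/0
 ip address 10.0.0.6 255.255.255.252
 crypto map GRE-CMAP
interface Tunnel1
 tunnel source 10.0.0.6
 tunnel destination 8.8.8.2
crypto map GRE-CMAP 10 ipsec-isakmp
 set peer 8.8.8.2
 match address GRE-VPN-ACL
"""

def mirror(cfg, a_ip, b_ip):
    """Swap the two endpoint addresses; the post says router B is configured that way."""
    return cfg.replace(a_ip, "\0").replace(b_ip, a_ip).replace("\0", b_ip)

# Router B is assumed to be the mirror image of A (its config is not in the thread).
ROUTER_B = mirror(ROUTER_A, "10.0.0.6", "8.8.8.2")

def facts(cfg):
    """Pull out the values that must agree for a crypto-map GRE-over-IPsec tunnel."""
    g = lambda pat: (m.group(1) if (m := re.search(pat, cfg, re.M)) else None)
    return {
        "tun_src": g(r"^ tunnel source (\S+)"),
        "tun_dst": g(r"^ tunnel destination (\S+)"),
        "peer": g(r"^ set peer (\S+)"),
        "map_def": g(r"^crypto map (\S+) \d+ ipsec-isakmp"),
        "map_if": g(r"^ crypto map (\S+)$"),      # the copy applied under an interface
        "acl_def": g(r"^ip access-list extended (\S+)"),
        "acl_name": g(r"^ match address (\S+)"),
        "acl": re.findall(r"^ permit gre host (\S+) host (\S+)", cfg, re.M),
    }

def check_pair(a_cfg, b_cfg):
    """Return the mismatches found; an empty list means both ends line up."""
    probs, a, b = [], facts(a_cfg), facts(b_cfg)
    for name, f in (("A", a), ("B", b)):
        if f["peer"] != f["tun_dst"]:
            probs.append(f"{name}: set peer {f['peer']} != tunnel destination {f['tun_dst']}")
        if f["map_if"] != f["map_def"]:
            probs.append(f"{name}: crypto map {f['map_def']} is not applied to any interface")
        if f["acl_name"] != f["acl_def"] or (f["tun_src"], f["tun_dst"]) not in f["acl"]:
            probs.append(f"{name}: ACL does not permit gre host {f['tun_src']} host {f['tun_dst']}")
    if (a["tun_src"], a["tun_dst"]) != (b["tun_dst"], b["tun_src"]):
        probs.append("A/B tunnel endpoints are not mirror images of each other")
    return probs
```

Run `check_pair(ROUTER_A, ROUTER_B)` against the two real running configs once they are pasted in; a non-empty list names the side and the line that disagrees.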

26 Replies

....


...

The usual state for a regular GRE tunnel is up/up whether the peer address is reachable or not. If a regular GRE tunnel were up/down I would expect to find keepalives configured and the remote peer not reachable. But that is not the case here. If it were an encrypted tunnel using VTI I would expect to find that the crypto negotiations had not been successful. But that is not the case here.

We do not have enough information to be able to identify the issue or to make good suggestions. As a start can you verify that the remote peer address responds to ping sourced from G1/0? Also can you post the output of show crypto isakmp sa and show crypto ipsec sa? I do not see obvious issues in the very partial config that was posted. It would be helpful if we could see the complete config.

HTH

Rick

Hello,


It is difficult to see what is going on without seeing the full configs of BOTH VPN ends. Can you post the running configs of both routers?

Andrzej95
Level 1

Of course, I am sharing everything you asked for.

R3 is router A and R10 is router B.

Here is the router A configuration

https://www.codepile.net/pile/XZkmMo2y

and here is the configuration of router B

https://www.codepile.net/pile/DNyLo2AZ

Richard also requested show crypto isakmp sa and show crypto ipsec sa. Here they are from router A and from router B. https://www.codepile.net/pile/gvM65Kw3


Thanks for your help

Hello,


The routers are not directly connected. What is in between the two routers? Can you post the configuration of that device as well?

Hello,


Can 8.8.8.2 ping 10.0.0.6?

I cannot ping from 8.8.8.2 router to 10.0.0.6 router, but I can ping from computers that are connected to these routers and have LAN addressing. More precisely, the ping goes from 192.168.1.2 to 192.168.12.2.

Friend, a ping without specifying the source is not accurate, so run ping 10.0.0.6 source 8.8.8.2 and share the result.

Yes, I know that when pinging from the router, you have to enter the source.

Here is the result:


R3#ping 10.0.0.6 source 8.8.8.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.2
.....
Success rate is 0 percent (0/5)

Hello,


The tunnel will never come up if the source and the destination cannot reach each other. You need to figure out the routing first.


Try and add a static default route to both routers:


ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0

...

....