Unable to route outside router via GRE/IPsec tunnel

SteveG18
Level 1

I have a tunnel set up with a 10.22.32.1 address on one side, and 10.22.32.2 on the other. So, a GRE/IPsec tunnel, sharing some routes, and that part is fine. From the non-Cisco side I can ping across the tunnel to the Cisco, and if I traceroute, can see the traffic from the non-Cisco device leaving and getting across the tunnel. It's just not leaving out the Cisco router to 8.8.8.8 and making its way back.

You can see the traceroute just stopping at the 10.22.32.1 address:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 10.22.32.1 (10.22.32.1) 22.370 ms 21.942 ms 22.274 ms
2 * * *
3 * * *
4 * * *

I've included the current router config. If you see something that I'm missing, please let me know.

Current configuration : 5810 bytes
!
! Last configuration change at 12:57:44 MDT Tue May 28 2024 by steve
! NVRAM config last updated at 10:01:16 MDT Wed May 22 2024 by steve
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime localtime
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ttce_dmvpn
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
clock timezone MST -7 0
clock summer-time MDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
!
ip domain name tg.local
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid ISR4321/K9 sn FDO214428GN
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username ******** privilege 15 password 0 ********
username ******** privilege 15 password 0 ********
username ******** privilege 15 password 0 ********
!
redundancy
mode none
!
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha512
group 20
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key UsMESGQcWqkdKvyNVIqy
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEYRING
!
crypto ikev2 dpd 30 15 on-demand
crypto ikev2 limit max-in-negotation-sa 1000
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set AES256/SHA512/TRANSPORT esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set AES256/SHA512/TRANSPORT
set pfs group20
set ikev2-profile IKEV2_PROFILE
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description INTERNAL - Management Interface
ip address 10.118.0.7 255.255.255.255
no ip redirects
!
interface Loopback1
description EXTERNAL - DMVPN Hub Interface
ip address 123.195.127.16 255.255.255.255
no ip redirects
!
interface Loopback2
description Anycast for C_P route tracking
ip address 10.118.0.193 255.255.255.255
no ip redirects
!
interface Loopback3
description Test Interface
ip address 10.128.0.10 255.128.0.0
!
interface Tunnel100
description INTERNAL - DMVPN Inside Interface
ip address 10.22.32.2 255.255.240.0
no ip redirects
ip mtu 1300
ip nhrp authentication 1234
ip nhrp map multicast 65.111.237.229
ip nhrp map 10.22.32.2 65.111.237.229
ip nhrp network-id 1
ip nhrp nhs 10.22.32.1
ip nhrp redirect
no ip split-horizon
ip tcp adjust-mss 1260
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0/0
ip address dhcp
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.25
encapsulation dot1Q 25
ip address 10.100.100.11 255.255.255.0
vrrp 2 ip 10.100.100.12
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan30
description C_P Management Interface
ip address 12.0.0.4 255.255.252.0
!
router bgp 65501
bgp router-id 10.118.0.7
bgp log-neighbor-changes
bgp listen range 10.22.32.0/20 peer-group BBR_C_P
bgp listen limit 2500
neighbor BBR_C_P peer-group
neighbor BBR_C_P remote-as 65005
!
address-family ipv4
bgp redistribute-internal
network 10.0.0.0
network 10.22.32.0 mask 255.255.240.0
network 10.118.0.193 mask 255.255.255.255
redistribute static
neighbor BBR_C_P activate
neighbor BBR_C_P route-map FROM_DMVPN_PEERS in
neighbor BBR_C_P route-map TO_DMVPN_PEERS out
default-information originate
exit-address-family
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 200.0.0.0 255.255.255.252 10.100.100.10
!
ip ssh version 2
!
!
ip prefix-list DEFAULT_ROUTE seq 10 permit 0.0.0.0/0
!
ip prefix-list DMVPN_ANYCAST_LOOPBACK seq 10 permit 10.118.0.193/32
!
ip prefix-list DMVPN_C_P seq 10 permit 10.22.32.0/20 le 32
!
ip prefix-list STORES seq 10 permit 10.128.0.0/9 le 32
!
logging trap debugging
logging source-interface GigabitEthernet0/1/0
logging host 10.100.0.5
!
!
route-map RIP_TO_BGP permit 10
match ip address prefix-list STORES
!
route-map FROM_DMVPN_PEERS permit 10
match ip address prefix-list STORES
!
route-map TO_DMVPN_PEERS permit 10
match ip address prefix-list DEFAULT_ROUTE
set as-path prepend 65501 65501
!
route-map prepend_outbound permit 10
set as-path prepend 65501 65501
!
route-map TO_DMPVPN_PEERS permit 20
match ip address prefix-list DMPVPN_ANYCAST_LOOPBACK
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
!
ntp server time.google.com
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

ttce_dmvpn#
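As an added illustration (not from the post or any reply), a small Python lint over a constructed excerpt of the config above. It flags a tunnel whose static NHRP map points at the tunnel's own address, and route-map or prefix-list names that are referenced but never defined: the config above defines TO_DMPVPN_PEERS sequence 20 and matches prefix-list DMPVPN_ANYCAST_LOOPBACK, neither of which matches the TO_DMVPN_PEERS / DMVPN_ANYCAST_LOOPBACK names actually applied to the BGP peer group, so that sequence never takes effect.

```python
import re
# Constructed excerpt of the posted config (IOS indents sub-commands with one space).
SAMPLE_CFG = """\
interface Tunnel100
 ip address 10.22.32.2 255.255.240.0
 ip nhrp map 10.22.32.2 65.111.237.229
router bgp 65501
 address-family ipv4
  neighbor BBR_C_P route-map TO_DMVPN_PEERS out
ip prefix-list DEFAULT_ROUTE seq 10 permit 0.0.0.0/0
ip prefix-list DMVPN_ANYCAST_LOOPBACK seq 10 permit 10.118.0.193/32
route-map TO_DMVPN_PEERS permit 10
 match ip address prefix-list DEFAULT_ROUTE
route-map TO_DMPVPN_PEERS permit 20
 match ip address prefix-list DMPVPN_ANYCAST_LOOPBACK
"""

def sections(cfg):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def nhrp_self_maps(cfg):
    """Tunnels whose static 'ip nhrp map' entry points at the tunnel's own address."""
    hits = []
    for hdr, subs in sections(cfg):
        own = next((s.split()[2] for s in subs if s.startswith("ip address ")), None)
        maps = re.findall(r"^ip nhrp map (\S+) \S+$", "\n".join(subs), re.M)
        if hdr.startswith("interface Tunnel") and own in maps:
            hits.append((hdr.split()[1], own))
    return hits

def dangling_policy_refs(cfg):
    """Names referenced but never defined, plus route-maps defined but never applied."""
    def_rm, def_pl, use_rm, use_pl = set(), set(), set(), set()
    for hdr, subs in sections(cfg):
        if hdr.startswith("route-map "):
            def_rm.add(hdr.split()[1])
            use_pl |= {s.split()[-1] for s in subs if s.startswith("match ip address prefix-list ")}
        elif hdr.startswith("ip prefix-list "):
            def_pl.add(hdr.split()[2])
        use_rm |= set(re.findall(r"route-map (\S+) (?:in|out)$", "\n".join(subs), re.M))
    return {"undefined_route_maps": sorted(use_rm - def_rm), "undefined_prefix_lists": sorted(use_pl - def_pl),
            "unapplied_route_maps": sorted(def_rm - use_rm)}
```

Run it against a full `show running-config` saved to a file; the real config keeps its indentation, which is what `sections` relies on.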

2 Replies

liviu.gheorghe
Spotlight

Hello @SteveG18 ,

if this router, ttce_dmvpn, is the DMVPN hub, then the configuration on the Tunnel 100 is not right - on the DMVPN hub you don't need to map anything - this is only done on the spokes.

You should remove the following commands from interface Tunnel 100:

ip nhrp map multicast 65.111.237.229
ip nhrp map 10.22.32.2 65.111.237.229
ip nhrp nhs 10.22.32.1

Hope this helps.

Regards, LG

interface Tunnel100
description INTERNAL - DMVPN Inside Interface
ip address 10.22.32.2 255.255.240.0
no ip redirects
ip mtu 1300
ip nhrp authentication 1234
ip nhrp map multicast 65.111.237.229
ip nhrp map 10.22.32.2 65.111.237.229 <<-10.22.32.1 correct this
ip nhrp network-id 1
ip nhrp nhs 10.22.32.1
ip nhrp redirect
no ip split-horizon
ip tcp adjust-mss 1260
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile IPSEC_PROFILE
