
tunnel without default gateway not connecting

clxadmin1
Level 1

Hi,

I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party.

interface Tunnel0
  ip address 10.23.0.6 255.255.255.252
  tunnel source 10.23.6.2
  tunnel destination 10.23.4.2

I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up.

  ip route 10.23.4.2 255.255.255.255 FastEthernet0/0

and I can then ping the tunnel IP at the far end - 10.23.0.5

Why would that be? Is there a better way to do this without using a default route??

Thanks,

Alan

4 Replies

Ton V Engelen
Level 3

Hi,

I think that because the tunnel destination is in a different subnet than the tunnel source, you'll need at least a route to reach this destination.

Neeraj Arora
Level 3

Alan,

Tunnel destination has to be reachable from both ends for the tunnel to come up or become pingable.

So either a default route or host route towards the tunnel destination is required on the router for things to work properly.

I hope I understood your question properly; if your query was something else, do post it in a little more detail if possible.

Neeraj

clxadmin1
Level 1

I think at first I thought it would work in a similar way to a client VPN where the remote routes would get pushed to the remote end.

We also have a similar config to another provider and that one works fine without the need to specify an additional route. But having looked over the tunnel configurations it turns out that it uses the remote peer IP addresses for the tunnel destinations which would avoid this additional route requirement.

The tunnel source is locally defined as

interface Loopback0
  ip address 10.23.6.2 255.255.255.255

So what you're both saying would explain it, it just stumped me at first as I was trying to apply it with the other providers config in place and I wasn't sure if that was responsible for it not working.

FastEthernet0/0 is connected directly to the internet with a public IP. What I suppose I don't understand is how having the following makes it work when it's a private IP address. The crypto map is on that interface, so would it route it over the IPSEC VPN in this instance?

  ip route 10.23.4.2 255.255.255.255 FastEthernet0/0

Is there a preferred way to add these kinds of routes in this situation?

Thanks,

Alan

Alan,

As you've not pasted the config I cannot be sure whether the crypto map is encrypting the traffic to reach 10.23.4.2, but yes, it would make sense that this traffic is first sent through the site-to-site tunnel (as both the source and destination are private IP addresses) towards the other end, and then the GRE tunnel is established.

And regarding your other question about any preferred way of adding the route: well, a manual addition is required for GRE, or should I say reachability to the tunnel destination is mandatory to bring up the tunnel interface, so it does not necessarily have to be a static route; if you have a private network and learn this route through a dynamic routing protocol, even then it's okay. It's just that the ROUTE has to be there.

Neeraj
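To make the two answers concrete, here is an added Python model (not from the thread, not Cisco code) of the 1841's routing decision: a longest-prefix lookup decides whether the tunnel destination 10.23.4.2 is reachable, and Tunnel0 is treated as up only when a usable route exists, so the far-end 10.23.0.5 is pingable only in that case. The public /30 (203.0.113.0/30), the upstream gateway 203.0.113.1, the IPsec peer address 198.51.100.10 and the crypto-map ACL entry are constructed assumptions, since Alan did not post them. The recursive-routing check (destination reachable only through the tunnel itself) goes slightly beyond the thread; it is the other common reason a GRE tunnel stays down, and a host route, being more specific, avoids it.

```python
"""Model of why the GRE tunnel in the thread needs a route to 10.23.4.2.

Added example, not Cisco code. Addressing outside the thread (public /30,
gateway, IPsec peer, crypto ACL entry) is constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    out_iface: str
    next_hop: Optional[str] = None  # None: connected or interface-only static route


@dataclass
class Router:
    routes: list = field(default_factory=list)
    # Stand-in for the crypto-map ACL: (source net, destination net) pairs that get encrypted.
    crypto_acl: list = field(default_factory=list)
    crypto_iface: str = "FastEthernet0/0"  # interface the crypto map is applied to

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the connected/static routes."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def matches_crypto(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.crypto_acl)


def tunnel_status(rt: Router, tunnel_src: str, tunnel_dst: str, tunnel_iface: str = "Tunnel0"):
    """Return (state, detail): the tunnel is up only if its destination has a usable route."""
    r = rt.lookup(tunnel_dst)
    if r is None:
        return "down", "no route to tunnel destination"
    if r.out_iface == tunnel_iface:
        return "down", "recursive routing: destination reachable only through the tunnel itself"
    encrypted = r.out_iface == rt.crypto_iface and rt.matches_crypto(tunnel_src, tunnel_dst)
    return "up", f"via {r.out_iface} ({r.prefix}), " + ("GRE encapsulated in IPsec" if encrypted else "sent unencrypted")


def can_ping(rt: Router, tunnel_src: str, tunnel_dst: str, target: str) -> bool:
    """A target routed over Tunnel0 (e.g. the far end 10.23.0.5) is reachable only when the tunnel is up."""
    r = rt.lookup(target)
    if r is None:
        return False
    if r.out_iface == "Tunnel0":
        return tunnel_status(rt, tunnel_src, tunnel_dst)[0] == "up"
    return True


def build_router(default_route: bool, host_route: bool) -> Router:
    """The thread's 1841: Loopback0 tunnel source, Tunnel0, and a constructed public side."""
    rt = Router(crypto_acl=[(IPv4Net("10.23.6.2/32"), IPv4Net("10.23.4.2/32"))])  # constructed ACL entry
    rt.routes += [
        Route(IPv4Net("203.0.113.0/30"), "FastEthernet0/0"),                   # constructed public /30
        Route(IPv4Net("10.23.6.2/32"), "Loopback0"),                           # tunnel source (from thread)
        Route(IPv4Net("10.23.0.4/30"), "Tunnel0"),                             # tunnel subnet (from thread)
        Route(IPv4Net("198.51.100.10/32"), "FastEthernet0/0", "203.0.113.1"),  # constructed route to IPsec peer
    ]
    if default_route:
        rt.routes.append(Route(IPv4Net("0.0.0.0/0"), "FastEthernet0/0", "203.0.113.1"))
    if host_route:  # the fix Alan found: ip route 10.23.4.2 255.255.255.255 FastEthernet0/0
        rt.routes.append(Route(IPv4Net("10.23.4.2/32"), "FastEthernet0/0"))
    return rt


if __name__ == "__main__":
    for label, rt in [("default route", build_router(True, False)),
                      ("peer route only", build_router(False, False)),
                      ("peer route + host route", build_router(False, True))]:
        state, detail = tunnel_status(rt, "10.23.6.2", "10.23.4.2")
        ping = can_ping(rt, "10.23.6.2", "10.23.4.2", "10.23.0.5")
        print(f"{label:24s} Tunnel0 {state:4s} ({detail}); ping 10.23.0.5: {ping}")
```

Running it reproduces the thread: with only the route to the IPsec peer the lookup for 10.23.4.2 returns nothing and Tunnel0 stays down; with either the default route or the /32 host route out FastEthernet0/0 it comes up, and because the GRE packet (10.23.6.2 to 10.23.4.2) matches the crypto ACL on that interface it leaves encrypted inside the IPsec tunnel rather than as a private-address packet on the public link.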
