GRE/IPSEC when one side under NAT

sellentuch · ‎11-05-2006

I'm trying to tunnel a GRE under an IPSec session. When I configure both sides using a config like the included c3640-1-3-confg.txt, it works perfectly.

When I need to put one side under a NAT (You can see http://www.tucs-beachin-obx-house.com/NYNJ2.jpg { Don't blame me for the public IPs in the NAT, its the deck I've been dealt}). The public side is the c3640-1-3-nat-confg.txt, and the side behind is c3640-3-1-nat-confg.txt .

It seems like the IPSec side is working fine, but I can't get the GRE working.

Is there a way to do this, or am I out of luck due to the situation?

Thanks, Tuc

spremkumar · ‎11-05-2006

Hi

Can you post the output of show interface tunnel 0 from both the routers ?

regds

sellentuch · ‎11-06-2006

Below... The only thing I want to say is that when I brought the first router up, it claimed the tunnel was up/up with the other side not even being there.... I've also opened telnet on both ends, you can use "TELNET" as the password...

R1:

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 192.168.4.1/30

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 192.136.64.117 (Ethernet0/0), destination 69.249.95.230

Tunnel protocol/transport GRE/IP

Key disabled, sequencing disabled

Checksumming of packets disabled

Tunnel TTL 255

Fast tunneling enabled

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Last input never, output 00:03:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

5 packets output, 620 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

R3:

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 192.168.4.2/30

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 129.11.8.11 (Ethernet0/0), destination 192.136.64.117

Tunnel protocol/transport GRE/IP

Key disabled, sequencing disabled

Checksumming of packets disabled

Tunnel TTL 255

Fast tunneling enabled

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

spremkumar · ‎11-06-2006

Hi

Do enable keepalive on your tunnel interface and check. At present keepalive is off thats the reason your tunnel is showing up/up.

I dont think so you can make a tunnel up with different source/destination.

Tunnel source 192.136.64.117 (Ethernet0/0), destination 69.249.95.230

Tunnel source 129.11.8.11 (Ethernet0/0), destination 192.136.64.117

In your case the destination/source (69.249.95.230/129.11.8.11) is different in which you wont be able to bring the tunnel up..

regds

sellentuch · ‎11-07-2006

Ok, done.... The tunnel config on -3 shows :

interface Tunnel0

ip address 192.168.4.2 255.255.255.252

keepalive 10 3

tunnel source 69.249.95.230

tunnel destination 192.136.64.117

end

And now the tunnel is up/down .

What next?

Thanks, Tuc