GRE over IPSec tunnel won't stay up.

mdipaolo
Level 1

I'm trying to build a GRE tunnel across an existing IPSec tunnel so I can run OSPF for dynamic routing in a backup scenario.

I have an IPSec tunnel built across the internet between two firewalls (non-Cisco). Behind each firewall, I have a Cisco 7206 that I would like to build a GRE tunnel between to exchange dynamic routing info via OSPF.

I've read the Cisco configuration document and my config is identical. Unfortunately, the tunnel comes up for about 15 seconds and then dies.

Diagram.......

7206 <----------> Firewall <--------> Internet <--------> Firewall <----------> 7206

Any comments or suggestions regarding this problem would be greatly appreciated !!

3 Replies

paqiu
Level 1

Sounds like a routing issue. I tried this once in the lab and got a similar situation to yours. The routes were overridden by OSPF and then the GRE tunnel went down.

So I use a static route to keep the tunnel always up.

Here is the sample config I have done for the CCO:

http://www.cisco.com/warp/customer/707/gre_ipsec_ospf.html

In that case, I use the following static routes to keep the GRE tunnel always up:

In Rodney:

"ip route 0.0.0.0 0.0.0.0 192.168.4.1

ip route 10.10.10.0 255.255.255.0 Tunnel0"

In House:

"ip route 0.0.0.0 0.0.0.0 192.168.3.1

ip route 20.20.20.0 255.255.255.0 Tunnel0"

Best Regards,
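
The situation described in the reply above (an OSPF-learned route overriding the path to the tunnel endpoint so the tunnel drops), modelled as an added example that is not part of the original post. The tunnel destination 192.168.3.2 and the OSPF-learned 192.168.3.0/24 are constructed values, and the host route in `rib_fixed` is one common way to pin the endpoint, an assumption rather than the poster's configuration.

```python
import ipaddress

# Administrative distances as used by Cisco IOS: static 1, OSPF 110.
AD = {"static": 1, "ospf": 110}

def best_route(rib, dest):
    """Longest-prefix match; ties broken by lowest administrative distance."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                    -AD[r["source"]]))

def tunnel_is_recursive(rib, tunnel_if, tunnel_dest):
    """True when the tunnel's own destination resolves out the tunnel itself."""
    route = best_route(rib, tunnel_dest)
    return route is not None and route["out"] == tunnel_if

# Constructed sample: hypothetical far-end address used as "tunnel destination".
TUNNEL_DEST = "192.168.3.2"

# Before OSPF converges: only the static routes quoted in the post (Rodney side).
rib_before = [
    {"prefix": "0.0.0.0/0", "source": "static", "out": "192.168.4.1"},
    {"prefix": "10.10.10.0/24", "source": "static", "out": "Tunnel0"},
]

# After the adjacency forms: the far end advertises the subnet that holds the
# tunnel destination, and it is learned over the tunnel (constructed scenario).
rib_after = rib_before + [
    {"prefix": "192.168.3.0/24", "source": "ospf", "out": "Tunnel0"},
]

# Assumed fix: a static host route pins the endpoint to the physical next hop.
rib_fixed = rib_after + [
    {"prefix": "192.168.3.2/32", "source": "static", "out": "192.168.4.1"},
]

if __name__ == "__main__":
    for name, rib in [("before OSPF", rib_before), ("after OSPF", rib_after),
                      ("with host route", rib_fixed)]:
        state = "RECURSIVE" if tunnel_is_recursive(rib, "Tunnel0", TUNNEL_DEST) else "ok"
        print(f"{name:16} -> {TUNNEL_DEST} via {best_route(rib, TUNNEL_DEST)['out']} ({state})")
```
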

Thanks.....but I already have it configured like you suggested (and as suggested from the Cisco GRE / IPSec document).

I've already tested connectivity across the IPSec tunnel and I am not dropping packets.....so I know I have a good connection across the Internet.

Do you have a one-to-one NAT translation in the firewalls? GRE won't work over PAT because there's no port number for it to use, so make sure the router interfaces are statically NAT'd to a global IP address.

Do you see anything in the firewalls when the tunnels drop? Any syslog messages?