
Is it possible to build a tunnel from an internal interface?

emailsbecker

At one of our remote sites we have a /29 provided from our current ISP, and they're using a /30 as a bridge between us and the internet.  The /30 is not routed to the internet and all traffic to it appears to be blocked (TCP as well as UDP).  We need to configure an IPSEC over GRE tunnel back to our home office but all configuration examples I have show the tunnel as being built on the exterior most IP, which would be the /30.

I've labbed this up and I know for a fact that will work, however it doesn't in the real world due to the ISP's restrictions on the /30.  I've also labbed up multiple different ways to try and get the tunnel built from my /29 (including having the /29 as a secondary IP on the same port as the /30) but haven't been able to find a way that works.  I've spent the better part of a week and a half on this.

I've opened a ticket with the ISP to see if they'll open up their /30 for me but in the meantime I thought I'd post here as a backup.  Also, it could be handy to have this info in case I'm ever in a situation where the /30 cannot be routed for whatever reason.

If anyone can point me to an example of a tunnel built with a source other than the one facing the internet I would be much obliged. Thanks!

1 Reply

Actually, it's quite easy with tunnel-interfaces. Here the Routers are connected with private IPs to the ISP and both get a public /29:

hostname R-Left
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key SuperSecure address 192.0.2.9
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set ESP-AES128-SHA1
!
! Tunnel is sourced from the public /29 address, not the ISP-facing address
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.9
 tunnel protection ipsec profile IPSEC-PROF
!
! ISP-facing port: private address as primary, public /29 address as secondary
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.248 secondary
 ip address 10.255.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.255.1.1
ip route 10.10.3.0 255.255.255.0 Tunnel0

hostname R-Right
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key SuperSecure address 192.0.2.1
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set ESP-AES128-SHA1
!
! Tunnel is sourced from the public /29 address, not the ISP-facing address
interface Tunnel0
 ip address 10.255.255.1 255.255.255.254
 tunnel source 192.0.2.9
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile IPSEC-PROF
!
! ISP-facing port: private address as primary, public /29 address as secondary
interface FastEthernet0/0
 ip address 192.0.2.9 255.255.255.248 secondary
 ip address 10.255.2.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.3.3 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.255.2.1
ip route 10.10.1.0 255.255.255.0 Tunnel0
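
A consistency check for a pair of configs built this way, as an added example that is not part of the reply above: it confirms each tunnel source is an address the router actually owns, that the two ends mirror each other, and that an ISAKMP key exists for the peer. The function names are hypothetical, the sample is a constructed reduction of the two configs to their endpoint lines, and it assumes the tunnel source is written as an IP address rather than an interface name.

```python
import ipaddress

# Constructed sample: only the endpoint-relevant lines of R-Left and R-Right.
TEMPLATE = """\
crypto isakmp key SuperSecure address {peer}
interface Tunnel0
 ip address {tun} 255.255.255.254
 tunnel source {me}
 tunnel destination {peer}
interface FastEthernet0/0
 ip address {me} 255.255.255.248 secondary
 ip address {wan} 255.255.255.0
"""
R_LEFT = TEMPLATE.format(me="192.0.2.1", peer="192.0.2.9", tun="10.255.255.0", wan="10.255.1.2")
R_RIGHT = TEMPLATE.format(me="192.0.2.9", peer="192.0.2.1", tun="10.255.255.1", wan="10.255.2.3")

def parse(cfg):
    """Extract tunnel endpoints, ISAKMP key peers and physical interface addresses."""
    out = {"peers": set(), "local": set(), "source": None, "destination": None, "tun": None}
    iface = ""
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            iface = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
            out["peers"].add(w[w.index("address") + 1])
        elif len(w) == 3 and w[0] == "tunnel" and w[1] in ("source", "destination"):
            out[w[1]] = w[2]
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            if iface.startswith("Tunnel"):
                out["tun"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            else:  # primary and secondary addresses both count as local
                out["local"].add(w[2])
    return out

def check_pair(left, right):
    """Return a list of mismatches between the two tunnel endpoint configs."""
    a, b = parse(left), parse(right)
    problems = []
    for name, me, peer in (("left", a, b), ("right", b, a)):
        if me["source"] not in me["local"]:
            problems.append(f"{name}: tunnel source {me['source']} is not a local interface address")
        if me["destination"] != peer["source"]:
            problems.append(f"{name}: tunnel destination {me['destination']} != peer source {peer['source']}")
        if me["destination"] not in me["peers"]:
            problems.append(f"{name}: no ISAKMP key for peer {me['destination']}")
    if a["tun"] is None or b["tun"] is None or a["tun"].network != b["tun"].network:
        problems.append("tunnel interface addresses are missing or in different subnets")
    return problems
```

`check_pair(R_LEFT, R_RIGHT)` returns an empty list for the pair above; sourcing one end from its private ISP-facing address instead is reported as a destination/source mismatch on the other end.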