cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
162
Views
0
Helpful
1
Replies

Is it possible to build a tunnel from an internal interface?

emailsbecker
Beginner
Beginner

At one of our remote sites we have a /29 provided from our current ISP, and they're using a /30 as a bridge between us and the internet.  The /30 is not routed to the internet and all traffic to it appears to be blocked (TCP as well as UDP).  We need to configure an IPSEC over GRE tunnel back to our home office but all configuration examples I have show the tunnel as being built on the exterior most IP, which would be the /30.

I've labbed this up and I know for a fact that will work, however it doesn't in the real world due to the ISP's restrictions on the /30.  I've also labbed up multiple different ways to try and get the tunnel built from my /29 (including having the /29 as a secondary IP on the same port as the /30) but have't been able to find a way that works.  I've spent the better part of a week and a half on this.

I've opened a ticket with the ISP to see if they'll open up their /30 for me but in the mean time I thought I'd post here as a backup.  Also, it could handy to have this info in case I'm ever in a situation where the /30 cannot be routed for whatever reason.

If anyone can point me to an example of a tunnel built with a source other than the one facing the internet I would be much obliged. Thanks!

1 Reply 1

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

Actually, it's quite easy with tunnel-interfaces. Here the Routers are connected with private IPs to the ISP and both get a public /29:

hostname R-Left
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key SuperSecure address 192.0.2.9
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROF
set transform-set ESP-AES128-SHA1
!
interface Tunnel0
ip address 10.255.255.0 255.255.255.254
tunnel source 192.0.2.1
tunnel destination 192.0.2.9
tunnel protection ipsec profile IPSEC-PROF
!
interface FastEthernet0/0
ip address 192.0.2.1 255.255.255.248 secondary
ip address 10.255.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.1.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.255.1.1
ip route 10.10.3.0 255.255.255.0 Tunnel0

hostname R-Right
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key SuperSecure address 192.0.2.1
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROF
set transform-set ESP-AES128-SHA1
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.255.255.1 255.255.255.254
tunnel source 192.0.2.9
tunnel destination 192.0.2.1
tunnel protection ipsec profile IPSEC-PROF
!
interface FastEthernet0/0
ip address 192.0.2.9 255.255.255.248 secondary
ip address 10.255.2.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.3.3 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.255.2.1
ip route 10.10.1.0 255.255.255.0 Tunnel0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: