Cisco GRE over IPSEC working, but can't ping through tunnel

Experts,

I have a working GRE over IPSEC tunnel.  It's working great, and I've been able to successfully get OSPF routes propagated through the tunnel from the routers. - Also - CDP.

The catch is, OSPF chooses the Tunnel interface for all the routes associated, and I'm unable to route through the tunnel.

To add complexity to the problem, I'm unable to ping the local/remote tunnel interface on both routers.

I've followed many guides, but am stuck at this point.  Would somebody happen to know if there's an ACL entry I need to make in order to hit up the tunnel ip?  From what I'm reading, it should be pingable automatically from the local router...
usslindstrom Asked:
 
usslindstrom (Author, accepted solution) Commented:
****FIGURED IT OUT****

For anybody experiencing the same problem, please change the gre encapsulation.

Everything began working great when I entered the command under the Tunnel 0 interface on both sides:

tunnel mode ipip

Problem solved!
0
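The accepted fix above changes the tunnel's outer encapsulation, which is also what the crypto map's ACL is matched against: with `tunnel mode ipip` the outer packet is IP protocol 4 instead of GRE (47), so an ACE written as `permit gre host A host B` no longer selects it, and the tunnel keeps passing traffic but without IPsec unless an `ipinip` (or `ip`) entry covers the endpoints. The checker below is an added example, not code from the thread; its ACL is a constructed stand-in for the masked *****_VPNTraffic list using RFC 5737 documentation addresses, and it assumes the crypto map sits on the tunnel-source interface so that it sees the outer packet.

```python
import ipaddress

# Outer IP protocol each IOS tunnel mode writes, and the extended-ACL protocol
# keywords that can select it ('ip' matches any protocol).  IOS defaults to
# 'gre ip' when an interface has no 'tunnel mode' line.
OUTER_PROTO = {"gre ip": (47, {"gre", "ip", "47"}), "ipip": (4, {"ipinip", "ip", "4"})}

def _operand(w, i):
    """Parse one ACL address operand at w[i]: any | host A | A wildcard."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    # wildcard -> netmask; assumes a contiguous wildcard such as 0.0.255.255
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(w[i + 1])))
    return ipaddress.ip_network(f"{w[i]}/{mask}", strict=False), i + 2

def tunnel_is_encrypted(acl_text, tunnel_mode, src, dst):
    """True if the crypto ACL's first matching ACE permits the tunnel's outer
    packet (src/dst = tunnel source/destination, protocol set by tunnel_mode)."""
    proto, keys = OUTER_PROTO[tunnel_mode]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        w = line.split()
        if len(w) < 4 or w[0] not in ("permit", "deny") or w[1] not in keys:
            continue                     # other protocol keyword: cannot match proto
        s, i = _operand(w, 2)
        d, _ = _operand(w, i)
        if src in s and dst in d:
            return w[0] == "permit"
    return False                         # no ACE selects it -> sent in the clear

# Constructed stand-in for the thread's *****_VPNTraffic ACL: the masked public
# endpoints are replaced by RFC 5737 documentation addresses.
SITE_VPN_ACL = """\
 permit gre host 192.0.2.1 host 198.51.100.1
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""

def audit(acl_text=SITE_VPN_ACL, src="192.0.2.1", dst="198.51.100.1"):
    """Outer-packet result for each tunnel mode against the same crypto ACL."""
    return {mode: tunnel_is_encrypted(acl_text, mode, src, dst) for mode in OUTER_PROTO}

if __name__ == "__main__":
    print(audit())                                # {'gre ip': True, 'ipip': False}
    print(audit(SITE_VPN_ACL + " permit ipinip host 192.0.2.1 host 198.51.100.1\n"))
```

On the router itself, `show crypto ipsec sa` gives the same answer: if the `#pkts encaps` counter stops growing after the mode change while the tunnel still passes traffic, that traffic is leaving unencrypted.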
 
Istvan Kalmar (Head of IT Security Division) Commented:
Please show both sides' config, sh ip int brief, sh cry isa sa
0
 
usslindstrom (Author) Commented:
Sorry for the delay here.

I've posted the current config and output debugs you were asking for on the local router in the code block below.

Getting the remote side config copied and pasted is becoming a small challenge at this second, as I can't hit the remote site over the tunnel any more...  The remote side looks almost 100% identical to the config pasted below, with the exception that the device is sitting behind another NAT.  I have the same configuration, except I set the loopback address of the remote router to be the same as the NAT device's external IP.

Prior to bringing up the GRE tunnel, I had full connectivity with just IPSEC.  I needed the routing protocols to work though, so I did the Tunnel0 configuration.  The catch, on both sides, is that I can't ping the local Tunnel interface - let alone the remote interface - so the route fails.

The link is working, I have an UP/UP status after using keepalives, and I'm able to see the routes propagated across both routers, as well as CDP.  The link is working - until it comes to sending data across it.  I can't ping across, or do anything else that involves the Tunnel.

Any ideas?  I'm thinking it's something as simple as an ACL mismatch, but I can't see anything off the top of my eye.

Thanks for the help, seriously.

Current configuration : 7889 bytes
!
! Last configuration change at 23:51:26 JST Mon Apr 5 2010 by *****
! NVRAM config last updated at 00:01:42 JST Tue Apr 6 2010 by *****
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
enable secret *****
!
aaa new-model
!
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa authentication login *****_Access group *****_DC local
aaa authorization network *****_NetAuth if-authenticated
!
!
aaa session-id common
clock timezone JST 9
ip cef
!
!
!
!
ip domain name *****.com
ip name-server *****
ip name-server *****
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set ESP-AES esp-aes 256
!
crypto map *****_VPNMap 1 ipsec-isakmp
 description *****
 set peer *****
 set security-association lifetime seconds 86400
 set transform-set ESP-AES
 set pfs group2
 match address *****_VPNTraffic
!
!
!
!
class-map match-any P2P
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol bittorrent
!
!
policy-map Drop_P2P
 class P2P
   drop
!
!
!
!
!
interface Tunnel0
 description *****
 ip address 172.16.0.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf mtu-ignore
 keepalive 5 3
 cdp enable
 tunnel source Dialer1
 tunnel destination *****
 tunnel path-mtu-discovery
 crypto map *****_VPNMap
!
interface FastEthernet0/0
 description *****
 ip address 10.0.0.1 255.255.254.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 speed 100
 full-duplex
 service-policy input Drop_P2P
!
interface FastEthernet0/1
 description *****
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description *****
 mtu 1424
 bandwidth 102400
 ip address negotiated
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1396
 no ip mroute-cache
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf mtu-ignore
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp pap sent-username ***** password *****
 ppp ipcp route default
 crypto map *****_VPNMap
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 area 0 authentication
 redistribute rip
 network 10.0.0.0 0.0.1.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
 default-information originate
!
ip local pool *****_PPTP 10.0.0.51 10.0.0.59
ip local pool *****_VPNRemoteAccess 10.0.12.0 10.0.13.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source list *****_NAT interface Dialer1 overload
ip nat inside source static tcp ***** 80 interface Dialer1 80
ip nat inside source static tcp ***** 443 interface Dialer1 443
ip nat inside source static tcp ***** 25 interface Dialer1 25
ip nat inside source static tcp ***** 110 interface Dialer1 110
ip nat inside source static udp ***** 20 interface Dialer1 20
ip nat inside source static tcp ***** 20 interface Dialer1 20
ip nat inside source static tcp ***** 21 interface Dialer1 21
ip nat inside source static udp ***** 21 interface Dialer1 21
ip nat inside source static tcp ***** 3389 interface Dialer1 3389
ip nat inside source static udp ***** 3389 interface Dialer1 3389
ip nat inside source static tcp ***** 8081 interface Dialer1 8081
ip nat inside source static udp ***** 8081 interface Dialer1 8081
ip nat inside source static tcp ***** 8443 interface Dialer1 8443
ip nat inside source static tcp ***** 8453 interface Dialer1 8453
!
ip access-list extended *****_NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended *****_SplitTunnel
 permit ip 10.0.0.0 0.0.15.255 10.0.12.0 0.0.1.255
 permit ip 10.0.224.0 0.0.15.255 10.0.12.0 0.0.1.255
ip access-list extended *****_VPNTraffic
 permit gre host ***** host *****
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit icmp 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
snmp-server community ***** RO
!
!
!
!
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key 7 *****
radius-server host ***** auth-port 1645 acct-port 1646 key 7 *****
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
 
  Access to this system is for the use of authorized
  personel only.
 
  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!
 
  You have accessed:  $(hostname).$(domain)
 
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
^C
!
line con 0
 privilege level 15
 logging synchronous
 login authentication *****_Access
line aux 0
 logging synchronous
 login authentication *****_Access
line vty 0 4
 logging synchronous
 login authentication *****_Access
line vty 5 181
 logging synchronous
 login authentication *****_Access
!
ntp clock-period 17180417
ntp master
ntp server *****
!
end



--------------------------------- 

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.1        YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  up                    up
NVI0                       10.0.0.1        YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Dialer1                    *****           YES IPCP   up                    up
Tunnel0                    172.16.0.1      YES NVRAM  up                    up

--------------------------------- 

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
*****          *****           QM_IDLE           1009    0 ACTIVE
*****          *****           QM_IDLE           1007    0 ACTIVE
*****          *****           QM_IDLE           1004    0 ACTIVE
*****          *****           QM_IDLE           1003    0 ACTIVE
*****          *****           QM_IDLE           1011    0 ACTIVE
*****          *****           QM_IDLE           1010    0 ACTIVE
*****          *****           QM_IDLE           1008    0 ACTIVE
*****          *****           QM_IDLE           1006    0 ACTIVE
*****          *****           QM_IDLE           1005    0 ACTIVE
*****          *****           QM_IDLE           1001    0 ACTIVE

---------------------------------


0

 
usslindstrom (Author) Commented:
Was finally able to grab a copy of the remote router...  Config posted below:
Current configuration : 6443 bytes
!
! Last configuration change at 07:51:18 MST Mon Apr 5 2010 by *****
! NVRAM config last updated at 08:01:47 MST Mon Apr 5 2010 by *****
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
enable secret *****
!
aaa new-model
!
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
!
!
aaa session-id common
clock timezone MST -7
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.208.1 10.0.208.50
!
ip dhcp pool *****_LocalNetwork
   network 10.0.208.0 255.255.254.0
   domain-name *****.com
   dns-server ***** *****
   netbios-name-server ***** *****
   default-router 10.0.208.1
   lease 0 8
!
!
ip domain list *****.com
ip domain name *****.com
ip name-server 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set ESP-AES esp-aes 256
!
crypto map *****_VPNMap 1 ipsec-isakmp
 description *****
 set peer *****
 set security-association lifetime seconds 86400
 set transform-set ESP-AES
 set pfs group2
 match address *****_VPNTraffic
!
!
!
!
class-map match-any P2P
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol bittorrent
!
!
policy-map Drop_P2P
 class P2P
   drop
!
bridge irb
!
!
!
interface Loopback0
 ip address ***** *****
!
interface Tunnel0
 description *****
 ip address 172.16.0.2 255.255.255.252
 no ip mroute-cache
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf mtu-ignore
 keepalive 15 3
 cdp enable
 tunnel source Loopback0
 tunnel destination *****
 tunnel path-mtu-discovery
 crypto map *****_VPNMap
!
interface FastEthernet0/0
 description *****
 ip address 10.0.208.1 255.255.254.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 speed 100
 full-duplex
 service-policy input Drop_P2P
!
interface FastEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf mtu-ignore
 speed 100
 full-duplex
 crypto map *****_VPNMap
!
interface ATM0/0/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
router ospf 1
 router-id 10.0.208.1
 log-adjacency-changes
 redistribute rip
 network 10.0.208.0 0.0.1.255 area 10.0.208.0
 network 172.16.0.0 0.0.0.255 area 0
 default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source list *****_NAT interface FastEthernet0/1 overload
!
ip access-list extended *****_NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended *****_VPNTraffic
 permit gre host ***** host *****
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit icmp 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
snmp-server community ***** RO
!
!
!
!
!
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
!
control-plane
!
!
banner motd ^C

*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

  Access to this system is for the use of authorized
  personel only.

  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!

  You have accessed:  $(hostname).$(domain)

*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
^C
!
line con 0
 privilege level 15
 logging synchronous
 login authentication *****_Access
line aux 0
 logging synchronous
 login authentication *****_Access
line vty 0 4
 logging synchronous
 login authentication *****_Access
line vty 5 807
 logging synchronous
 login authentication *****_Access
!
scheduler allocate 20000 1000
ntp clock-period 17178598
ntp server *****
end





---------------------------------

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.208.1      YES NVRAM  up                    up
FastEthernet0/1            192.168.0.2     YES NVRAM  up                    up
ATM0/0/0                   unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Loopback0                  *****           YES NVRAM  up                    up
Tunnel0                    172.16.0.2      YES NVRAM  up                    up

--------------------------------- 

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
*****          192.168.0.2     QM_IDLE           1009    0 ACTIVE
*****          192.168.0.2     QM_IDLE           1007    0 ACTIVE
*****          192.168.0.2     QM_IDLE           1004    0 ACTIVE
*****          192.168.0.2     QM_IDLE           1003    0 ACTIVE
*****           *****          MM_NO_STATE          0    0 ACTIVE (deleted)
192.168.0.2     *****          QM_IDLE           1011    0 ACTIVE
192.168.0.2     *****          QM_IDLE           1010    0 ACTIVE
192.168.0.2     *****          QM_IDLE           1008    0 ACTIVE
192.168.0.2     *****          QM_IDLE           1006    0 ACTIVE
192.168.0.2     *****          QM_IDLE           1005    0 ACTIVE
192.168.0.2     *****          QM_IDLE           1001    0 ACTIVE

--------------------------------- 


0
 
usslindstrom (Author) Commented:
To demo that the tunnel is in fact working (except for sending traffic) - here are some commands from the local router.

---------------------------------

sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.208.1        0   FULL/  -        00:00:39    172.16.0.2        Tunnel0

---------------------------------

sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
*****.*****.com
                 Tunnel0            166         R S I     1841      Tunnel0

---------------------------------
0
 
usslindstrom (Author) Commented:
However, the problem stems from here:

I can't ping either side of the tunnel (even local) on either router...

---------------------------------
**From the local router pinging the local Tunnel Interface**

ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

---------------------------------
**From the local router pinging the remote Tunnel Interface**

ping 172.16.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
0