GRE over VPN tunnel with multiple sites


How can I create GRE VPN tunnel with multiple sites?

Site A (Main Site) 192.168.0.0/24

Site B 192.168.1.0/24

Site C 10.10.13.0/24

Site A and B currently connected via GRE Tunnel over IPSEC 172.16.0.1 - 172.16.0.2

Site A and C currently connected via GRE Tunnel over IPSEC 172.17.0.1 - 172.17.0.2


Traffic from A to B is working fine.

Traffic from A to C is working fine.

How can I route traffic from Site B to Site C without creating a tunnel between the two?

I've attempted to create static route on B and C, yet no luck.

Router B -
ip route 10.10.13.0 255.255.255.0 tunnel 1

Router C -

ip route 192.168.1.0 255.255.255.0 tunnel 1

Does anyone have any ideas?


Accepted Solutions

Re: GRE over VPN tunnel with multiple sites


1.  Since there is IPSEC, I assume you are using the firewall?  If so, then you will need to make sure the Tunnel interfaces are assigned to a policy-class and have appropriate ACLs assigned to the policy-class.  My assumption is that you have two tunnels on Site A (Tunnel 1 and Tunnel 2).  Also make sure your NAT statement for internet is listed after any allow statements for the Tunnel interfaces in your policy-class.

Example of relevant programming for router A:

interface ethernet 0/1
  ip address  <public ip>  <subnet mask>
  ip access-policy Public
  crypto map VPN
  no shutdown
!
interface vlan 1
  ip address  192.168.0.1  255.255.255.0
  ip access-policy Private
  no shutdown
interface tunnel 1 gre ip
  description Tunnel to Site B
  ip address  172.16.0.1  255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
interface tunnel 2 gre ip
  description Tunnel to site C
  ip address  172.17.0.1  255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
router rip
  version 2
  network 172.16.0.0 255.255.255.252
  network 172.17.0.0 255.255.255.252
  network 192.168.0.0 255.255.255.0
ip access-list extended tunnel
  remark GRE Tunnel
  permit ip any  any
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless  * Automatically added by VPN
  allow list VPN-10-vpn-selectors stateless  * Automatically added by VPN
  allow list tunnel policy Tunnel stateless  * Allows traffic listed in ACL "tunnel" to the policy-class "Tunnel"
  allow list self self
  nat source list internet interface ethernet 0/1 overload policy Public
ip policy-class Tunnel
  allow list self self
  allow list tunnel policy Tunnel  *  allows traffic between Tunnel interfaces
  allow list tunnel policy Private  *  allows traffic from tunnel to the Private/LAN network
!

You would apply the respective programming to routers B & C.

2.  I would try using the address of the Tunnel interfaces vs. the interface itself (Router B - ip route 10.10.13.0 255.255.255.0 172.16.0.1), or you can configure RIP, which is one of the big advantages of using GRE tunnels over IPSEC.


I hope this helps, and hopefully an Adtran engineer can verify this for us.  I know my way around the NetVanta, but am not quite a Guru.
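
A small model of the hub-and-spoke forwarding discussed in this thread, added here as an example and not part of the original posts: it traces a packet hop by hop through routing tables and policy-class rules to show why B-to-C traffic needs both a return route on C and Tunnel-to-Tunnel transit on Router A. The hub routes on A, the host addresses, and the reduction of each policy-class to allowed (ingress, egress) pairs are assumptions.

```python
import ipaddress

# Constructed model of the page's topology. Entries are (prefix, next hop,
# egress policy-class); "LAN" means directly connected. Hub routes on A are
# assumed (static or learned via RIP); the page does not list them.
ROUTES = {
    "A": [("192.168.0.0/24", "LAN", "Private"), ("192.168.1.0/24", "B", "Tunnel"),
          ("10.10.13.0/24", "C", "Tunnel")],
    "B": [("192.168.1.0/24", "LAN", "Private"), ("192.168.0.0/24", "A", "Tunnel"),
          ("10.10.13.0/24", "A", "Tunnel")],
    "C": [("10.10.13.0/24", "LAN", "Private"), ("192.168.0.0/24", "A", "Tunnel"),
          ("192.168.1.0/24", "A", "Tunnel")],
}
SPOKE = {("Private", "Tunnel"), ("Tunnel", "Private")}
# Allowed (ingress class, egress class) pairs; A adds Tunnel->Tunnel transit.
POLICY = {"A": SPOKE | {("Tunnel", "Tunnel")}, "B": SPOKE, "C": SPOKE}

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next hop, egress class) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def trace(start, dst, routes=ROUTES, policy=POLICY):
    """Send a packet from a LAN host behind `start`; return (path, verdict)."""
    router, ingress, path = start, "Private", [start]
    for _ in range(8):  # hop limit so a routing loop terminates
        route = lookup(routes[router], dst)
        if route is None:
            return path, f"no route on {router}"
        _, nxt, egress = route
        if (ingress, egress) not in policy[router]:
            return path, f"dropped on {router}: {ingress}->{egress}"
        if nxt == "LAN":
            return path, "delivered"
        router, ingress = nxt, "Tunnel"
        path.append(router)
    return path, "routing loop"

def reachable(a, a_host, b, b_host, **kw):
    """Two-way check: request and reply must both be delivered."""
    return trace(a, b_host, **kw)[1] == trace(b, a_host, **kw)[1] == "delivered"

if __name__ == "__main__":
    print(trace("B", "10.10.13.10"))             # forward path through the hub
    no_transit = dict(POLICY, A=SPOKE)           # hub without Tunnel->Tunnel
    print(trace("B", "10.10.13.10", policy=no_transit))
    no_return = dict(ROUTES, C=ROUTES["C"][:2])  # C lacks a route back to B
    print(reachable("B", "192.168.1.10", "C", "10.10.13.10", routes=no_return))
```
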



Re: GRE over VPN tunnel with multiple sites


Thanks vmaxdawg05, you're a genius.