How can I create GRE VPN tunnel with multiple sites?
Site A (Main Site) 192.168.0.0/24
Site B 192.168.1.0/24
Site C 10.10.13.0/24
Site A and B currently connected via GRE Tunnel over IPSEC 172.16.0.1 - 172.16.0.2
Site A and C currently connected via GRE Tunnel over IPSEC 172.17.0.1 - 172.17.0.2
Traffic from A to B is working fine.
Traffic from A to C is working fine.
How can I route traffic from Site B to Site C without creating a tunnel between the two?
I've attempted to create static routes on B and C, yet no luck.
Router B -
ip route 10.10.13.0 255.255.255.0 tunnel 1
Router C -
ip route 192.168.1.0 255.255.255.0 tunnel 1
Does anyone have any ideas?
1. Since there is IPSEC, I assume you are using the firewall? If so, then you will need to make sure the Tunnel interfaces are assigned to a policy-class and have appropriate ACLs assigned to the policy-class. My assumption is that you have two tunnels on Site A (Tunnel 1 and Tunnel 2). Also make sure your NAT statement for the internet is listed after any allow statements for the Tunnel interfaces in your policy-class.
Example of relevant programming for router A:
interface ethernet 0/1
  ip address <public ip> <subnet mask>
  ip access-policy Public
  crypto map VPN
  no shutdown
!
interface vlan 1
  ip address 192.168.0.1 255.255.255.0
  ip access-policy Private
  no shutdown
!
interface tunnel 1 gre ip
  description Tunnel to Site B
  ip address 172.16.0.1 255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
!
interface tunnel 2 gre ip
  description Tunnel to Site C
  ip address 172.17.0.1 255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
!
router rip
  version 2
  network 172.16.0.0 255.255.255.252
  network 172.17.0.0 255.255.255.252
  network 192.168.0.0 255.255.255.0
!
ip access-list extended tunnel
  remark GRE Tunnel
  permit ip any any
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless          * Automatically added by VPN
  allow list VPN-10-vpn-selectors stateless          * Automatically added by VPN
  allow list tunnel policy Tunnel stateless          * Allows traffic listed in ACL "tunnel" to the policy-class "Tunnel"
  allow list self self
  nat source list internet interface ethernet 0/1 overload policy Public
!
ip policy-class Tunnel
  allow list self self
  allow list tunnel policy Tunnel                    * allows traffic between Tunnel interfaces
  allow list tunnel policy Private                   * allows traffic from tunnel to the Private/LAN network
!
You would apply the respective programming to routers B & C.
2. I would try using the address of the Tunnel interface vs. the interface itself (Router B - ip route 10.10.13.0 255.255.255.0 172.16.0.1), or you can configure RIP, which is one of the big advantages of using GRE tunnels over IPSEC.
I hope this helps, and hopefully an Adtran engineer can verify this for us. I know my way around the NetVanta, but am not quite a guru.
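The answer above boils down to three checks on the hub's firewall policy: every GRE tunnel interface must carry an `ip access-policy`, the tunnel policy-class must allow traffic back into itself (that is what lets Site B reach Site C through Site A) and into the LAN class, and the LAN class must list its internet NAT after the allow toward the tunnel class. The script below is an added example, not code from the original post or from Adtran: it parses a flat AOS-style configuration excerpt using only the structure visible in the answer (blocks opened by `interface`/`router`/`ip access-list`/`ip policy-class` lines and closed by `!`) and reports which of those rules a configuration breaks. Both configurations it runs against are constructed for illustration, it assumes the LAN-facing class is the one carrying the `nat source` statement, and it flags `ip route ... tunnel N` only as the advisory the answer gives, not as an error.

```python
import re

# Constructed excerpt modelled on the router A configuration in the answer (hypothetical).
GOOD_HUB = """\
interface tunnel 1 gre ip
  ip address 172.16.0.1 255.255.255.252
  ip access-policy Tunnel
!
interface tunnel 2 gre ip
  ip address 172.17.0.1 255.255.255.252
  ip access-policy Tunnel
!
ip policy-class Private
  allow list tunnel policy Tunnel stateless
  allow list self self
  nat source list internet interface ethernet 0/1 overload policy Public
!
ip policy-class Tunnel
  allow list self self
  allow list tunnel policy Tunnel
  allow list tunnel policy Private
!
"""

# Constructed variant showing the mistakes the answer warns about (also hypothetical).
BAD_HUB = """\
interface tunnel 1 gre ip
  ip address 172.16.0.1 255.255.255.252
  ip access-policy Tunnel
!
interface tunnel 2 gre ip
  ip address 172.17.0.1 255.255.255.252
!
ip route 10.10.13.0 255.255.255.0 tunnel 2
ip policy-class Private
  nat source list internet interface ethernet 0/1 overload policy Public
  allow list tunnel policy Tunnel stateless
!
ip policy-class Tunnel
  allow list self self
  allow list tunnel policy Private
!
"""

BLOCK_START = re.compile(r"^(interface|router|ip access-list|ip policy-class)\b")


def parse_blocks(config):
    """Split an AOS-style excerpt into (header, [body lines]) pairs.
    A block opens at an interface/router/access-list/policy-class line and
    closes at '!' or the next header; lines outside any block get header ''."""
    blocks = [("", [])]
    for raw in config.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        if ln == "!":
            blocks.append(("", []))          # back to global scope
        elif BLOCK_START.match(ln):
            blocks.append((ln, []))
        else:
            blocks[-1][1].append(ln)
    return [(h, b) for h, b in blocks if h or b]


def check_hub(config):
    """Return a list of findings; an empty list means the excerpt follows the answer."""
    findings, tunnel_policy, classes, global_lines = [], {}, {}, []
    for header, body in parse_blocks(config):
        if header.startswith("interface tunnel"):
            name = " ".join(header.split()[1:3])            # e.g. "tunnel 2"
            pol = [ln.split()[2] for ln in body if ln.startswith("ip access-policy ")]
            if pol:
                tunnel_policy[name] = pol[0]
            else:
                findings.append(f"{name}: no 'ip access-policy' assigned")
        elif header.startswith("ip policy-class"):
            classes[header.split()[2]] = body
        elif header == "":
            global_lines.extend(body)

    def allows_to(entries, target):
        return any(ln.startswith("allow") and re.search(rf"\bpolicy {target}\b", ln) for ln in entries)

    # Assumption: the LAN-facing class is the one that carries the internet NAT statement.
    lan_classes = [n for n, e in classes.items() if any(ln.startswith("nat source") for ln in e)]
    for tpol in sorted(set(tunnel_policy.values())):
        entries = classes.get(tpol, [])
        if not allows_to(entries, tpol):
            findings.append(f"policy-class {tpol}: no allow to itself, so spoke-to-spoke traffic relayed via the hub is dropped")
        for lan in lan_classes:
            if not allows_to(entries, lan):
                findings.append(f"policy-class {tpol}: no allow to {lan} (tunnel-to-LAN)")
            lan_entries = classes[lan]
            nat_idx = [i for i, ln in enumerate(lan_entries) if ln.startswith("nat source")]
            allow_idx = [i for i, ln in enumerate(lan_entries) if ln.startswith("allow") and f"policy {tpol}" in ln]
            if not allow_idx:
                findings.append(f"policy-class {lan}: no allow to {tpol} (LAN-to-tunnel)")
            elif nat_idx and min(nat_idx) < max(allow_idx):
                findings.append(f"policy-class {lan}: 'nat source' is listed before the allow to {tpol}, so LAN-to-tunnel traffic can match the internet NAT first")
    for ln in global_lines:
        m = re.match(r"ip route (\S+) (\S+) (tunnel \d+)$", ln)
        if m:   # advisory only: the answer suggests the far-end tunnel address as next hop
            findings.append(f"static route to {m.group(1)} points at {m.group(3)}; try the far-end tunnel address as next hop instead")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good hub", GOOD_HUB), ("bad hub", BAD_HUB)):
        print(label, "->", check_hub(cfg) or "no findings")
```

Paste the output of `show running-config` from the hub in place of the constructed strings; the checker only knows the three rules the answer states, so a clean run means the policy-class side of the problem is ruled out and what remains is routing (static routes on B and C, or RIP over the tunnels as the answer suggests).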
Thanks vmaxdawg05, you're a genius.