
GRE over VPN tunnel with multiple sites


How can I create GRE VPN tunnel with multiple sites?

Site A (Main Site) 192.168.0.0/24

Site B 192.168.1.0/24

Site C 10.10.13.0/24

Site A and B currently connected via GRE Tunnel over IPSEC 172.16.0.1 - 172.16.0.2

Site A and C currently connected via GRE Tunnel over IPSEC 172.17.0.1 - 172.17.0.2


Traffic from A to B is working fine.

Traffic from A to C is working fine.

How can I route traffic from Site B to Site C without creating a tunnel between the two?

I've attempted to create static route on B and C, yet no luck.

Router B -
ip route 10.10.13.0 255.255.255.0 tunnel 1

Router C -

ip route 192.168.1.0 255.255.255.0 tunnel 1

Does anyone have any ideas?


Accepted Solutions

Re: GRE over VPN tunnel with multiple sites


1.  Since there is IPSEC, I assume you are using the firewall? If so, then you will need to make sure the Tunnel interfaces are assigned to a policy-class and have appropriate ACLs assigned to the policy-class. My assumption is that you have two tunnels on Site A (Tunnel 1 and Tunnel 2). Also make sure your NAT statement for internet is listed after any allow statements for the Tunnel interfaces in your policy-class.

Example of relevant programming for router A:

interface ethernet 0/1
  ip address <public ip> <subnet mask>
  ip access-policy Public
  crypto map VPN
  no shutdown
!
interface vlan 1
  ip address 192.168.0.1 255.255.255.0
  ip access-policy Private
  no shutdown
interface tunnel 1 gre ip
  description Tunnel to Site B
  ip address 172.16.0.1 255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
interface tunnel 2 gre ip
  description Tunnel to site C
  ip address 172.17.0.1 255.255.255.252
  ip mtu 1400
  ip access-policy Tunnel
  tunnel source <source ip>
  tunnel destination <destination ip>
  keepalive
  no shutdown
router rip
  version 2
  network 172.16.0.0 255.255.255.252
  network 172.17.0.0 255.255.255.252
  network 192.168.0.0 255.255.255.0
ip access-list extended tunnel
  remark GRE Tunnel
  permit ip any any
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless  * Automatically added by VPN
  allow list VPN-10-vpn-selectors stateless  * Automatically added by VPN
  allow list tunnel policy Tunnel stateless  * Allows traffic listed in ACL "tunnel" to the policy-class "Tunnel"
  allow list self self
  nat source list internet interface ethernet 0/1 overload policy Public
ip policy-class Tunnel
  allow list self self
  allow list tunnel policy Tunnel  * allows traffic between Tunnel interfaces
  allow list tunnel policy Private  * allows traffic from tunnel to the Private/LAN network
!

You would apply the respective programming to routers B & C.

2.  I would try using the address of the Tunnel interfaces vs. the interface itself (Router B - ip route 10.10.13.0 255.255.255.0 172.16.0.1), or you can configure RIP, which is one of the big advantages of using GRE tunnels over IPSEC.


I hope this helps, and hopefully an Adtran engineer can verify this for us. I know my way around the NetVanta, but am not quite a Guru.
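
The conditions the answer above relies on for spoke-to-spoke traffic through Site A, as an added example (not part of the original post and not Adtran code): a small model of the three routers' route tables and policy-classes that traces a packet hop by hop. Router names used as next hops, the host addresses ending in .10, and the reduction of each policy-class to (ingress, egress) pairs are assumptions of the model.

```python
import ipaddress

# Constructed model of the page's topology. Next hops are router names
# (an assumption of this model); "local" marks the directly attached LAN.
ROUTES = {
    "A": {"192.168.0.0/24": "local", "192.168.1.0/24": "B", "10.10.13.0/24": "C"},
    "B": {"192.168.1.0/24": "local", "192.168.0.0/24": "A", "10.10.13.0/24": "A"},
    "C": {"10.10.13.0/24": "local", "192.168.0.0/24": "A", "192.168.1.0/24": "A"},
}
# (ingress class, egress class) pairs that the answer's allow statements
# permit, assumed to be applied identically on all three routers.
ALLOWS = {("Private", "Tunnel"), ("Tunnel", "Tunnel"), ("Tunnel", "Private")}
POLICY = {name: set(ALLOWS) for name in ROUTES}

def lookup(table, dst):
    """Longest-prefix match over one route table; next hop or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, hop)
            for p, hop in table.items() if addr in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def origin(src, routes):
    """Router whose attached LAN contains the source address."""
    for name, table in routes.items():
        if lookup({p: h for p, h in table.items() if h == "local"}, src):
            return name
    return None

def trace(src, dst, routes=ROUTES, policy=POLICY):
    """Follow one direction hop by hop: (delivered, path, reason)."""
    router, ingress, path = origin(src, routes), "Private", []
    while router and len(path) < 8:  # hop limit guards against loops
        path.append(router)
        hop = lookup(routes[router], dst)
        if hop is None:
            return False, path, f"no route on {router}"
        egress = "Private" if hop == "local" else "Tunnel"
        if (ingress, egress) not in policy[router]:
            return False, path, f"{ingress}->{egress} denied on {router}"
        if hop == "local":
            return True, path, "delivered"
        router, ingress = hop, "Tunnel"
    return False, path, "unknown source or routing loop"

def round_trip(a, b, routes=ROUTES, policy=POLICY):
    """Two-way reachability: the reply must be routed and permitted too."""
    return trace(a, b, routes, policy)[0] and trace(b, a, routes, policy)[0]
```

In this model, removing ("Tunnel", "Tunnel") from Site A's set makes B to C fail at the hub while A to B and A to C still pass, and removing Site C's route to 192.168.1.0/24 breaks only the reply direction.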




Re: GRE over VPN tunnel with multiple sites


Thanks vmaxdawg05, you're a genius.