I have followed the pdf's on doing this and cannot get all the VPN tunnels nor the GRE tunnels to come up, and when I turn on the firewall's on some of
them I lose connectivity to the box, even though I have created a public policy allowing admin (telnet,snmp, https) access to the boxes. Running the latest code, and tested this in a lab first before deploying. Need some help;
I have had this same issue when using the pdf's from the support page. I contacted support and they would resolve the issue by using cli to change ACL's. Apparently when using the GUI to configure the GRE/IPsec tunnels appropriate ACL's are not confiugred correctly. I have started using the CLI to configure these tunnels and have not had further trouble. This may not pertain to you but it certainly brought back memories so I thought I would mention this.
@dakotatim - Thank you for posting your question on the forum. Could you attach the current configurations from the two routers you are attempting to bring up the GRE over IPSec tunnel between? Please remember to remove any information that may be sensitive to your network.
Thanks,
Noor
@dakotatim - Thanks for posting your configurations. Based on what I saw, it appears you are trying to create GRE tunnels between switches that are on the same LAN. I think it would be a first good step to try and get the GRE over IPSec tunnels up without the firewall on.
Your current configuration shows all tunnel interfaces are currently "shutdown". I'm not sure if that was done as a preventative measure. Please follow the following steps and gather the following information that will help us troubleshoot:
- Enable tunnel 4 on the 'pw19' router and tunnel 1 on the 'pw20' router. This can be done in the web interface by navigating to Data -> Router/Bridge -> GRE tunnels from the panel on the left. Click on the appropriate tunnel interface and make sure that the "Enable" box is checked. In the CLI, the following commands will enable the tunnel interface:
router(config)# interface tunnel <tunnel ID>
router(config-tunnel)# no shutdown
- Are 10.250.1.1 and 10.250.1.2 able to ping eachother?
- Please provide the output to "show interface tunnel 1" on router 'pw20' and "show interface tunnel 4" on router 'pw19'. You can also provide a screenshot of the tunnel statistics located at the bottom of the tunnel configuration page.
- Please provide the output to "debug crypto ike" from both routers while attempting to send traffic from the 10.100.10.0 /24 network to the 10.100.0.0 /24 network or vice-versa. It would be a good idea to log the output as there will be a lot of information that is provided with this debug.
This information will help us troubleshoot where the negotiation is failing.
Thanks,
Noor
So I don't need the Firewalls turned on for this to work.
@dakotatim - Based on the configurations you sent, it appears that all the VPN peers are located on the same private subnet. Usually, in these setups, the GRE over IPSec tunnel goes over an internet connection so it requires that the firewall be enabled in that scenario. The only concern I have on whether the firewall is required in your scenario is if the NetVanta devices need to NAT any traffic to go out to the internet. If that is being done by an external firewall, then it is not necessary to have the firewall enabled on the NetVanta devices. At the very least, I do not believe the firewall will be required in your scenario for getting the GRE over IPSec tunnels up and passing traffic.
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
I have had this same issue when using the pdf's from the support page. I contacted support and they would resolve the issue by using cli to change ACL's. Apparently when using the GUI to configure the GRE/IPsec tunnels appropriate ACL's are not confiugred correctly. I have started using the CLI to configure these tunnels and have not had further trouble. This may not pertain to you but it certainly brought back memories so I thought I would mention this.
I did a retype of the VPN adn GRE tunnels and have everything working correctly. Fully meshed 9 sites on Metro-E using GRE over IPSEC and OSPF for routing. Kind of a pain to trouble shoot as the existing configs would not owkr unless I got rid of everything and from the CLI put it back in. Not sure if it is me going to fast i nthe WEB interface or what but it is now working.
Thnaks for the help and comments.