2 Replies Latest reply on May 16, 2013 12:30 PM by touristsis

    GRE over VPN tunnel with multiple sites

    touristsis Visitor

      How can I create a GRE VPN tunnel with multiple sites?

      Site A (Main Site) 192.168.0.0/24

      Site B 192.168.1.0/24

      Site C 10.10.13.0/24

       

      Site A and B currently connected via GRE Tunnel over IPSEC 172.16.0.1 - 172.16.0.2

      Site A and C currently connected via GRE Tunnel over IPSEC 172.17.0.1 - 172.17.0.2


      Traffic from A to B is working fine.

      Traffic from A to C is working fine.

      How can I route traffic from Site B to Site C without creating a tunnel between the two?

      I've attempted to create static routes on B and C, yet no luck.

      Router B -
      ip route 10.10.13.0 255.255.255.0 tunnel 1

      Router C -
      ip route 192.168.1.0 255.255.255.0 tunnel 1

       

      Does any one have any ideas?

        • Re: GRE over VPN tunnel with multiple sites
          vmaxdawg05 Past_Featured_Member

          1.  Since there is IPSEC, I assume you are using the firewall?  If so, then you will need to make sure the Tunnel interfaces are assigned to a policy-class and have appropriate ACLs assigned to the policy-class.  My assumption is that you have two tunnels on Site A (Tunnel 1 and Tunnel 2).  Also make sure your NAT statement for internet is listed after any allow statements for the Tunnel interfaces in your policy-class.

          Example of relevant programming for router A:

          interface ethernet 0/1
            ip address <public ip> <subnet mask>
            ip access-policy Public
            crypto map VPN
            no shutdown
          !

          interface vlan 1
            ip address 192.168.0.1 255.255.255.0
            ip access-policy Private
            no shutdown

          interface tunnel 1 gre ip
            description Tunnel to Site B
            ip address 172.16.0.1 255.255.255.252
            ip mtu 1400
            ip access-policy Tunnel
            tunnel source <source ip>
            tunnel destination <destination ip>
            keepalive
            no shutdown

          interface tunnel 2 gre ip
            description Tunnel to Site C
            ip address 172.17.0.1 255.255.255.252
            ip mtu 1400
            ip access-policy Tunnel
            tunnel source <source ip>
            tunnel destination <destination ip>
            keepalive
            no shutdown

          router rip
            version 2
            network 172.16.0.0 255.255.255.252
            network 172.17.0.0 255.255.255.252
            network 192.168.0.0 255.255.255.0

          ip access-list extended tunnel
            remark GRE Tunnel
            permit ip any any
          !

          ip policy-class Private
            allow list VPN-20-vpn-selectors stateless   * Automatically added by VPN
            allow list VPN-10-vpn-selectors stateless   * Automatically added by VPN
            allow list tunnel policy Tunnel stateless   * Allows traffic listed in ACL "tunnel" to the policy-class "Tunnel"
            allow list self self
            nat source list internet interface ethernet 0/1 overload policy Public

          ip policy-class Tunnel
            allow list self self
            allow list tunnel policy Tunnel    * allows traffic between Tunnel interfaces
            allow list tunnel policy Private   * allows traffic from tunnel to the Private/LAN network
          !

           

          You would apply the respective programming to routers B & C.

           

          2.  I would try using the address of the Tunnel interfaces VS the interface itself (Router B - ip route 10.10.13.0 255.255.255.0 172.16.0.1), or you can configure RIP which is one of the big advantages of using GRE tunnels over IPSEC.


          I hope this helps, and hopefully an Adtran engineer can verify this for us.  I know my way around the NetVanta, but am not quite a Guru.
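An added example (mine, not from either poster) that models point 2 of the reply as plain routing tables: longest-prefix lookup over the addresses given in the thread, tracing a Site B to Site C packet through hub A first with the poster's current routes and then with the spoke routes pointed at A's tunnel address. The routers are the page's A, B and C; the host addresses and the "connected" marker are constructed for the model, and the policy-class checks from point 1 are not modelled.

```python
import ipaddress
from copy import deepcopy

Net = ipaddress.IPv4Network

# Constructed from the thread: tunnel A-B is 172.16.0.0/30, tunnel A-C is
# 172.17.0.0/30.  Maps each tunnel address to the router that owns it.
TUNNEL_OWNER = {"172.16.0.1": "A", "172.16.0.2": "B",
                "172.17.0.1": "A", "172.17.0.2": "C"}

# Routing tables as the poster describes them: A reaches both spokes, each
# spoke reaches only A.  Entries are (prefix, next hop); "connected" marks
# the router's own LAN.
BASE_TABLES = {
    "A": [(Net("192.168.0.0/24"), "connected"),
          (Net("192.168.1.0/24"), "172.16.0.2"),   # Site B via tunnel 1
          (Net("10.10.13.0/24"), "172.17.0.2")],   # Site C via tunnel 2
    "B": [(Net("192.168.1.0/24"), "connected"),
          (Net("192.168.0.0/24"), "172.16.0.1")],
    "C": [(Net("10.10.13.0/24"), "connected"),
          (Net("192.168.0.0/24"), "172.17.0.1")],
}

def add_spoke_routes(tables):
    """Return a copy with the reply's point 2 applied: each spoke routes the
    other spoke's LAN to hub A's tunnel address (a next hop, not 'tunnel 1')."""
    t = deepcopy(tables)
    t["B"].append((Net("10.10.13.0/24"), "172.16.0.1"))   # B -> C via A
    t["C"].append((Net("192.168.1.0/24"), "172.17.0.1"))  # C -> B via A
    return t

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, 'connected', or None."""
    addr = ipaddress.IPv4Address(dst)
    hits = [(p, nh) for p, nh in table if addr in p]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, src_router, dst, max_hops=8):
    """Routers a packet traverses from src_router to dst, or None if dropped."""
    path, router = [src_router], src_router
    for _ in range(max_hops):
        nh = lookup(tables[router], dst)
        if nh is None:
            return None            # no matching route: dropped at this hop
        if nh == "connected":
            return path            # delivered onto the destination LAN
        router = TUNNEL_OWNER[nh]  # hand the packet across the GRE tunnel
        path.append(router)
    return None                    # hop limit exceeded (routing loop)

if __name__ == "__main__":
    print(trace(BASE_TABLES, "B", "10.10.13.5"))                    # None
    print(trace(add_spoke_routes(BASE_TABLES), "B", "10.10.13.5"))  # ['B', 'A', 'C']
```

Hub A already carries routes to both spoke LANs, so only the spokes need the extra static routes (or RIP learning them) for B and C to reach each other through A.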