[c-nsp] Tunnel keepalive in NAT environment problem

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Nov 18 08:03:08 EST 2008


Well, it looks like the linux NAT/firewall is not NAT'ing the keepalive
GRE packets correctly, otherwise they would not arrive with the
172.16.1.1 src address on router2. Not sure what's happening there, but
I would focus my attention on the NAT/firewall box. I guess NAT for the
"other" GRE packets works just fine?
Maybe related to the different protocol type (0x0) or the lack of
payload in the GRE keepalive packet?

	oli

Darren Yang <> wrote on Tuesday, November 18, 2008 13:39:

> Hi,
> 
> You're right, the linux firewall already did the NAT translation.
> The GRE tunnel worked ok when I did not configure the "keepalive" command
> on the tunnel interface. But when I configure "keepalive", the tunnel
> soon goes into down status....
> 
> Thanks
> 
> pigsign
> 
> 
> 
> 2008/11/18 Varaillon Jean Christophe <j.varaillon at cosmoline.com>:
>> Hi,
>> 
>>> The routers can ping reachable each other.
>> 
>> So the routing between the 172.16.1.1 and 1.1.1.1 is working.
>> 
>>> But the problem is Router01's ip address is private (172.16.1.1) and
>>> Router02 will not reply to packets correctly.
>> 
>> Is your firewall allowing GRE traffic to flow between both routers?
>> Did you configure your translation statement in your firewall so
>> that GRE traffic can be initiated from both sides?
>> 
>> Christophe
>> 
>> 
>> 2008/11/18 Varaillon Jean Christophe <j.varaillon at cosmoline.com>:
>>> Hi
>>> 
>>> For the tunnel to be operational, each router should be able to
>>> reach the destination IP of the tunnel from the source IP of the
>>> tunnel (extended ping command will help you). 
>>> 
>>> When this is done, meaning, ping from IP source of the tunnel to IP
>>> destination of the tunnel works, then you can set-up your keepalive
>>> functionality. 
>>> 
>>> Christophe
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
>>> Sent: Tuesday, November 18, 2008 12:23 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>>> 
>>> Hi All,
>>> 
>>> The Cisco GRE tunnel keepalive mechanism requires a public IP
>>> on both sides.
>>> But I have one Router in a NAT environment whose ip address is a
>>> private IP address, and another outside Router with a public IP address,
>>> so when I configure "keepalive" on the tunnel interface, the tunnel
>>> interface shows the "line protocol down" message directly....
>>> 
>>> Does anyone have an idea about this?
>>> 
>>> Thanks :)
>>> 
>>> pigsign
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
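As an added illustration of the failure mode Oliver describes (example code written for this page, not from any poster and not Cisco's implementation): it builds a Cisco-style GRE keepalive as the thread describes it (inner GRE with protocol type 0x0 and no payload), passes it through a NAT that rewrites only the outer IP header, and shows where the peer's reflected answer ends up. 172.16.1.1 and 1.1.1.1 are the addresses from the thread; the NAT's public address (203.0.113.1) is a placeholder the thread does not give.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_IP = 0x0800         # outer GRE carries an IPv4 packet
GRE_PROTO_KEEPALIVE = 0x0000  # inner GRE: protocol type 0, no payload

def ipv4_header(src, dst, payload_len, proto=47):
    """Minimal 20-byte IPv4 header; checksum left at 0 (irrelevant for this analysis)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def gre_header(proto):
    """4-byte GRE header with no checksum/key/sequence flags set."""
    return struct.pack("!HH", 0, proto)

def build_keepalive(tun_src, tun_dst):
    """Cisco-style GRE keepalive: IP(src->dst)/GRE(0x0800)/IP(dst->src)/GRE(0x0000).
    The peer decapsulates it and simply routes the inner packet back towards tun_src."""
    inner = ipv4_header(tun_dst, tun_src, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return ipv4_header(tun_src, tun_dst, 4 + len(inner)) + gre_header(GRE_PROTO_IP) + inner

def parse_ip_gre(pkt):
    """Return (src, dst, gre_protocol_type, payload) for an IPv4/GRE packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), proto, pkt[ihl + 4:]

def snat_outer(pkt, private, public):
    """Plain source NAT: rewrites the OUTER source only; the inner header is untouched."""
    if str(IPv4Address(pkt[12:16])) == private:
        pkt = pkt[:12] + IPv4Address(public).packed + pkt[16:]
    return pkt

def reflect(pkt):
    """What the receiving router does: decapsulate and hand the inner packet to routing."""
    _, _, proto, inner = parse_ip_gre(pkt)
    return inner if proto == GRE_PROTO_IP else None

def keepalive_reply_target(private, public, peer):
    """Trace one keepalive from the private router through the NAT to the peer and
    report where the peer's reflected answer is addressed."""
    ka = snat_outer(build_keepalive(private, peer), private, public)
    r_src, r_dst, r_proto, _ = parse_ip_gre(reflect(ka))
    return {"outer_src_seen_by_peer": parse_ip_gre(ka)[0], "reply_src": r_src,
            "reply_dst": r_dst, "reply_gre_proto": r_proto}

if __name__ == "__main__":
    # Constructed scenario: 203.0.113.1 stands in for the NAT's public address.
    print(keepalive_reply_target("172.16.1.1", "203.0.113.1", "1.1.1.1"))
    # reply_dst is 172.16.1.1: the peer's answer is addressed to the private address
    # carried inside the keepalive, so unless the NAT also translates the inner
    # header, the tunnel source never sees its keepalive come back and goes down.
```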

