GRE Tunnel Help

Hi all

I’m having some issues with a GRE Tunnel I have created to link two sites via VPN

For the sake of this post I will call the main site R1 and the secondary site R2

I have a GRE interface created at both ends

GRE Interface R1 - 172.28.22.1/30
GRE Interface R2 - 172.28.22.2/30

LAN

R1 - 172.28.0.0/16 (Servers are using 172.28.8.x and workstations 172.28.6.x)
R2 - 172.28.10.0/24

I have established a connection via the GRE Tunnel just fine. The problem lies with seeing the LAN side of each network.

I have static routes on both sides

R1 -
Dst Add - 172.28.10.0/24
Gateway - 172.28.22.2

R2 -
Dst Add - 172.28.0.0/16
Gateway - 172.28.22.1

I can ping everything on the LAN side of R1 from R2 terminal and also from a workstation on the LAN side of R2. So I can ping a server at 172.28.8.5 for example or a workstation at 172.28.6.3

However, from R1 is where I am having the issue. From R1 terminal I can ping anything on the LAN side of R2 just fine. If I go to a workstation or a server on the LAN side of R1 and try to ping, let's say, 172.28.10.5, I get no reply back. I have checked firewall rules and nothing is being dropped; the firewall is also switched off on the workstation and AV disabled. I spent hours trying to work this out yesterday and can't figure out what the problem is.

I have attached a visual of the network if that helps. Naturally, I have substituted my own WAN addresses with randoms. Apologies that the image is upside down - I have tried rotating it but the forum still seems to be uploading it the wrong way around!

Can anyone help?

Thanks
Ross

Your IP design is incorrect: when you ping 172.28.10.5 from the R1 LAN, it is in the same IP subnet as your LAN 172.28.0.0/16 and never gets forwarded to the gateway.

Hi CZFan

Thank you for the reply - so how would I go about altering this?

Can I not use 172.28.10.x on the R2 LAN and have to go with another range? i.e. 192.168.1.x?

I need to have the /16 mask on the R1 side due to separating Workstations / Servers into different subnets. I was hoping to still be able to use 172.28.0.0 on the R2 side…

Will /21 work for you at R1?

/21 would only give me from 172.28.0.1 to 172.28.7.254.

My servers are already assigned static addresses in the 172.28.8.0 range and I don't want to go and have to reassign them. Workstations use 172.28.6.x and need to be able to talk to the server range.

If I used /20 at R1 that would give me a range of 172.28.0.1 - 172.28.15.254

I could then reassign the DHCP scope at R2 to give out workstations 172.28.16.0/24

Would that work?

Yup, that will work. But sit and plan a bit for the future to make sure that if you change now, it will not be an issue in future again.

Thank you!

That solved my issue!
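Added example, not part of the original thread: a short Python check of the addressing discussed above, showing why an R1 LAN host with a /16 mask never sends 172.28.10.5 to its gateway while the R1 router itself reaches it, and why the /20 plus 172.28.16.0/24 plan removes the overlap. The function names, the "connected" route labels and the sample R2 host 172.28.16.5 are assumptions made for illustration; the prefixes and host addresses are the ones quoted in the posts.

```python
import ipaddress

def on_link(host_if, dst):
    """True if a host configured as host_if (addr/prefix) treats dst as
    directly connected, so it ARPs for it instead of using its gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_if).network

def best_route(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, as a router does."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def overlapping_sites(sites):
    """Return pairs of site names whose LAN prefixes overlap."""
    nets = {name: ipaddress.ip_network(p) for name, p in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def stranded(prefix, hosts):
    """Hosts with existing static addresses that fall outside a new prefix."""
    net = ipaddress.ip_network(prefix)
    return [h for h in hosts if ipaddress.ip_address(h) not in net]

# Addressing from the thread; "connected" is a constructed label.
ORIGINAL = {"R1": "172.28.0.0/16", "R2": "172.28.10.0/24"}
PROPOSED = {"R1": "172.28.0.0/20", "R2": "172.28.16.0/24"}
R1_TABLE = [("172.28.0.0/16", "connected"),
            ("172.28.22.0/30", "connected"),
            ("172.28.10.0/24", "172.28.22.2")]
R1_HOSTS = ["172.28.8.5", "172.28.6.3"]  # server and workstation from the posts

if __name__ == "__main__":
    # R1 workstation with the /16 mask: the R2 address looks local.
    print("R1 host sees 172.28.10.5 on-link:", on_link("172.28.6.3/16", "172.28.10.5"))
    # The R1 router holds the more specific /24 static route, so it uses the tunnel.
    print("R1 router next hop:", best_route(R1_TABLE, "172.28.10.5"))
    print("overlaps, original:", overlapping_sites(ORIGINAL))
    print("overlaps, proposed:", overlapping_sites(PROPOSED))
    # /21 would strand the server range; /20 keeps both existing hosts.
    print("stranded by /21:", stranded("172.28.0.0/21", R1_HOSTS))
    print("stranded by /20:", stranded("172.28.0.0/20", R1_HOSTS))
    print("R1 host sees 172.28.16.5 on-link:", on_link("172.28.6.3/20", "172.28.16.5"))
```

Running the same overlap check over every planned site prefix before assigning a new range catches this class of problem ahead of deployment.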