GRE tunneling with keepalive + ip access-list

[AntoineC]

Hi everybody,

Being security addicted, I've setup the following:

A GRE tunnel between 2 router (let's call them A and B). Each got its own loopback (loA and LoB). Now, i've set an ip access-list on each interface permitting only LoA to reach LoB and vice versa. It worked. Now, when I try to implement a keepalive on both side of the tunnel, the access-list prevent it. My question : Is there any standard way to let the keepalive go through in a nice way? So far, I've permitted in the access-list of the tunnel the adress of the physical interface so the keepalive goes through the tunnel and comes back via the line directly. Is that the correct way to do it ? could anyone point me a good reference?

Thanks

 

[AntoineC]

Here's the relevant info for 1 router. Swap .1 with .2 and you got the 2nd router config

interface FastEthernet0/1
ip address 10.10.14.2 255.255.255.0
ip access-group physical-in in
ip access-group physical-out out
speed 100
full-duplex
interface Loopback10
ip address 10.10.17.1 255.255.255.255

interface Tunnel1
ip address 10.10.15.2 255.255.255.0
ip access-group tunnel-in in
keepalive 10 3
tunnel source 10.10.14.2
tunnel destination 10.10.14.1

ip route 10.10.16.0 255.255.255.0 Tunnel1
ip access-list extended physical-in
permit gre host 10.10.14.1 host 10.10.14.2 log
ip access-list extended physical-out
permit gre host 10.10.14.2 host 10.10.14.1 log
ip access-list extended tunnel-in
permit ip host 10.10.16.1 host 10.10.17.1 log
permit gre host 10.10.14.2 host 10.10.14.1 log


NB Loopback for the second router is 10.10.17.1