routing protocols over IPSEC

Answered Question
Sep 28th, 2007

Why can't you run a routing protocol in IPSec tunnel mode? Why do you need GRE to run a routing protocol?

Correct Answer
Richard Burts Fri, 09/28/2007 - 09:04
Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE, which can easily pass multicast and broadcast traffic within the tunnel, as the way to run routing protocols over IPSec tunnels. With GRE, the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.


HTH


Rick

hi.622823 Fri, 09/28/2007 - 09:21
Thanks for the response, Rick.

Just had a quick follow-up. Doesn't IPSec tunnel mode already encapsulate a unicast IP address? I figured we could trigger IPSec with some sort of "permit eigrp" statement in the crypto ACL (assuming we're using EIGRP). Is this feasible?

Richard Burts Fri, 09/28/2007 - 09:32

Yes, IPSec already encapsulates a unicast IP address (this is part of what I said in my previous response). But IPSec does not encapsulate multicast. And EIGRP uses multicast packets.


HTH


Rick
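The encapsulation described in this thread, shown at the byte level as an added example (not part of the original posts): an EIGRP hello addressed to the multicast group 224.0.0.10 is wrapped in GRE, and the outer header that IPSec then sees is unicast, IP protocol 47. The addresses 10.0.0.1, 192.0.2.1 and 198.51.100.1, the TTL, and the zero-filled hello body are constructed sample values.

```python
import ipaddress
import struct

EIGRP, GRE = 88, 47            # IANA IP protocol numbers
EIGRP_GROUP = "224.0.0.10"     # multicast group EIGRP hellos are sent to


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Put a 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return head[:10] + struct.pack("!H", checksum(head + addrs)) + addrs + payload


def gre_encap(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Add a basic GRE header (no flags, version 0) and a unicast outer header."""
    gre_header = struct.pack("!HH", 0, 0x0800)   # protocol type: IPv4 payload
    return ipv4(tunnel_src, tunnel_dst, GRE, gre_header + inner)


def selector(packet: bytes):
    """Return (protocol, src, dst, dst_is_multicast), the fields an ACL matches on."""
    src, dst = (ipaddress.IPv4Address(packet[i:i + 4]) for i in (12, 16))
    return packet[9], str(src), str(dst), dst.is_multicast


def inner_of(gre_packet: bytes) -> bytes:
    # Strip the 20-byte outer IPv4 header and the 4-byte GRE header.
    return gre_packet[24:]


def demo():
    # Constructed sample: 20 zero bytes stand in for the EIGRP hello body.
    hello = ipv4("10.0.0.1", EIGRP_GROUP, EIGRP, bytes(20))
    outer = gre_encap("192.0.2.1", "198.51.100.1", hello)
    return selector(hello), selector(outer)


if __name__ == "__main__":
    for view in demo():
        print(view)
```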
