09-28-2007 08:47 AM - edited 02-21-2020 03:17 PM
why can't you run a routing protocol in IPSEC tunnel mode? why do you need GRE to run a routing protocol?
09-28-2007 09:04 AM
Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE, which can easily pass multicast and broadcast traffic within the tunnel, as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
HTH
Rick
09-28-2007 09:21 AM
Thanks for the response, Rick.
Just had a quick follow-up. Doesn't IPsec tunnel mode already encapsulate a unicast IP address? I figured we could trigger IPsec with some sort of "permit eigrp" statement in the crypto ACL (assuming we're using EIGRP). Is this feasible?
09-28-2007 09:32 AM
Yes, IPsec already encapsulates a unicast IP address (this is part of what I said in my previous response). But IPsec does not encapsulate multicast. And EIGRP uses multicast packets.
HTH
Rick
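The point Rick makes in both replies (a policy-based IPsec SA is negotiated between two unicast peers, so an EIGRP hello addressed to 224.0.0.10 has nowhere to go until GRE wraps it in a unicast packet between the tunnel endpoints) can be seen by building the packets by hand. The following is an added example and is not part of the original thread or of any vendor code: the tunnel endpoint addresses (203.0.113.1 and 198.51.100.1, from the documentation ranges), the inner address 10.0.0.1, the stub EIGRP hello payload and the `ipsec_selects` matcher are all constructed for illustration. The matcher is a deliberately simplified model of a crypto ACL (`permit <proto> host A host B`, with `any` allowed) in front of a single-peer SA, not an implementation of IKE or crypto-map processing.

```python
"""Added example (not from the original thread): why a multicast EIGRP hello
cannot be selected by a peer-to-peer IPsec SA, but its GRE encapsulation can.

Addresses, the hello payload and the selector model are constructed for
illustration; ipsec_selects() is a simplified model, not vendor code."""
import ipaddress
import struct

PROTO_GRE = 47
PROTO_EIGRP = 88
ETHERTYPE_IPV4 = 0x0800
EIGRP_HELLO_MCAST = "224.0.0.10"  # "all EIGRP routers" multicast group


def checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (IHL 5, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields an IPsec traffic selector looks at, plus the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def build_eigrp_hello(router_src: str) -> bytes:
    """Constructed EIGRP hello: version 2, opcode 5, remaining fields zeroed.
    Real hellos carry TLVs; the selector only cares about the IP header."""
    eigrp = struct.pack("!BB", 2, 5) + b"\x00" * 18
    return build_ipv4(router_src, EIGRP_HELLO_MCAST, PROTO_EIGRP, eigrp, ttl=1)


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an IP packet in a basic GRE header (RFC 2784: flags/version 0,
    protocol type IPv4) and a unicast outer IPv4 header between the
    tunnel endpoints. This is the packet the crypto ACL gets to see."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, PROTO_GRE, gre_hdr + inner)


def gre_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers, returning the original packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def ipsec_selects(pkt: bytes, acl):
    """Simplified model of a policy-based IPsec SA: the SA has exactly one
    unicast remote peer, so a multicast destination can never be delivered
    through it regardless of the crypto ACL; otherwise the packet must match
    an ACE of (proto, src, dst), where src/dst may be 'any' or a host address.
    Returns (selected, reason)."""
    hdr = parse_ipv4(pkt)
    if ipaddress.IPv4Address(hdr["dst"]).is_multicast:
        return False, "destination %s is multicast; the SA has a single unicast peer" % hdr["dst"]
    for proto, src, dst in acl:
        if proto == hdr["proto"] and src in ("any", hdr["src"]) and dst in ("any", hdr["dst"]):
            return True, "matched permit proto=%d %s -> %s" % (proto, src, dst)
    return False, "no ACE matched"


def demo():
    hub, spoke = "203.0.113.1", "198.51.100.1"      # constructed tunnel endpoints
    hello = build_eigrp_hello("10.0.0.1")            # constructed inner router address
    # The "permit eigrp" idea from the follow-up question: even a permissive
    # ACE cannot help, because the packet is still addressed to 224.0.0.10.
    raw = ipsec_selects(hello, [(PROTO_EIGRP, "any", "any")])
    # GRE first: the outer header is unicast hub -> spoke, protocol 47,
    # so the usual "permit gre host hub host spoke" ACE selects it.
    encap = gre_encapsulate(hello, hub, spoke)
    wrapped = ipsec_selects(encap, [(PROTO_GRE, hub, spoke)])
    return {"raw": raw, "gre": wrapped, "outer": parse_ipv4(encap)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if k != "outer" else {f: v[f] for f in ("src", "dst", "proto")})
```

Running the block prints the rejection reason for the raw hello and the matching ACE for the GRE-wrapped copy; `gre_decapsulate` returns the original hello byte-for-byte, which is what the far-end tunnel interface hands to EIGRP after ESP and GRE are stripped.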