Would you please help me with this case?
When configuring spoke-to-spoke DMVPN with multiple hubs (GRE IPSEC EIGRP), what traffic should be permitted on the outside physical interface on a spoke router?
ip access-list extended CRYPTO-ONLY
permit esp [IPSEC Remote Peers] [IPSEC Local Peer]
permit udp [IPSEC Remote Peers] [IPSEC Local Peer] eq isakmp
permit gre [IPSEC Remote Peers] [IPSEC Local Peer]
ip access-group CRYPTO-ONLY in
If I remove the last line from the access list, where "GRE" is permitted, the router never builds EIGRP neighbor relationships. Should this line be present? If yes, is any unencrypted GRE traffic going out?
Thanks in advance,
The access list bound to the outside interface is checked twice, i.e. before and after decryption. That is why you need to permit the unencrypted GRE packets as well.
pls rate helpful posts
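The double check described in the answer above, modelled as an added example (not part of the original thread and not IOS code): the inbound ACL is evaluated on the ESP packet and again on the GRE packet it decrypts to. The peer addresses, the `Packet` type and the function names are assumptions made for the illustration.

```python
# Constructed model of the behaviour the answer describes: the inbound ACL on
# the outside interface is evaluated on the ESP packet, then again on the
# decrypted GRE packet. It covers the ACL only, not the crypto engine's checks.
from dataclasses import dataclass
from typing import Optional

HUB, SPOKE = "192.0.2.1", "198.51.100.10"   # assumed peers (documentation ranges)

@dataclass
class Packet:
    proto: str                         # "esp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # what an ESP packet decrypts to

# Each entry: (protocol, source, destination, destination port or None)
ACL_WITH_GRE = [
    ("esp", HUB, SPOKE, None),
    ("udp", HUB, SPOKE, 500),          # "eq isakmp"
    ("gre", HUB, SPOKE, None),
]
ACL_WITHOUT_GRE = ACL_WITH_GRE[:2]     # the question's ACL minus its last line

def acl_permits(acl, pkt):
    """Permit-only list; anything unmatched hits the implicit deny."""
    return any(
        (proto, src, dst) == (pkt.proto, pkt.src, pkt.dst)
        and (port is None or port == pkt.dport)
        for proto, src, dst, port in acl
    )

def inbound(acl, pkt):
    """Return the stage at which the packet is dropped, or 'delivered'."""
    if not acl_permits(acl, pkt):
        return "dropped before decryption"
    if pkt.proto == "esp" and not acl_permits(acl, pkt.inner):
        return "dropped after decryption"
    return "delivered"

# An EIGRP hello from the hub travels as GRE inside ESP; the decrypted GRE
# packet carries the same tunnel endpoint addresses as the IPsec peers.
eigrp_hello = Packet("esp", HUB, SPOKE, inner=Packet("gre", HUB, SPOKE))
ike = Packet("udp", HUB, SPOKE, dport=500)

if __name__ == "__main__":
    for name, acl in (("with gre", ACL_WITH_GRE), ("without gre", ACL_WITHOUT_GRE)):
        print(name, "->", inbound(acl, eigrp_hello))
```

Without the GRE entry the hello passes the first check as ESP and is dropped on the second, which matches the symptom in the question: IKE and ESP are accepted, yet no EIGRP neighbor forms.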