Site-to-site VPN + routing protocol

Unanswered Question
Nov 4th, 2008

I have two routers connected via a leased line, and a site-to-site VPN is implemented on this link. I also configured EIGRP between the two routers and it is working fine...

My question is: is it possible to configure EIGRP over IPsec applied on this leased line? Because what I knew is that for routing protocols GRE must be used?!

John Blakley Tue, 11/04/2008 - 11:48

You have to use GRE to use EIGRP, and you have to have tunnel interfaces for this to work properly.


--John

mohammady Tue, 11/04/2008 - 11:54

But it is working properly without GRE; this is confusing me! I just configured a normal site-to-site VPN over the leased line and I can see neighboring between the two routers.

John Blakley Tue, 11/04/2008 - 11:57

What does your config look like?

mohammady Tue, 11/04/2008 - 12:14

The two routers are connected as:

R1(s0/0)<----leased line----->R2(s0/0)

R1:
-----
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto isakmp key < > address x.x.x.x

crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

access-list 101 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255

crypto map Cryptomap1 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set mytransformset
 match address 101

int s0/0
 crypto map Cryptomap1

router eigrp 1
 network 10.0.0.0
 no auto-summary


Jon Marshall Tue, 11/04/2008 - 12:17

What is the addressing on your serial interfaces?


Jon

John Blakley Tue, 11/04/2008 - 12:19

One of these days Jon, I may beat you to the punch. ;-) Good question!


--John

Jon Marshall Tue, 11/04/2008 - 12:26

Think you already have in a couple of posts :-)


I was just wondering because if the serial interfaces fall into the 10.x.x.x range, then over a leased line they will form an EIGRP neighborship, which has nothing to do with the VPN tunnel.


Jon

John Blakley Tue, 11/04/2008 - 12:18

What is the result of:

sh ip eigrp neigh
sh ip route eigrp



mohammady Tue, 11/04/2008 - 12:59

The serial interfaces use a different subnet.

The neighbor is the IP address of the serial interface of the remote router, and all the networks have the remote router IP address as next hop.



Brent Rockburn Tue, 11/04/2008 - 13:06

I hate to say it but sometimes this site is a little confusing... LOL


Are you saying that you've found a way to get a routing protocol to work across a VPN L2L IPSEC tunnel?


I was under the impression that this wouldn't work.

Jon Marshall Tue, 11/04/2008 - 13:53

Yes, but what is the exact addressing? I.e. if it is 10.x.x.x anything, then EIGRP will run on that interface and will form a neighborship with the other router.


Jon

Brent Rockburn Tue, 11/04/2008 - 13:59

It will form a relationship but the routing table would be empty because of the multicast issues with EIGRP right?

mohammady Tue, 11/04/2008 - 14:09

The routing table is not empty; all the networks appear with next hop --> IP address of the remote router....

Let's say I want to configure GRE over IPsec: where shall I apply the crypto map? I see some documents apply it to the tunnel, others to tunnel & physical, and others on the physical interface only. Also, the access list in most documents contains only the tunnel source and destination IPs; is this right? What about the internal network, shall I include it in the access list or is it not necessary? See the link below:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml



Brent Rockburn Tue, 11/04/2008 - 14:13

Sorry I must have gotten lost somewhere in the thread. So you are using GRE over IPSEC?

mohammady Tue, 11/04/2008 - 14:17

Thanks for your reply....

No, I'm not using GRE over IPsec, only IPsec VPN.

But if I want to use GRE over IPsec, could you please answer my questions above?

John Blakley Tue, 11/04/2008 - 14:18

Can you post your complete config? It would be SO much easier.


--John

John Blakley Tue, 11/04/2008 - 14:16

You only need to apply the crypto map on the outside interface.


In your acl, you would permit gre, esp, and udp eq isakmp (500) into your public interface.


You don't need to include your internal network in the acl that's applied on the outside interface. You WILL need to, of course, apply it to the acl to match the traffic in your crypto map though.


--John



Jon Marshall Tue, 11/04/2008 - 14:15

No, because EIGRP will advertise all networks it is aware of to a neighbor. The key thing I am saying is that EIGRP will not run across a VPN tunnel without GRE, but I don't believe EIGRP is running across the VPN tunnel.

Because this is a leased line you can run private addressing across it. So I suspect that the serial interfaces are just forming an EIGRP neighborship - nothing to do with the VPN tunnel. And the routing updates exchanged between these 2 routers do not go down the VPN tunnel at all. You could remove the VPN configuration and you would still get an EIGRP peering.

Of course this is partly guesswork because we still don't know what the serial interface addressing is.


Jon

mohammady Tue, 11/04/2008 - 14:14

R1:
 internal network 10.10.0.0/24
 s0/0 192.168.10.1/30

R2:
 internal network 10.20.0.0/24
 s0/0 192.168.10.2/30


Brent Rockburn Tue, 11/04/2008 - 14:19

This makes sense now... Jon was right about the leased line and the private IPs. I'm no longer confused...


Thanks Jon.

mohammady Tue, 11/04/2008 - 14:22

Then will this configuration cause any problem?

Jon Marshall Tue, 11/04/2008 - 14:28

Brent


At the risk of confusing the issue, what I explained only makes sense if the serial interface addressing has a network statement under the EIGRP config.

The partial config supplied by Mohammed only has

router eigrp 1
 network 10.0.0.0

so EIGRP should not be running on the serial interfaces.

Mohammed, can you confirm whether you have a network statement for 192.168.x.x addressing under your EIGRP config.

Also, why are you running a VPN across a leased line - is it for security reasons?


Jon

John Blakley Tue, 11/04/2008 - 14:31

Can you show us your routing table? Remove any public addresses. I'd be interested in seeing it.

Brent Rockburn Tue, 11/04/2008 - 14:33

I totally agree Jon; my confusion stems from thinking that EIGRP was working over an IPsec VPN L2L tunnel.


I have the clear vision now.



mohammady Tue, 11/04/2008 - 14:43

Sorry, the IP address of the serial interface is included under EIGRP:

router eigrp 1
 network 10.0.0.0
 network 192.168.10.1 0.0.0.0

The VPN is required for security reasons.

Please John, can you answer my question regarding the configurations of GRE over IPsec:

- where shall I apply the crypto map?
- is an access list required?

John Blakley Tue, 11/04/2008 - 14:47

That would explain why your routes are showing up :-)


You only need to apply the crypto map on the outside interface.


In your acl, you would permit gre, esp, and udp eq isakmp (500) into your public interface.


Since you're on a leased line, you don't need an ACL, but I would think you would want one.


Have you done a sh crypt session to see if you have an SA established with the other side? Your tunnels may not even be up. You could also do a sh crypt isakmp sa to check.


You don't need to include your internal network in the acl that's applied on the outside interface. You WILL need to, of course, apply it to the acl to match the traffic in your crypto map though.


--John
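The distinction Jon draws above (the EIGRP peering forms between the serial addresses and never enters the tunnel) and John's advice on the crypto ACL for GRE over IPsec both come down to one question: does a given packet leaving s0/0 match a permit line of the crypto map's ACL? The following is an added example, not code from this thread or from Cisco. It models that check in Python using the poster's own ACL 101 and addressing (10.10.0.0/24, 10.20.0.0/24, 192.168.10.1/30 and .2/30), then an assumed GRE-over-IPsec variant in which Tunnel0 is sourced from s0/0 on each router and the crypto ACL is `permit gre host 192.168.10.1 host 192.168.10.2`; that ACL line and the tunnel design are my assumptions, not something the thread states.

```python
"""Added example, not code from the thread or from Cisco: a small model of how
a crypto-map ACL selects the traffic an IPsec SA protects.  It reproduces the
thread's ACL 101 and addressing, then an assumed GRE-over-IPsec variant."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit <proto> <src> <wildcard> <dst> <wildcard>' line of a crypto ACL."""
    proto: str   # "ip" matches any IP protocol; otherwise an exact name such as "gre"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (0.0.0.255) -> network (/24); 'host x' is wildcard 0.0.0.0."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def permit(proto: str, src: str, src_wc: str, dst: str, dst_wc: str) -> AclEntry:
    return AclEntry(proto, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))


def is_protected(acl: list[AclEntry], proto: str, src: str, dst: str) -> bool:
    """True if a packet leaving the crypto-map interface matches a permit entry,
    i.e. is encrypted by the IPsec SA.  Anything else is forwarded in the clear."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any((e.proto == "ip" or e.proto == proto) and s in e.src and d in e.dst
               for e in acl)


def gre_encapsulate(tunnel_src: str, tunnel_dst: str) -> tuple[str, str, str]:
    """What the serial interface sees once a packet has entered a GRE tunnel:
    the inner packet (EIGRP hello, LAN traffic, ...) is hidden; only the outer
    GRE header between the tunnel endpoints is visible to the crypto map."""
    return ("gre", tunnel_src, tunnel_dst)


# --- the thread's configuration ----------------------------------------------
# access-list 101 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
ACL_101 = [permit("ip", "10.10.0.0", "0.0.0.255", "10.20.0.0", "0.0.0.255")]
R1_SERIAL, R2_SERIAL = "192.168.10.1", "192.168.10.2"
EIGRP_MCAST = "224.0.0.10"   # EIGRP hellos are sent to this well-known group


def thread_config() -> dict[str, bool]:
    """Which traffic ACL 101 actually protects on the leased line."""
    return {
        # EIGRP hello from R1's serial interface: not in ACL 101 -> clear text
        "eigrp_hello": is_protected(ACL_101, "eigrp", R1_SERIAL, EIGRP_MCAST),
        # unicast EIGRP update/ack between the serial addresses: also clear text
        "eigrp_unicast": is_protected(ACL_101, "eigrp", R1_SERIAL, R2_SERIAL),
        # host on R1's LAN talking to a host on R2's LAN: matches -> encrypted
        "lan_to_lan": is_protected(ACL_101, "tcp", "10.10.0.5", "10.20.0.7"),
    }


# --- assumed GRE-over-IPsec variant -----------------------------------------
# Tunnel0 sourced from s0/0 on each router; crypto ACL matches the GRE flow only
# (assumed line: 'permit gre host 192.168.10.1 host 192.168.10.2').
ACL_GRE = [permit("gre", R1_SERIAL, "0.0.0.0", R2_SERIAL, "0.0.0.0")]


def gre_over_ipsec() -> dict[str, bool]:
    """With EIGRP running on Tunnel0, its hellos reach the crypto map as GRE
    between the tunnel endpoints, so the GRE-only ACL protects them; LAN
    traffic routed into the tunnel is protected the same way."""
    outer = gre_encapsulate(R1_SERIAL, R2_SERIAL)
    return {
        "eigrp_hello_in_tunnel": is_protected(ACL_GRE, *outer),
        "lan_to_lan_in_tunnel": is_protected(ACL_GRE, *outer),
        # the same hello sent natively on s0/0 (no tunnel) would still be clear
        "eigrp_hello_native": is_protected(ACL_GRE, "eigrp", R1_SERIAL, EIGRP_MCAST),
    }


if __name__ == "__main__":
    for name, result in {**thread_config(), **gre_over_ipsec()}.items():
        print(f"{name:24s} {'encrypted' if result else 'CLEAR TEXT'}")
```

Run as written, every EIGRP packet sourced from the serial interface comes out as clear text under ACL 101 while LAN-to-LAN traffic is encrypted, which is Jon's point that the peering has nothing to do with the tunnel and also shows that the routing updates themselves are unprotected on the line. In the GRE variant the hellos leave s0/0 inside GRE between the tunnel endpoints, which the GRE-only ACL matches; that is why, once everything is routed through the tunnel, the internal networks need not appear in the crypto ACL, exactly as John says.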

mohammady Tue, 11/04/2008 - 14:58

**So the routing protocol works over the leased line without the VPN, and the traffic that I'm interested in encrypting will be sent over the IPsec VPN....

**j.blakley, the VPN is up and working; I verified that using the different commands....

**For GRE over IPsec I see some examples on the Cisco site that apply crypto on the tunnel & physical interface???

Jon Marshall Tue, 11/04/2008 - 15:02

"**So the routing protocol works over the leased line without the VPN, and the traffic that I'm interested in encrypting will be sent over the IPsec VPN...."

Yes, exactly. But then if you are securing the data with a VPN tunnel for security reasons, do you need to secure EIGRP updates as well?

If so, run GRE as suggested by John. If not, you can either

1) run EIGRP as it is now

2) not run EIGRP at all, i.e. remove the 192.168.x.x network statement from under the router eigrp config.

Note that you don't need a route for the interesting traffic of your VPN, so if this is all that is going down the leased line you may not need a dynamic routing protocol.


Jon

John Blakley Wed, 11/05/2008 - 06:42

You need to apply the crypto map on your serial interface. The tunnel interfaces are virtual.


--John
