GRE IPsec + eigrp question

Unanswered Question
Nov 14th, 2008


I have two sites (Site A and Site B); we are using a leased line to connect both sites. I would like to encrypt my data for security reasons. I am running EIGRP between both sites.

How can I accomplish this task?


Richard Burts Fri, 11/14/2008 - 12:45


If you want to encrypt the data for security reasons then you want to run an IPSec VPN over the links and IPSec (with ESP) will provide the encryption. If you run the IPSec with GRE then you can run EIGRP over the tunnel and have the advantages of a dynamic routing protocol along with IPSec.

I would suggest that first you set up the GRE tunnel and get it working (configure the tunnel interface, specify the tunnel source, the tunnel destination, and put IP addresses on the tunnel interface). Then enable EIGRP to run over the tunnel (just put a network statement in EIGRP that includes the IP subnet of the tunnel). The issue to watch out for here is to be sure that the tunnel source or destination are not advertised by EIGRP, because that leads to a problem with recursion. Once you get the tunnel working ok with EIGRP, then configure IPSec. In configuring the IPSec, the access list for interesting traffic to be protected by IPSec is just to permit the GRE traffic.

I have configured this type of thing quite a few times and it works well.
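The three steps above as one Site A configuration. This is an added example written for this thread, not Rick's or the poster's config; all addresses are constructed (RFC 5737 documentation ranges for the WAN, a /30 from 10.255.0.0 for the tunnel, 10.1.0.0/16 as a hypothetical Site A LAN) and the pre-shared key is a placeholder.

```ios
! Site A - constructed example, replace every address and the PSK
!
! Step 3 (IPSec): ISAKMP policy and pre-shared key for the Site B peer
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 198.51.100.2
!
! ESP with AES-256 encryption and SHA-1 integrity; transport mode is
! enough because GRE already supplies the outer tunnel header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! "Interesting traffic" is only the GRE packets between the two
! tunnel endpoints, exactly as the answer above describes
ip access-list extended GRE-TO-SITE-B
 permit gre host 192.0.2.2 host 198.51.100.2
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-TO-SITE-B
!
! Step 1 (GRE): tunnel endpoints are the WAN addresses
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 198.51.100.2
!
interface GigabitEthernet2/21
 ip address 192.0.2.2 255.255.255.252
 crypto map SITE-B
!
! Step 2 (EIGRP): advertise the tunnel subnet and the LAN only.
! The WAN /30 and the peer address are deliberately NOT covered by a
! network statement, and there is no "redistribute static", so the
! tunnel destination can never be learned through the tunnel itself
router eigrp 1
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Reachability to the tunnel destination stays independent of EIGRP
ip route 198.51.100.2 255.255.255.255 192.0.2.1
```

Site B mirrors this with the addresses swapped. After applying it, "show ip eigrp neighbors" should list the Site B tunnel address and "show crypto ipsec sa" should show encrypt/decrypt counters rising for the GRE-TO-SITE-B ACL.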



Leonardo A Pena... Fri, 11/14/2008 - 12:52

Hi Rick, thanks for your response. Can you post an example of this config for me, please?

Thanks a lot

Leonardo A Pena... Fri, 11/14/2008 - 13:05

Hi, I have the following:

interface Tunnel1
 ip address
 tunnel source GigabitEthernet2/21
 tunnel destination

On my EIGRP I have this:

router eigrp 1
 redistribute static

 no auto-summary

Is that correct?


Richard Burts Fri, 11/14/2008 - 13:17


There is a problem with this. In particular the EIGRP network statement for network indicates that the tunnel destination might be advertised by EIGRP. The router needs to know how to get to the tunnel destination independent of the EIGRP. So I suggest that you remove network You would want a network statement for so that EIGRP will become active on the tunnel.

The router needs to know how to get to If it will know that from a static route then the redistribute static under router EIGRP is problematic. You would need a distribute list or some other filter to prevent from being redistributed into EIGRP.



