GRE IPsec + eigrp question

Nov 14th, 2008
Hi

I have two sites (Site A and Site B) and we are using a leased line to connect both sites. I would like to encrypt my data for security reasons. I am running EIGRP between both sites.

How can I accomplish this task?

Thanks

Richard Burts Fri, 11/14/2008 - 12:45
Leonardo


If you want to encrypt the data for security reasons then you want to run an IPSec VPN over the links and IPSec (with ESP) will provide the encryption. If you run the IPSec with GRE then you can run EIGRP over the tunnel and have the advantages of a dynamic routing protocol along with IPSec.


I would suggest that first you set up the GRE tunnel and get it working (configure the tunnel interface, specify the tunnel source, the tunnel destination, and put IP addresses on the tunnel interface). Then enable EIGRP to run over the tunnel (just put a network statement in EIGRP that includes the IP subnet of the tunnel). The issue to watch out for here is to be sure that the tunnel source or destination are not advertised by EIGRP because that leads to a problem with recursion. Once you get the tunnel working ok with EIGRP then configure IPSec. In configuring the IPSec the access list for interesting traffic to be protected by IPSec is just to permit the GRE traffic.


I have configured this type of thing quite a few times and it works well.


HTH


Rick

Leonardo A Pena... Fri, 11/14/2008 - 12:52
Hi Rick, thanks for your response. Can you post an example of this config for me, please?

Thanks a lot

Leonardo A Pena... Fri, 11/14/2008 - 13:05
I have the following:

interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 10.75.48.81

On my EIGRP I have this:

router eigrp 1
 redistribute static
 network 10.75.48.80 0.0.0.3
 ...
 no auto-summary


Is that correct?

Thanks




Richard Burts Fri, 11/14/2008 - 13:17
Leonardo


There is a problem with this. In particular the EIGRP network statement for network 10.75.48.80 0.0.0.3 indicates that the tunnel destination might be advertised by EIGRP. The router needs to know how to get to the tunnel destination independent of the EIGRP. So I suggest that you remove network 10.75.48.80 0.0.0.3. You would want a network statement for 1.1.1.0/30 so that EIGRP will become active on the tunnel.


The router needs to know how to get to 10.75.48.81. If it will know that from a static route then the redistribute static under router EIGRP is problematic. You would need a distribute list or some other filter to prevent 10.75.48.80 0.0.0.3 from being redistributed into EIGRP.

HTH


Rick
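
The steps Rick describes, written out as a Site A configuration. This is an added example, not a config posted by anyone in the thread. Assumptions: the local address on GigabitEthernet2/21 is 10.75.48.82, the platform supports IPsec crypto maps, and the crypto parameters, object names, ACL number and key placeholder are illustrative choices.

```ios
! Added example (not from the thread). Assumed: local address 10.75.48.82,
! crypto parameters, object names, ACL number 10, pre-shared key placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 10.75.48.81
!
! ESP provides the encryption; transport mode because GRE already encapsulates
crypto ipsec transform-set GRE-ESP esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is only the GRE between the two tunnel endpoints
ip access-list extended GRE-ONLY
 permit gre host 10.75.48.82 host 10.75.48.81
!
crypto map GRE-IPSEC 10 ipsec-isakmp
 set peer 10.75.48.81
 set transform-set GRE-ESP
 match address GRE-ONLY
!
interface GigabitEthernet2/21
 crypto map GRE-IPSEC
!
interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 10.75.48.81
!
! Keep the tunnel endpoint subnet out of EIGRP to avoid recursive routing
access-list 10 deny 10.75.48.80 0.0.0.3
access-list 10 permit any
!
router eigrp 1
 ! EIGRP runs on the tunnel subnet, not on 10.75.48.80/30
 network 1.1.1.0 0.0.0.3
 redistribute static
 distribute-list 10 out static
 no auto-summary
```

Site B mirrors this with the addresses swapped. Once both ends are up, `show ip eigrp neighbors` should list the peer on Tunnel1, and the encaps/decaps counters in `show crypto ipsec sa` should increase as traffic crosses the tunnel.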
