GRE IPsec + eigrp question

Unanswered Question
Nov 14th, 2008

Hi

I have two sites (Site A and Site B) and we are using a leased line to connect both sites. I would like to encrypt my data for security reasons. I am running EIGRP between both sites.

How can I accomplish this task?

Thanks

Richard Burts Fri, 11/14/2008 - 12:45

Leonardo

If you want to encrypt the data for security reasons then you want to run an IPsec VPN over the links, and IPsec (with ESP) will provide the encryption. If you run the IPsec with GRE then you can run EIGRP over the tunnel and have the advantages of a dynamic routing protocol along with IPsec.

I would suggest that first you set up the GRE tunnel and get it working (configure the tunnel interface, specify the tunnel source, the tunnel destination, and put IP addresses on the tunnel interface). Then enable EIGRP to run over the tunnel (just put a network statement in EIGRP that includes the IP subnet of the tunnel). The issue to watch out for here is to be sure that the tunnel source or destination is not advertised by EIGRP, because that leads to a problem with recursion. Once you get the tunnel working OK with EIGRP, then configure IPsec. In configuring the IPsec, the access list for interesting traffic to be protected by IPsec just needs to permit the GRE traffic.

I have configured this type of thing quite a few times and it works well.

HTH

Rick

Leonardo A Pena... Fri, 11/14/2008 - 12:52

Hi Rick, thanks for your response. Can you post an example of this config for me, please?

Thanks a lot

Leonardo A Pena... Fri, 11/14/2008 - 13:05

Hi, I have the following:

interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 10.75.48.81

On my EIGRP I have this:

router eigrp 1
 redistribute static
 network 10.75.48.80 0.0.0.3
 ...
 no auto-summary

Is that correct?

Thanks

Richard Burts Fri, 11/14/2008 - 13:17

Leonardo

There is a problem with this. In particular, the EIGRP network statement for network 10.75.48.80 0.0.0.3 indicates that the tunnel destination might be advertised by EIGRP. The router needs to know how to get to the tunnel destination independently of EIGRP. So I suggest that you remove network 10.75.48.80 0.0.0.3. You would want a network statement for 1.1.1.0/30 so that EIGRP will become active on the tunnel.

The router needs to know how to get to 10.75.48.81. If it will know that from a static route, then the redistribute static under router EIGRP is problematic. You would need a distribute-list or some other filter to prevent 10.75.48.80 0.0.0.3 from being redistributed into EIGRP.

HTH

Rick
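The following is an added worked example of the design Rick describes in both of his replies (GRE tunnel first, EIGRP over the tunnel subnet only, then IPsec whose interesting-traffic ACL matches just the GRE packets, with the tunnel endpoints kept out of EIGRP). It is not configuration from the original thread or from Cisco; it reuses Leonardo's addressing (tunnel 1.1.1.0/30, leased-line /30 10.75.48.80/30 with .81 at Site A and .82 at Site B) and assumes, as placeholders, the interface names, the LAN subnets 192.168.1.0/24 and 192.168.2.0/24, the EIGRP key chain and the pre-shared key. Only Site A is shown in full; Site B is the mirror image with the addresses swapped.

```cisco
! ===== Site A (assumed: WAN Gi0/0 = 10.75.48.81, LAN Gi0/1 = 192.168.1.0/24) =====
!
! --- Step 1: GRE tunnel. Source/destination are the leased-line addresses.
interface GigabitEthernet0/0
 description Leased line to Site B
 ip address 10.75.48.81 255.255.255.252
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.252
 ! GRE + ESP overhead: lower the tunnel MTU/MSS so large packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! EIGRP MD5 authentication so a rogue peer cannot inject routes into the tunnel
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
 tunnel source GigabitEthernet0/0
 tunnel destination 10.75.48.82
!
key chain EIGRP-KEYS
 key 1
  key-string <replace-with-eigrp-key>
!
! --- Step 2: EIGRP only on the tunnel subnet and the LAN. The leased-line /30
! (10.75.48.80/30) is deliberately absent from the network statements so the
! tunnel destination is never learned through the tunnel itself (recursion),
! and the adjacency forms only over the encrypted path, not over the bare line.
router eigrp 1
 network 1.1.1.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 ! Kept from the posted config; the distribute-list below keeps any static
 ! covering the tunnel endpoints out of EIGRP, as suggested in the thread.
 redistribute static metric 1000 100 255 1 1500
 distribute-list NO-WAN-IN-EIGRP out
 no auto-summary
!
ip access-list standard NO-WAN-IN-EIGRP
 deny   10.75.48.80 0.0.0.3
 permit any
!
! --- Step 3: IPsec. Interesting traffic is just GRE between the two endpoints.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <replace-with-strong-psk> address 10.75.48.82
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 ! Transport mode is enough: the GRE header already carries the real endpoints.
 mode transport
!
ip access-list extended GRE-TO-SITE-B
 permit gre host 10.75.48.81 host 10.75.48.82
!
crypto map WAN-MAP 10 ipsec-isakmp
 set peer 10.75.48.82
 set transform-set GRE-TS
 match address GRE-TO-SITE-B
!
! The crypto map is applied to the physical interface, not to the tunnel.
interface GigabitEthernet0/0
 crypto map WAN-MAP
!
! ===== Site B differs only in these values (assumed mirror of Site A) =====
! Gi0/0 10.75.48.82/30, Tunnel1 1.1.1.2/30 with tunnel destination 10.75.48.81,
! network 192.168.2.0 0.0.0.255, isakmp key / set peer / ACL pointing at 10.75.48.81.
```

To confirm the order of operations Rick recommends, check each layer before adding the next: after step 1 the tunnel should be up/up and 1.1.1.2 should answer a ping from Site A; after step 2 `show ip eigrp neighbors` should list 1.1.1.2 on Tunnel1 (and nothing on Gi0/0), with the remote LAN in `show ip route` via Tunnel1 while 10.75.48.80/30 remains a connected route; after step 3 `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters rising as EIGRP hellos flow. Because only GRE is matched by the crypto ACL, anything that somehow routes over the leased line outside the tunnel would go in the clear, which is exactly why the leased-line subnet is kept out of EIGRP.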
