11-14-2008 12:14 PM - edited 03-04-2019 12:20 AM
Hi
I have two sites (Site A and Site B); we are using a leased line to connect both sites. I would like to encrypt my data for security reasons. I am running EIGRP between both sites.
How can I accomplish this task?
Thanks
11-14-2008 12:45 PM
Leonardo
If you want to encrypt the data for security reasons then you want to run an IPSec VPN over the links and IPSec (with ESP) will provide the encryption. If you run the IPSec with GRE then you can run EIGRP over the tunnel and have the advantages of a dynamic routing protocol along with IPSec.
I would suggest that first you set up the GRE tunnel and get it working (configure the tunnel interface, specify the tunnel source, the tunnel destination, and put IP addresses on the tunnel interface). Then enable EIGRP to run over the tunnel (just put a network statement in EIGRP that includes the IP subnet of the tunnel). The issue to watch out for here is to be sure that the tunnel source or destination are not advertised by EIGRP because that leads to a problem with recursion. Once you get the tunnel working ok with EIGRP then configure IPSec. In configuring the IPSec the access list for interesting traffic to be protected by IPSec is just to permit the GRE traffic.
I have configured this type of thing quite a few times and it works well.
HTH
Rick
11-14-2008 12:52 PM
Hi Rick, thanks for your response. Can you post me an example of this config, please?
Thanks a lot
11-14-2008 01:05 PM
Hi, I have the following:
interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 10.75.48.81
On my EIGRP I have this:
router eigrp 1
 redistribute static
 network 10.75.48.80 0.0.0.3
 ...
 no auto-summary
Is that correct?
Thanks
11-14-2008 01:17 PM
Leonardo
There is a problem with this. In particular the EIGRP network statement for network 10.75.48.80 0.0.0.3 indicates that the tunnel destination might be advertised by EIGRP. The router needs to know how to get to the tunnel destination independent of the EIGRP. So I suggest that you remove network 10.75.48.80 0.0.0.3. You would want a network statement for 1.1.1.0/30 so that EIGRP will become active on the tunnel.
The router needs to know how to get to 10.75.48.81. If it will know that from a static route then the redistribute static under router EIGRP is problematic. You would need a distribute list or some other filter to prevent 10.75.48.80 0.0.0.3 from being redistributed into EIGRP.
HTH
Rick
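An added example, not part of the original thread and not posted by either participant: a Site A configuration that follows the steps Rick describes (GRE tunnel, EIGRP enabled on the tunnel subnet only, IPSec with ESP protecting only the GRE traffic). The local leased-line address 10.75.48.82, the assumption that GigabitEthernet2/21 is the routed interface on the leased line, the names GRE-ESP and GRE-MAP, the ACL numbers, and the key placeholder are all assumptions; Site B mirrors this with the addresses swapped.

```cisco
! Site A - constructed example; addresses other than those in the thread are assumed
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret shared with Site B
crypto isakmp key <PRE-SHARED-KEY> address 10.75.48.81
!
! ESP provides the encryption; transport mode because GRE already encapsulates
crypto ipsec transform-set GRE-ESP esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is just the GRE between the two tunnel endpoints
access-list 101 permit gre host 10.75.48.82 host 10.75.48.81
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 10.75.48.81
 set transform-set GRE-ESP
 match address 101
!
interface Tunnel1
 ip address 1.1.1.2 255.255.255.252
 tunnel source GigabitEthernet2/21
 tunnel destination 10.75.48.81
!
interface GigabitEthernet2/21
 crypto map GRE-MAP
!
! Keep the leased-line /30 out of EIGRP so the tunnel destination is never
! learned through the tunnel itself (the recursion problem)
access-list 10 deny   10.75.48.80 0.0.0.3
access-list 10 permit any
!
router eigrp 1
 redistribute static
 distribute-list 10 out static
 network 1.1.1.0 0.0.0.3
 ! LAN network statements elided in the thread are not reproduced here
 no auto-summary
```

After applying it, `show crypto ipsec sa` should show encaps/decaps counters increasing while `show ip eigrp neighbors` lists the peer on Tunnel1.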