Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
0
Helpful
4
Replies

GRE IPsec + eigrp question

Leonardo Pena Davila
Spotlight
Spotlight

‎11-14-2008 12:14 PM - edited ‎03-04-2019 12:20 AM

Hi

I have to sites (Site A Site B) we are using leased line to connect both sites. I would like to encrypt my data for security reasons. I am running eigrp between both sites.

How can I accomplish this task?

Thanks

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎11-14-2008 12:45 PM

Leonardo

If you want to encrypt the data for security reasons then you want to run an IPSec VPN over the links and IPSec (with ESP) will provide the encryption. If you run the IPSec with GRE then you can run EIGRP over the tunnel and have the advantages of a dynamic routing protocol along with IPSec.

I would suggest that first you set up the GRE tunnel and get it working (configure the tunnel interface, specify the tunnel source, the tunnel destination, and put IP addresses on the tunnel interface). Then enable EIGRP to run over the tunnel (just put a network statement in EIGRP that incldes the IP subnet of the tunnel. The issue to watch out for here is to be sure that the tunnel source or destination are not advertised by EIGRP because that leads to a problem with recursion. Once you get the tunnel working ok with EIGRP then configure IPSec. In configuring the IPSec the access list for interesting traffic to be protected by IPSec is just to permit the GRE traffic.

I have configured this type of thing quite a few times and it works well.

HTH

Rick

HTH

Rick
0 Helpful

Leonardo Pena Davila
Spotlight
Spotlight
In response to Richard Burts

‎11-14-2008 12:52 PM

Hi rick thanks for your response, can you post to me an example of this config please?

Thanks a lot

0 Helpful

Leonardo Pena Davila
Spotlight
Spotlight

‎11-14-2008 01:05 PM

Hi have the following

interface Tunnel1

ip address 1.1.1.2 255.255.255.252

tunnel source GigabitEthernet2/21

tunnel destination 10.75.48.81

On my eigrp I have this

router eigrp 1

redistribute static

network 10.75.48.80 0.0.0.3

...

no auto-summary

Is that correct?

Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Leonardo Pena Davila

‎11-14-2008 01:17 PM

Leonardo

There is a problem with this. In particular the EIGRP network statement for network 10.75.48.80 0.0.0.3 indicates that the tunnel destination might be advertised by EIGRP. The router needs to know how to get to the tunnel destination independent of the EIGRP. So I suggest that you remove network 10.75.48.80 0.0.0.3. You would want a network statement for 1.1.1.0/30 so that EIGRP will become active on the tunnel.

The router needs to know how to get to 10.75.48.81. If it will know that from a static route then the redistribute static under router EIGRP is problematic. You would need a distribute list or some other filter to prevent 10.75.48.80 0.0.0.3 from being redistributed into EIGRP.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card