EIGRP thru site-to-site IPSec VPN

Answered Question
Apr 15th, 2010

having trouble getting EIGRP to work through a IOS (2ea. 2811s) site to site IPSec VPN peer connection.  IPSec VPN is working with tunneled static route statements.  Using the basic IPSec policy and VTI interface:

crypto isakmp policy 1

authentication pre-share

group 2

crypto isakmp key "  " address 192.168.x.66


crypto ipsec transform-set vpn esp-3des esp-sha-hmac

crypto ipsec df-bit set


crypto map static-crypt 6 ipsec-isakmp

set peer 192.168.x.66

set transform-set vpn

match address 101


interface tunnel1

ip address 1xx.33.20.226

no ip redirects

ip mtu 1400

ip tcp adjust-mss 1360

qos pre-classify

tunnel source FastEthernet 0/0

tunnel destination 192.168.x.66

crypto map static-crypto


interface FastEthernet 0/0

ip add....

crypto map static-crypto


router eigrp 10

passive-interface default

no passive-interface FastEthernet 0/1

no passive-interface Tunnel1

network ....


no auto-summary


ip route Tunnel1

ip route <-- peer's default-gateway is VPN peer router on other side of satelite conection.

must be something simple, but I don't see it.

thanks, kevin

I have this problem too.
0 votes
Correct Answer by droeun141 about 6 years 6 months ago

Not familiar with VTI's, but I think you're missing:

tunnel mode ipsec ipv4

tunnel protection ipsec profile

Also don't think you need crypto map on tunnel since it's already on fa0/0.  What does access-list 101 look like? Take a look at this doc:


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)


This Discussion