I've always been under the impression that plain IPsec only passes IP unicast traffic through the tunnel.
When I've needed to pass non-unicast or non-IP traffic, I've created an IPsec with GRE or VTI.
But, I am currently at a customer's site where all the EIGRP routes are being exchanged between two sites that communicate across a single plain IPsec tunnel.
I've added/modified/deleted routes on both sides, and the changes reflect on the other's routing table.
The neighbors are not statically configured on the router; the EIGRP configuration is just "no auto-summary" and then "network 172.16.0.0".
My question is...
How come all the EIGRP traffic is passing through the tunnel with no problems?
Both are 2811s running 12.4(18)
Thank you for any help!
I do indeed believe that this is the case. It is pretty clear from the additional information that you posted that these two routers are directly connected (in this case connected via FastEthernet) and that the connecting interfaces are running EIGRP, so the EIGRP HELLOs are sent out the FastEthernet interfaces. The access list does not have permits for EIGRP so there is no effort to encrypt the HELLOs and they are sent in the clear. So the routers become neighbors and the EIGRP updates are sent over the FastEthernet interfaces. The data traffic to the destinations that are learned is sent over the FastEthernet interfaces and when the data traffic matches the access list then it is encrypted by IPSec.
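The behaviour described in the answer can be reproduced offline. The Python below is an added example, not part of the original thread: it evaluates a crypto ACL first-match style and reports which packets IPsec would protect. The ACL entries, the 172.16.0.x FastEthernet addresses and the LAN subnets are constructed assumptions, because the thread does not show the real configuration.

```python
import ipaddress

# Constructed crypto ACL (assumption: LAN-to-LAN permits only, no EIGRP entry).
CRYPTO_ACL = """\
permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
"""

# IP protocol numbers; "ip" matches any protocol.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88}

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse '<action> <proto> <src> <wildcard> <dst> <wildcard>' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # this sketch handles only the address/wildcard form
        action, proto, src, swild, dst, dwild = fields
        entries.append((action, PROTO[proto],
                        (_to_int(src), _to_int(swild)),
                        (_to_int(dst), _to_int(dwild))))
    return entries

def _match(ip, addr_wild):
    addr, wild = addr_wild
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_to_int(ip) & care) == (addr & care)

def disposition(acl, proto, src, dst):
    """'encrypt' if the first matching entry is a permit, otherwise 'clear'."""
    for action, acl_proto, s, d in acl:
        if acl_proto in (None, proto) and _match(src, s) and _match(dst, d):
            return "encrypt" if action == "permit" else "clear"
    return "clear"  # no match: outbound packet is forwarded unencrypted

ACL = parse_acl(CRYPTO_ACL)

# Constructed sample packets: (description, IP protocol, source, destination).
PACKETS = [
    ("EIGRP hello (multicast)", 88, "172.16.0.1", "224.0.0.10"),
    ("EIGRP update (unicast to neighbor)", 88, "172.16.0.1", "172.16.0.2"),
    ("LAN-to-LAN TCP data", 6, "172.16.1.5", "172.16.2.9"),
]

if __name__ == "__main__":
    for desc, proto, src, dst in PACKETS:
        print(f"{desc:36} {src:>12} -> {dst:<12} {disposition(ACL, proto, src, dst)}")
```

Running the same check against the real crypto ACL shows whether the routing adjacency depends on cleartext traffic on the directly connected link rather than on the tunnel.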