I have here a Hub 'n Spoke VPN topology between three Rtrs (where RtrB is the hub site). VPN tunnels are built between RtrB-RtrA and RtrB-RtrC, and EBGP peering is the same as the VPN topology (RtrB to RtrA and RtrB to RtrC). Now my problem: BGP comes up and the peers are sending/receiving the routes, but a connection between RtrA-RtrC is not possible, although the routes from the private LAN A are in RtrC's routing table. Is there an issue like Split-Horizon in VPN? Maybe it's not possible to route traffic on the hub site from one tunnel to the next tunnel. Many thanks in advance...
Actually, IPSec can be used to encrypt routing packets, and BGP is a protocol commonly used because it is unicast in nature and can work over multiple hops. There is some opinion that it is better to use BGP over IPSec than using BGP MD5 authentication, although I don't know if it is being used much at the provider level (suspect not, given performance overheads).
The reason that IPSec is incompatible with most interior protocols is that they are unicast/multicast (not supported by IPSec) and rely on the neighbor being directly attached. This is why GRE tunnels are commonly suggested as the solution. This also avoids the confusion that arises between the routing policy and crypto policy.
In a lot of different IOS versions, there were issues with same-interface switching and IPSec. It varies from IOS to IOS and model to model. One of the first things to try if this is happening to you is to turn off fast-switching on the relevant interfaces. Bear in mind that the more advanced features you try to combine on one router, the more likely you will find some issue. So if you're going to try to combine MPLS/CEF/IPSec/NAT/RPF/same-interface routing, be prepared to spend a lot of time talking to the TAC.