Cisco Support Community
New Member

EIGRP over IPSEC

Is it true that in order to run EIGRP over a site-to-site VPN, one must run GRE, because from what I read IPSEC doesn't support multiprotocol?

But then, my headquarters has a PIX Firewall, where I was thinking of terminating 8 IPSEC tunnels from the remote offices. What I read is that PIX Firewalls and VPN Concentrators don't support GRE. Are there any alternatives?

3 REPLIES
Cisco Employee

Re: EIGRP over IPSEC

You can terminate the IPsec tunnel on the PIX, but you still need to have a router behind the PIX to terminate the GRE tunnel.

Something similar to the sample configuration below:

http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html

Hope this helps,

-Nairi

New Member

Re: EIGRP over IPSEC

We build the GRE to the MSFCs on the 6500 inside the firewall. It works quite well, as the previous post mentioned.

New Member

Re: EIGRP over IPSEC

GRE is needed, as IPSec does not support the multicast needed for dynamic routing protocols such as EIGRP.

Depending on your remotes and routing plan, Reverse Route Injection (RRI) may be an option if you don't need to run "full" dynamic routing on both endpoints. RRI is available on IOS VPN Routers and the VPN3000 Concentrator.

Also, the PIX Firewall is OK as a site-to-site VPN head-end; however, an IOS VPN Router at the head-end more readily supports hub-and-spoke/site-to-site VPN topologies, especially when spoke-to-spoke traffic is required.
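
An added example, not part of any post in this thread and not taken from the linked Cisco document: a remote-office IOS router configuration for the design the replies describe, with IPsec ending on the headquarters PIX, GRE ending on a router behind it, and EIGRP running over the tunnel. Every address, name, the AS number and the crypto parameters are assumptions; the headquarters router carries the mirror-image Tunnel interface with no crypto configuration, and the PIX needs a matching policy and a matching GRE access list.

```ios
! Remote-office router. All values are constructed placeholders:
!   192.0.2.1   = PIX outside address (IPsec peer)
!   10.1.1.2    = HQ router behind the PIX (GRE endpoint)
!   10.2.255.1  = this router's loopback (GRE source)
!
! IKE and IPsec proposals must match a policy configured on the PIX
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
!
! Encrypt only the GRE packets between the two tunnel endpoints;
! EIGRP multicast rides inside GRE, so IPsec only ever sees unicast
access-list 110 permit gre host 10.2.255.1 host 10.1.1.2
!
crypto map TO-HQ 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 110
!
interface Loopback0
 ip address 10.2.255.1 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ! Leave room for the GRE and ESP headers
 ip mtu 1400
 tunnel source Loopback0
 tunnel destination 10.1.1.2
!
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.2 255.255.255.252
 crypto map TO-HQ
!
! Host route keeps the tunnel destination reachable outside the tunnel,
! so a route learned through EIGRP cannot cause recursive routing
ip route 10.1.1.2 255.255.255.255 203.0.113.1
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.2.0.0 0.0.0.255
 no auto-summary
```

Once both ends are up, `show crypto ipsec sa` should show the encaps/decaps counters rising and `show ip eigrp neighbors` should list the peer on Tunnel0; a neighbor that never forms while the counters stay at zero points to GRE traffic not matching access list 110.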
