EIGRP Between Two Networks

Islam Nadim
Level 1

Hello All,

I have a network built on GNS3 where I have a router that acts as a Crypto Gateway that connects to another router on a different remote network.

topo.png

This is one portion of the network. I have EIGRP Running on both, the VPN and LAN Routers. I have the same on the other side.

The other side exists on a physical remote network and the VPN Routers on both ends communicate with the public IPs. I can reach LAN-to-LAN.

BUT, I have to create a default route on the LAN routers, which I don't want to do. I want the EIGRP routes to traverse between the two VPN routers. Or at least, the VPN router sends a default route to the LAN router.

I actually prefer if it is possible to traverse the EIGRP Routes.


willwetherman
Spotlight

Hi Islam,

An IPSec tunnel only transmits/receives unicast IP traffic so EIGRP messages (OSPF as well) will not be communicated between your VPN routers via IPSec alone.

You will need to create a GRE tunnel between the VPN routers (or LAN routers depending on the requirement) which will allow EIGRP packets to be encapsulated and sent between devices allowing them to establish an EIGRP adjacency. Once EIGRP has established then you will be able to propagate the required routes between your LAN routers.

Thank you! I totally forgot about the GRE tunnels... I forgot how it was configured. Can you guide me? This is my current configuration:

VPN Router:


crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0/0
ip address 10.10.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.250 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
router eigrp 50
network 10.10.2.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.10.4.0 255.255.255.0 ! This is done to overcome the routing issue
!
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255
permit ip 10.10.0.0 0.0.255.255 any
!
access-list 25 permit 10.10.0.0 0.0.255.255
!
line vty 0 4
access-class 25 in
login local

LAN Router:

interface FastEthernet0/0
ip address 10.10.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 50
network 10.10.2.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
access-list 25 permit 10.10.0.0 0.0.255.255
!
line vty 0 4
login local

Best Regards,
Islam M. Nadim.

Hi Islam,

Example configs below assuming GRE between the VPN routers. New config in bold

VPN Router 1:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer
set transform-set TS
match address VPN-TRAFFIC
!

interface loopback 0

ip address 10.1.1.2 255.255.255.255

!

interface tunnel 0

ip address 10.10.24.1 255.255.255.0

tunnel source loopback 0

tunnel destination 10.1.1.4

!
interface FastEthernet0/0

description LAN
ip address 10.10.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN

ip address 192.168.1.250 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
router eigrp 50
network 10.10.2.0 0.0.0.255
network 10.10.24.0 0.0.0.255

no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip access-list extended VPN-TRAFFIC
permit gre host 10.1.1.2 host 10.1.1.4

VPN Router 2:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer
set transform-set TS
match address VPN-TRAFFIC
!

interface loopback 0

ip address 10.1.1.4 255.255.255.255

!

interface tunnel 0

ip address 10.10.24.2 255.255.255.0

tunnel source loopback 0

tunnel destination 10.1.1.2

!
interface FastEthernet0/0

description LAN
ip address 10.10.4.1 255.255.255.0

duplex auto
speed auto
!
interface FastEthernet0/1

description WAN
ip address
duplex auto
speed auto
crypto map CMAP
!
router eigrp 50
network 10.10.4.0 0.0.0.255
network 10.10.24.0 0.0.0.255

no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0

!
!
ip access-list extended VPN-TRAFFIC
permit gre host 10.1.1.4 host 10.1.1.2

Hello willwetherman,

Apologies for the late reply. As per your updated config, will the data traffic pass between the routers, or shall I permit it in the access list?

ip access-list extended VPN-TRAFFIC

permit ip host 10.1.1.4 host 10.1.1.2

Hi Islam,

The data traffic will be encapsulated by GRE before encryption so you do not need to match the data traffic in the crypto access list.

Will
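
The crypto ACL behaviour discussed in this thread, as an added example (not part of the original posts and not Cisco code): a simplified first-match model of the two VPN-TRAFFIC access lists from VPN Router 1, showing why an EIGRP hello is never selected for IPsec on its own while both the hello and LAN data are selected once GRE wraps them. The sample packets and the hosts 10.10.2.50 and 10.10.4.50 are constructed for illustration.

```python
import ipaddress

PROTO = {"ip": None, "gre": 47}  # None matches any IP protocol

def _addr(tokens):
    """Consume one ACL address spec; return (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _hit(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def crypto_match(acl, proto, src, dst):
    """First-match evaluation; True means the packet is selected for IPsec."""
    for line in acl:
        tokens = line.split()
        action, p = tokens.pop(0), PROTO[tokens.pop(0)]
        s, d = _addr(tokens), _addr(tokens)
        if p in (None, proto) and _hit(s, src) and _hit(d, dst):
            return action == "permit"
    return False  # implicit deny: not protected by the crypto map

def gre_encap(inner, tunnel_src="10.1.1.2", tunnel_dst="10.1.1.4"):
    """Outer header the crypto map sees once a packet is routed into Tunnel0."""
    return 47, tunnel_src, tunnel_dst  # inner addresses and protocol are hidden

ORIGINAL_ACL = ["permit ip 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255",
                "permit ip 10.10.0.0 0.0.255.255 any"]
GRE_ACL = ["permit gre host 10.1.1.2 host 10.1.1.4"]
# Constructed sample packets: (IP protocol number, source, destination)
EIGRP_HELLO_WAN = (88, "192.168.1.250", "224.0.0.10")
EIGRP_HELLO_TUN = (88, "10.10.24.1", "224.0.0.10")
LAN_DATA = (6, "10.10.2.50", "10.10.4.50")

def report():
    return {
        "eigrp_hello_plain_ipsec": crypto_match(ORIGINAL_ACL, *EIGRP_HELLO_WAN),
        "eigrp_hello_inner_only": crypto_match(GRE_ACL, *EIGRP_HELLO_TUN),
        "eigrp_hello_over_gre": crypto_match(GRE_ACL, *gre_encap(EIGRP_HELLO_TUN)),
        "lan_data_over_gre": crypto_match(GRE_ACL, *gre_encap(LAN_DATA)),
    }

if __name__ == "__main__":
    print(report())
```

Because the crypto map only ever sees the GRE outer header, a change to what is routed into Tunnel0 (for example a new EIGRP-learned prefix) also changes what gets encrypted, without any edit to VPN-TRAFFIC.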
