Cisco Support Community
Community Member

Routing protocol over IPSEC question.

1) This example explained how routing protocol such as OSPF can't run over IPSEC.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

2) This example is showing OSPF running over IPSEC.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

Am I missing something?

2 REPLIES
Silver

Re: Routing protocol over IPSEC question.

Yes, you are missing something..

In example 2) OSPF is not running over IPSEC.. the crypto map is only looking at traffic matched by ACL 101, which is the traffic between the 11.11.11.11 and 22.22.22.22 IPs (the Loopback0s).

The OSPF traffic itself is NOT encrypted, therefore it's no problem... :)

You *can* however run BGP over IPSec if you want to...

Did it help? If so, please rate it.

Hall of Fame Super Gold

Re: Routing protocol over IPSEC question.

The interior routing protocols like OSPF and EIGRP or RIP use multicast or broadcast addressing for routing protocol traffic. Traditionally IPSec carries only unicast IP traffic. So we have not been able to run routing protocols over IPSec connections. The traditional solution has been to run IPSec with GRE which allows multicast and enables routing protocols. Cisco has introduced an enhancement in very recent code which enables running routing protocols over IPSec without needing GRE. If you are interested in this look for Virtual Tunnel Interface.

As a side note BGP runs over TCP and sends routing protocol traffic as unicast IP to specifically configured neighbors. This is why it has been possible to run BGP over IPSec. There is no dynamic neighbor discovery in BGP. One of the reasons that OSPF and EIGRP use multicast addressing is that it allows them to have dynamic neighbor discovery. And multicast addressing is the reason why they have not traditionally run over IPSec.

HTH

Rick
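
As an added example (not from the thread or the linked Cisco documents), the IOS configuration below contrasts the two cases the replies describe: a crypto map whose ACL selects only loopback-to-loopback traffic, so OSPF runs outside the tunnel unencrypted, and a Virtual Tunnel Interface where OSPF runs on the tunnel itself. The interface names, the 192.0.2.x and 10.0.0.x addresses, the names CMAP, TS and VTI-PROF and the key are placeholders, a direct link between the peers is assumed, and the ACL 101 line is assumed from the description in the first reply.

```cisco
! Shared IKE/IPsec settings (placeholder values)
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! --- Case A: crypto map, only traffic matched by ACL 101 is encrypted ---
! ACL 101 as described in the thread (exact line assumed)
access-list 101 permit ip host 11.11.11.11 host 22.22.22.22
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 101
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CMAP
router ospf 1
 network 192.0.2.0 0.0.0.3 area 0
 network 11.11.11.11 0.0.0.0 area 0
! OSPF hellos are IP protocol 89 sent to 224.0.0.5. They do not match
! ACL 101, so the adjacency forms over Serial0/0 in the clear.
!
! --- Case B: Virtual Tunnel Interface, OSPF runs inside IPsec ---
! (replaces the crypto map on Serial0/0 and the "router ospf 1" block of Case A)
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 11.11.11.11 0.0.0.0 area 0
! OSPF is enabled on Tunnel0 only, so hellos and LSAs are multicast onto
! the tunnel interface and leave Serial0/0 as ESP.
!
! Checks for Case B:
!   show ip ospf neighbor    -> neighbor is listed on Tunnel0
!   show crypto ipsec sa     -> encaps/decaps counters rise with each hello
```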
