Cisco Support Community

Routing protocol over IPSEC question.

1) This example explained how a routing protocol such as OSPF can't run over IPSEC.

2) This example is showing OSPF running over IPSEC.

Am I missing something?


Re: Routing protocol over IPSEC question.

Yes, you are missing something..

In example 2) OSPF is not running over IPSEC.. the crypto map is only looking at traffic matched by ACL 101, which is the traffic between the and IP's (Loopback0's).

The OSPF traffic itself is NOT encrypted, therefore it's no problem... :)

You *can* however run BGP over IPSec if you want to...

Did it help? If so, please rate it.


Re: Routing protocol over IPSEC question.

The interior routing protocols like OSPF and EIGRP or RIP use multicast or broadcast addressing for routing protocol traffic. Traditionally IPSec carries only unicast IP traffic. So we have not been able to run routing protocols over IPSec connections. The traditional solution has been to run IPSec with GRE which allows multicast and enables routing protocols. Cisco has introduced an enhancement in very recent code which enables running routing protocols over IPSec without needing GRE. If you are interested in this look for Virtual Tunnel Interface.

As a side note BGP runs over TCP and sends routing protocol traffic as unicast IP to specifically configured neighbors. This is why it has been possible to run BGP over IPSec. There is no dynamic neighbor discovery in BGP. One of the reasons that OSPF and EIGRP use multicast addressing is that it allows them to have dynamic neighbor discovery. And multicast addressing is the reason why they have not traditionally run over IPSec.
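
An added example, not part of the thread and not Cisco's code: a simplified Python model of the crypto ACL selection described in the two replies above. It shows that an OSPF hello sent to 224.0.0.5 never matches a loopback-to-loopback crypto ACL (so it leaves unencrypted), while the same hello wrapped in GRE matches a unicast GRE entry. All addresses, names and the ACL representation are constructed assumptions.

```python
# Added example: simplified model of crypto-map traffic selection (constructed data).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTO_TCP, PROTO_GRE, PROTO_OSPF = 6, 47, 89
ALL_SPF_ROUTERS = "224.0.0.5"  # multicast destination of OSPF hellos

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                        # IP protocol number
    inner: Optional["Packet"] = None  # payload when GRE-encapsulated

@dataclass(frozen=True)
class AclEntry:                       # one "permit" line of a crypto ACL
    proto: Optional[int]              # None models the "ip" keyword (any protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str

def _wild_match(addr: str, base: str, wild: str) -> bool:
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (int(IPv4Address(addr)) ^ int(IPv4Address(base))) & care == 0

def is_protected(pkt: Packet, crypto_acl: list) -> bool:
    """True if the crypto ACL selects the packet, i.e. it would be encrypted."""
    return any((e.proto is None or e.proto == pkt.proto)
               and _wild_match(pkt.src, e.src, e.src_wild)
               and _wild_match(pkt.dst, e.dst, e.dst_wild)
               for e in crypto_acl)

def gre_encap(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Wrap any packet, multicast included, in a unicast GRE packet."""
    return Packet(tunnel_src, tunnel_dst, PROTO_GRE, inner=pkt)

# Constructed topology: peers 192.0.2.1 / 192.0.2.2, loopbacks 10.0.0.1 / 10.0.0.2
LOOPBACK_ACL = [AclEntry(None, "10.0.0.1", "0.0.0.0", "10.0.0.2", "0.0.0.0")]
GRE_ACL = [AclEntry(PROTO_GRE, "192.0.2.1", "0.0.0.0", "192.0.2.2", "0.0.0.0")]
HELLO = Packet("192.0.2.1", ALL_SPF_ROUTERS, PROTO_OSPF)
DATA = Packet("10.0.0.1", "10.0.0.2", PROTO_TCP)

def audit() -> dict:
    wrapped = gre_encap(HELLO, "192.0.2.1", "192.0.2.2")
    return {"data/loopback-acl": is_protected(DATA, LOOPBACK_ACL),
            "hello/loopback-acl": is_protected(HELLO, LOOPBACK_ACL),
            "gre(hello)/gre-acl": is_protected(wrapped, GRE_ACL)}
```

Calling `audit()` returns, for each case, whether the packet would be selected for encryption; a `False` for routing-protocol traffic means it crosses the link in the clear.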


