Re: IPsec VPN question

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Sun, 31 Oct 2010 10:21:21 +0100

Hi,

IPsec does not support multicast traffic, so you cannot encrypt EIGRP
natively.
To solve that issue you must use a GRE tunnel between the two routers, enable
EIGRP on it and then specify GRE traffic in the crypto ACL (or use the tunnel
protection command on the tunnel).
Another solution would be to use DVTI (Dynamic Virtual Interface), which is
a tunnel interface with IPsec encapsulation.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2010/10/31 Naufal Jamal <naufalccie_at_yahoo.in>
> Hi,
> I am trying to make ipsec over eigrp. I am receiving the following error
> message. Can anyone tell me the possible cause for this please? Eigrp works
> fine otherwise.
>
> *Mar  1 00:21:27.563: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
>         (ip) dest_addr= 224.0.0.10, src_addr= 1.1.1.2, prot= 88
>
> Config:
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 500
> crypto isakmp key cisco address 1.1.1.2
> crypto ipsec transform-set TEST esp-aes
> !
> crypto map VPN 10 ipsec-isakmp
>  set peer 1.1.1.2
>  set transform-set TEST
>  match address 101
> interface FastEthernet0/0
>  ip address 1.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map VPN
> router eigrp 20
>  network 1.1.1.1 0.0.0.0
>  no auto-summary
> access-list 101 permit ip any any
>
> R2:
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 500
> crypto isakmp key cisco address 1.1.1.1
> crypto ipsec transform-set TEST esp-aes
> !
> crypto map VPN 10 ipsec-isakmp
>  set peer 1.1.1.1
>  set transform-set TEST
>  match address 101
> interface FastEthernet0/0
>  ip address 1.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map VPN
> !
> router eigrp 20
>  network 1.1.1.2 0.0.0.0
>  no auto-summary
> access-list 101 permit ip any any
>
> Thank you,
> Naufal Jamal
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Oct 31 2010 - 10:21:21 ART
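
Added example, not part of the original thread: a sketch of the GRE tunnel with the tunnel protection command that the reply describes, reusing the peers 1.1.1.1 / 1.1.1.2, transform-set name TEST and EIGRP AS 20 from the posted config. The tunnel subnet 10.0.0.0/30, the profile name GRE-PROT, the <pre-shared-key> placeholder and the choice of SHA for IKE hashing and ESP integrity are assumptions, not values from the posts.

```cisco
! ---- R1 ----
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 1.1.1.2
! esp-sha-hmac adds integrity protection; the posted transform-set had none
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TEST
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 ! encrypts the unicast GRE packets; no crypto map or crypto ACL is needed
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/0
 ! the crypto map with "permit ip any any" is no longer applied here
 ip address 1.1.1.1 255.255.255.0
!
router eigrp 20
 ! EIGRP hellos to 224.0.0.10 now travel inside GRE over Tunnel0
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
! ---- R2 (mirror of R1) ----
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 1.1.1.1
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TEST
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 20
 network 10.0.0.0 0.0.0.3
 no auto-summary
```

With this in place, show ip eigrp neighbors should list the peer on Tunnel0, and show crypto ipsec sa should show the encaps/decaps counters rising as hellos are exchanged.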

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART