Re: site to site vpn and routing protocol

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Sun, 9 Dec 2012 08:56:30 -0600

Can you show the output of sh IP EIGRP neigh?

Can you configure the interesting traffic for TCP traffic only in ACL 111?
You'll notice that the EIGRP isn't getting encrypted. It's peering outside of
the tunnel, and this ACL change will verify for you. Also, when you remove the
peer keys and the tunnel goes down, do you lose your EIGRP neighbor?

Great question, and a hard one to explain.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5

On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:

> I will share the topology here,
>
>
> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>
> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running
> 12.4 adv security. I configured the following on R1 and a replica on R2 (which I
> won't show since it will be just a repetition)
>
> R1
> crypto isakmp key 0 cisco address 10.0.0.2
> crypto isakmp policy 1
> auth pre-share
> encry des
> hash md5
> group 2
>
> access-list 111 permit ip any any
>
> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> crypto map R1toR2 10 ipsec-isakmp
> match address 111
> set peer 10.0.0.2
> set transform-set R1toR2
>
> interface Fastethernet 0/0
> ip address 10.0.0.1 255.255.255.0
> crypto map R1toR2
>
> router eigrp 1
> no auto
> network 10.0.0.0 0.0.0.255
>
> Now EIGRP successfully forms the neighborship; I can see the packets being
> encrypted/decrypted while there is no other communication than EIGRP. This is
> surprising for me since I remembered for sure that protocols didn't work over
> IPsec since IPsec has issues with multicast packets.
>
> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> Sent: Sunday, December 9, 2012 6:55 PM
> Subject: Re: site to site vpn and routing protocol
>
> You'll have to see how that's happening. Most likely the peering is going a
> different direction than you think (not over the tunnel). Type "show IP EIGRP
> neigh or OSPF neigh" and see what IP address and what route it's taking to get
> there.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
>> No, there are no tunnel interfaces; that's why I am surprised that
>> EIGRP/OSPF are able to run over IPsec.
>>
>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> Sent: Sunday, December 9, 2012 6:01 PM
>> Subject: Re: site to site vpn and routing protocol
>>
>> All you need is a L3 interface on each end for the adjacencies. That's why
>> GRE over IPSEC enables dynamic protocols.
>>
>> If you are peering over IPSEC, what L3 interfaces is it using? Is it going
>> over the tunnel for the peering?
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>>
>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>> > Hi all,
>> >
>> >
>> > I was under the impression that if I have 2 routers connected back to
>> > back and I run IPsec over it, routing protocols won't work. That was the main
>> > reason we use GRE. But now when I reconfigured it on GNS3 and on real routers
>> > (1841), I saw that neighbor adjacencies are working fine for all protocols. So
>> > it's a bit surprising for me
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
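As an added illustration of the diagnostic Jay proposes (this is not code from the thread): a crypto map only protects traffic that `match address 111` selects, so an EIGRP hello (IP protocol 88, sent to 224.0.0.10) is selected by `permit ip any any` but not by a TCP-only ACE, and with the TCP-only ACL it would have to reach the neighbor outside the IPsec SA. The small IOS-style ACL matcher, the packet model and the sample packets below are my own constructed assumptions, not IOS behaviour verified on the routers in the thread.

```python
import ipaddress
from dataclasses import dataclass

# IP protocol numbers used below (EIGRP rides directly on IP as protocol 88).
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "eigrp": 88, "esp": 50}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))  # wildcard -> netmask
    return ipaddress.ip_network((tok, netmask), strict=False)


def crypto_acl_selects(acl, pkt):
    """True if the crypto ACL ('match address') selects pkt for IPsec.
    First matching ACE wins; no match (implicit deny) means the packet is sent in the clear."""
    for line in acl:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACE: " + line)
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        if proto != "ip" and PROTO[proto] != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) in src and ipaddress.ip_address(pkt.dst) in dst:
            return action == "permit"
    return False


# Constructed traffic: an EIGRP hello from R1 to the EIGRP multicast group, and a TCP segment R1->R2.
EIGRP_HELLO = Packet("10.0.0.1", "224.0.0.10", PROTO["eigrp"])
TCP_R1_TO_R2 = Packet("10.0.0.1", "10.0.0.2", PROTO["tcp"])

ACL_AS_POSTED = ["access-list 111 permit ip any any"]    # ACL 111 as posted in the thread
ACL_TCP_ONLY = ["access-list 111 permit tcp any any"]    # Jay's suggested diagnostic change


def diagnose():
    """Report which of the two ACLs would hand the EIGRP hello to the crypto map."""
    return {name: crypto_acl_selects(acl, EIGRP_HELLO)
            for name, acl in (("ip any any", ACL_AS_POSTED), ("tcp any any", ACL_TCP_ONLY))}


if __name__ == "__main__":
    for name, selected in diagnose().items():
        print(f"ACL 111 '{name}': EIGRP hello {'selected for IPsec' if selected else 'sent in clear'}")
```

Pair the result with `show ip eigrp neighbors` and the `show crypto ipsec sa` encaps/decaps counters: if the neighbor stays up after the TCP-only change, the adjacency is being carried outside the SA.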

Received on Sun Dec 09 2012 - 08:56:30 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART