It has to do with directly connected interfaces. Put another layer 3 hop in between them and you'll see that it won't peer through the tunnel without GRE.
Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com> wrote:
> Just labbed it up and it does set up a neighbourship. Strange indeed.
>
> Regards,
> Sid
> Nobody's really listening, until you make a mistake...
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: 09 December 2012 23:05
> To: Adesh Chaudhary
> Cc: Ovais Iqbal; ccielab_at_groupstudy.com
> Subject: Re: site to site vpn and routing protocol
>
> That is a good summary!
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
>
> From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Sunday, December 9, 2012 12:01 PM
> Subject: Re: site to site vpn and routing protocol
>
> As I think, IPSEC is mostly deployed over the public Internet. The IP subnet is
> generally different on both sides, causing issues with routing protocols.
> So GRE over IPSEC is used to address this issue. I might be wrong, as I
> haven't dealt much with them.
>
>
> On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> Can you show the output of sh IP EIGRP neigh?
>>
>> Can you configure the interesting traffic for TCP traffic only in ACL 111?
>> You'll notice that the EIGRP isn't getting encrypted. It's peering outside
>> of the tunnel, and this ACL change will verify for you. Also, when you remove
>> the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
>>
>> Great question, and a hard one to explain.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>>
>> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>>> I will share the topology here,
>>> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>>>
>>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running
>>> 12.4 adv security. I configured the following on R1 and a replica on R2 (which I
>>> won't show since it will be just a repetition)
>>>
>>> R1
>>> crypto isakmp key 0 cisco address 10.0.0.2
>>> crypto isakmp policy 1
>>>  auth pre-share
>>>  encry des
>>>  hash md5
>>>  group 2
>>>
>>> access-list 111 permit ip any any
>>>
>>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
>>> crypto map R1toR2 10 ipsec-isakmp
>>>  match address 111
>>>  set peer 10.0.0.2
>>>  set transform-set R1toR2
>>>
>>> interface Fastethernet 0/0
>>>  ip address 10.0.0.1 255.255.255.0
>>>  crypto map R1toR2
>>>
>>> router eigrp 1
>>>  no auto
>>>  network 10.0.0.0 0.0.0.255
>>>
>>> Now EIGRP successfully forms the neighborship; I can see the packets being
>>> encrypted/decrypted while there is no other communication than EIGRP. This
>>> is surprising for me since I remembered for sure that protocols didn't work
>>> over IPsec since IPsec has issues with multicast packets.
>>>
>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>> Sent: Sunday, December 9, 2012 6:55 PM
>>> Subject: Re: site to site vpn and routing protocol
>>>
>>> You'll have to see how that's happening. Most likely the peering is going a
>>> different direction than you think (not over the tunnel). Type "show IP
>>> EIGRP neigh or OSPF neigh" and see what IP address and what route it's
>>> taking to get there.
>>>
>>> Regards,
>>> Jay McMickle- CCIE #35355 (RS)
>>> Sent from my iPhone 5
>>>
>>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>
>>>> No, there are no tunnel interfaces; that's why I am surprised as to why
>>>> EIGRP/OSPF are able to run over IPsec.
>>>>
>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>>>> Sent: Sunday, December 9, 2012 6:01 PM
>>>> Subject: Re: site to site vpn and routing protocol
>>>>
>>>> All you need is an L3 interface on each end for the adjacencies. That's
>>>> why GRE over IPSEC enables dynamic protocols.
>>>>
>>>> If you are peering over IPSEC, what L3 interface is it using? Is it
>>>> going over the tunnel for the peering?
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (RS)
>>>> Sent from my iPhone 5
>>>>
>>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I was under the impression that if I have 2 routers connected back to
>>>>> back and I run IPsec over it, routing protocols won't work. That was the
>>>>> main reason we use GRE. But now when I reconfigured it on GNS3 and on real
>>>>> routers (1841), I saw that neighbor adjacencies are working fine for all
>>>>> protocols. So it's a bit surprising for me.
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Thanks & Regards,
> Adesh
> +91 99996 10511 (Delhi)
> +91 99860 10511 (Bangalore)
Received on Sun Dec 09 2012 - 14:25:45 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART