Is the EIGRP traffic being sent through IPsec? From the configuration I got the impression that it is not.

"H" @groupstudy.com on 11/21/2002 10:42:09 AM
Please respond to "H"
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: GRE on Cisco routers [7:57836]

I have 2 questions:

1)
                              IPSec
172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
                     |                  |
              192.168.1.0/24      192.168.2.0/24

Here is more info:-
RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27

Both RTA & RTA are running EIGRP. As per CCO, IPSec (without GRE) does not transfer routing protocols such as EIGRP / OSPF etc. I have tested this on the above topology, but I can get the EIGRP routes across from RTA to RTB & vice versa. What am I missing??

And here are the configs:-

And RTA:-

crypto isakmp policy 15
 hash md5
 authentication pre-share
!
crypto isakmp key 1234a address 10.64.10.14
!
!
crypto ipsec transform-set setOne esp-des esp-md5-hmac
!
crypto map combined local-address Serial1
!
crypto map combined 8 ipsec-isakmp
 set peer 10.64.10.14
 set transform-set setOne
 match address 101
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
!
interface Serial0
 ip address 172.16.1.1 255.255.255.0
 no fair-queue
!
interface Serial1
 ip address 10.64.10.13 255.255.255.224
 no ip route-cache
 no ip mroute-cache
 clockrate 64000
 crypto map combined
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

RTB:-

crypto isakmp policy 5
 hash md5
 authentication pre-share
!
!
crypto isakmp key 1234a address 10.64.10.13
!
crypto ipsec transform-set setTwo esp-des esp-md5-hmac
!
crypto map combined local-address Serial0
!
crypto map combined 13 ipsec-isakmp
 set peer 10.64.10.13
 set transform-set setTwo
 match address 101
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0
 ip address 10.64.10.14 255.255.255.224
 no fair-queue
 crypto map combined
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.2.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
 no eigrp log-neighbor-changes
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

*** So instead of getting the EIGRP routes via Tunnel 0 interface, I'm getting it via the outgoing interface (serial 0), & the IPSec still works. So what am I missing, and how does it make a difference if I use GRE over IPSec? I also tested RIPv2 & getting similar results.

RTA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0
D       172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
     10.0.0.0/27 is subnetted, 1 subnets
C       10.64.10.0 is directly connected, Serial1
C    192.168.1.0/24 is directly connected, Loopback0
D    192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
RTA#

RTA#sh crypto engine connections act

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Serial1         10.64.10.13     set    HMAC_MD5+DES_56_CB        0        0
2000 Serial1         10.64.10.13     set    HMAC_MD5+DES_56_CB        0        6
2001 Serial1         10.64.10.13     set    HMAC_MD5+DES_56_CB        6        0
RTA#

--

2) Most configs / examples I found on CCO and books use:

crypto ipsec transform-set setTwo esp-des

so when would one use:

crypto ipsec transform-set setTwo esp-des

?? Or is it generally not needed / recommended to use the mode transport? If anyone can give me some config e.g., that would be greatly appreciated.
Thanks, HL
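The check the reply points at, written out as an added example that is not part of either post: it evaluates RTA's crypto ACL (access-list 101 from the configuration above) against a few packets leaving Serial1 to show which ones the crypto map selects for IPsec. The sample packets and host addresses such as 172.16.1.10 are constructed; the example assumes EIGRP hellos are sourced from the interface address and sent to the EIGRP multicast group 224.0.0.10.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC SWILD DST DWILD' (the only form on the page)."""
    tok = line.split()
    return {"action": tok[2], "proto": tok[3],
            "src": (tok[4], tok[5]), "dst": (tok[6], tok[7])}

def crypto_acl_selects(aces, proto, src, dst):
    """True if the crypto ACL selects the packet for IPsec (first match wins, implicit deny)."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"] == "permit"
    return False  # no match: forwarded out the interface unencrypted

# RTA's crypto ACL, copied from the posted configuration.
RTA_ACL = [parse_ace(
    "access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255")]

# Constructed sample packets leaving RTA's Serial1: (label, protocol, source, destination).
PACKETS = [
    ("EIGRP hello",          "eigrp", "10.64.10.13", "224.0.0.10"),
    ("EIGRP unicast update", "eigrp", "10.64.10.13", "10.64.10.14"),
    ("LAN to LAN",           "icmp",  "172.16.1.10", "172.16.2.10"),
    ("Loopback to loopback", "icmp",  "192.168.1.1", "192.168.2.1"),
]

def classify(aces=RTA_ACL, packets=PACKETS):
    """Map each sample packet to 'encrypted' or 'cleartext' under the crypto ACL."""
    return {label: "encrypted" if crypto_acl_selects(aces, p, s, d) else "cleartext"
            for label, p, s, d in packets}

if __name__ == "__main__":
    for label, fate in classify().items():
        print(f"{label:22} {fate}")
```

Only the 172.16.1.0/24 to 172.16.2.0/24 flow matches the permit entry; the EIGRP packets between the serial addresses do not, which is consistent with routes being learned via 10.64.10.14 on Serial1 in the routing table above.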

