Re: enabling eigrp on PIX head end firewalls that house multi-ho

eisenberg · ‎10-23-2010

I currently have two VPN head end devices (PIX 515E running 8.04) , one at each datacenter . The upstream devices at each data center are cisco 6500s running eigrp. The two data centers are directly connected via these 6500s. All IPSec tunnels terminate to one of the two firewalls. Up to know I have added static routes to the 6500s at each data center letting them know where the remote L2L networks live. I would like this setup to be dynamic since I have the remote vpn device configured to initiate the IPSec connection to both two firewalls. My problem is when a remote site initiates the L2L connection with the one or the other firewall I have to manually change the static routes letting the trusted network know where the remote subnet lives. I am looking into enabling eigrp on the two firewalls....will enabling eigrp on the firewalls allow me to remove all of the static routes on the 6500s that let the 6500s know where the remote L2L subnets live?

Jitendriya Athavale · ‎10-23-2010

hi

well eigrp wont be the best thig to do here, as multicast packets wont go through the ipsec tunnel

you have 2 options going forwards

use routers if you have to termintae ipsec with gre, basically u r encrypting the gre tunnel and in the gre tunnel you can pass the routing updates plus the normal traffic
secondly move to ospf, using ospf neighbor command you have the option of sending updates as unicast packets and this can be encrypted using ipsec, if you still want to use eigrp, it will be a challenge becuase you might have to redistribute networks to ospf which again i think is some manual work, i think the best solution here is ospf, here is a link which will help you understand what i am saying

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

enabling eigrp on PIX head end firewalls that house multi-homed L2L remote sites