BGP routing via VPN (Hub 'n Spoke topology)

h.groeger
Level 1

Hi all,

I have here a Hub 'n Spoke VPN topology between three routers (where RtrB is the hub site). VPN tunnels are built up between RtrB-RtrA and RtrB-RtrC, and the EBGP peering is the same as the VPN topology (RtrB to RtrA and RtrB to RtrC). Now my problem: BGP comes up and the peers are sending/receiving the routes, but a connection between RtrA-RtrC is not possible, although the routes from the private LAN A are in RtrC's routing table. Is there an issue like Split-Horizon in VPN? Maybe it's not possible to route traffic on the hub site from one tunnel to the next tunnel. Many thanks in advance...

2 Replies

dhashamy
Level 1

IPSEC will not transfer routing protocols if that is how your tunnels are set up; you will have to create GRE tunnels to transfer BGP. The following doc has a sample config using OSPF:

www.cisco.com/warp/customer/707/gre_ipsec_ospf.html

hope this helps!

Actually, IPSec can be used to encrypt routing packets, and BGP is a protocol commonly used because it is unicast in nature and can work over multiple hops. There is some opinion that it is better to use BGP over IPSec than to use BGP MD5 authentication, although I don't know if it is being used much at the provider level (I suspect not, given the performance overheads).

The reason that IPSec is incompatible with most interior protocols is that they are unicast/multicast (not supported by IPSec) and rely on the neighbor being directly attached. This is why GRE tunnels are commonly suggested as the solution. This also avoids the confusion that arises between the routing policy and the crypto policy.

In a lot of different IOS versions, there were issues with same-interface switching and IPSec. It varies from IOS to IOS and model to model. One of the first things to try if this is happening to you is to turn off fast switching on the relevant interfaces. Bear in mind that the more advanced features you try to combine on one router, the more likely you are to find some issue. So if you're going to try to combine MPLS/CEF/IPSec/NAT/RPF/same-interface routing, be prepared to spend a lot of time talking to the TAC.
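The GRE-over-IPsec design both replies point to, as an added example configuration for the hub RtrB (this is not configuration from the thread or from the linked Cisco document). The addresses (198.51.100.x for the public tunnel endpoints, 10.255.x.x/30 for the tunnel links, 192.168.1.0/24 as LAN A, 192.168.2.0/24 as LAN B), the AS numbers and the key placeholders are assumptions; each spoke mirrors its own tunnel and peers with the hub's tunnel address.

```cisco
! Hub router RtrB (example only): one GRE tunnel per spoke, each tunnel
! protected by IPsec, eBGP peered across the tunnel addresses.
! All addresses, AS numbers and the PSK placeholders are constructed.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PSK-FOR-RTRA> address 198.51.100.1
crypto isakmp key <PSK-FOR-RTRC> address 198.51.100.3
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 ! transport mode: GRE already supplies the outer IP header
 mode transport
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
! Tunnel to spoke RtrA (public peer 198.51.100.1)
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
!
! Tunnel to spoke RtrC (public peer 198.51.100.3)
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 198.51.100.3
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
!
! eBGP: RtrB (AS 65002) peers with RtrA (AS 65001) and RtrC (AS 65003).
! Because both spokes are eBGP peers, RtrB re-advertises LAN A to RtrC
! with next hop 10.255.2.2, so A<->C traffic is forwarded tunnel to tunnel
! on the hub; no iBGP split-horizon rule is involved.
router bgp 65002
 neighbor 10.255.1.1 remote-as 65001
 neighbor 10.255.2.1 remote-as 65003
 network 192.168.2.0 mask 255.255.255.0
!
! Checks: "show crypto ipsec sa" (one SA pair per tunnel), "show ip bgp
! neighbors" (both sessions Established), and on RtrC "show ip bgp
! 192.168.1.0" (LAN A learned via 10.255.2.2, AS path 65002 65001).
```

With tunnel protection, the IPsec proxy identities are the GRE endpoints themselves, so there is no separate crypto ACL to keep in step with the routing policy. If the spoke-to-spoke traffic still fails once RtrC shows the LAN A prefix, the same-interface switching issue described in the reply above is the next thing to test.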