Can EIGRP function normally through an IPsec tunnel?

Hello tech gods.

I have heard unverified info that EIGRP can't adequately function through an IPsec tunnel. Perhaps it can't make adjacencies, or the multicast updates have some issue. 

I don't see why there should be any problems at all, as long as the MTU config is adequately set.

QUESTIONS: Can EIGRP function normally through an IPsec tunnel? If configured correctly, is there anything EIGRP cannot do through an IPsec tunnel?

Thank you!

12 Replies

Hmm

You have two choices here.

Either use VTI (ASA and router) or GRE (only routers support it) instead of IPsec (crypto map).

Or

Allow host to EIGRP multicast in the ACL of IPsec; it works for me as a workaround.

MHM

The device will be an ASA Firepower. What do you mean "use vti"?

"Allow host to EIGRP multicast in ACL of IPSEC"-- This seems great. Is there a downside to this?

Do you recommend this as sound and stable for the enterprise architecture for each branch to the datacenter hub?

Thank you.

interface Tunnel0
 ip address xxxx
 tunnel source xxxx
 tunnel destination xxxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile xxx

The above is a VTI tunnel that is used instead of IPsec because of the limitations of IPsec with multicast.

MHM

But then is this tunnel not secure because it's not encrypted?

Tunnel protection by IPsec profile.

It's secure, friend.

MHM

Is "VTI" just the same thing as a "route-based" IPsec VPN?
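VTI is Cisco's name for a route-based IPsec tunnel: the tunnel is an interface with its own IP address, and whatever the routing table sends into it is encrypted, so no crypto ACL has to enumerate EIGRP's multicast hellos or unicast updates. The configuration below is an added example, not from any post in this thread; it fills in the ASA side of the VTI that MHM's snippet above sketches, with EIGRP peering across the tunnel subnet. Assumptions: an ASA on a release that supports IKEv2 on VTI and lists EIGRP among the dynamic routing protocols supported over VTI (check the release notes for your version before relying on this), an outside interface named "outside", EIGRP AS 100, a made-up tunnel subnet 10.255.0.0/30, and placeholders in angle brackets. The remote peer mirrors this with the other /30 address.

```cisco
! Added example (not from the thread): ASA branch side of a route-based (VTI) tunnel
! carrying EIGRP. AS 100, 10.255.0.0/30 and <placeholders> are assumptions.

! IKEv2 rather than IKEv1: AES-256, SHA-256, DH group 14 (no 1024-bit group 2)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal and the profile the VTI references (no crypto map, no crypto ACL)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group14

! Peer authentication; the tunnel-group name is the peer's public IP
tunnel-group <Remote_Peer_IP> type ipsec-l2l
tunnel-group <Remote_Peer_IP> ipsec-attributes
 ikev2 local-authentication pre-shared-key <Pre-Shared-Key>
 ikev2 remote-authentication pre-shared-key <Pre-Shared-Key>

! The tunnel is a routable interface with its own /30. Everything routed into it
! is encrypted, including EIGRP multicast to 224.0.0.10, so no static neighbor
! and no "permit eigrp" entry in a crypto ACL are needed.
interface Tunnel0
 nameif vti-hub
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination <Remote_Peer_IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! EIGRP forms an ordinary multicast adjacency across the tunnel subnet
router eigrp 100
 eigrp router-id <Router_ID>
 network 10.255.0.0 255.255.255.252
 network <Inside_Network> <Inside_Mask>

! Verification
show crypto ikev2 sa
show eigrp neighbors
show route eigrp
```

With this in place, `show crypto ikev2 sa` should show the child SA up, `show eigrp neighbors` should list the peer on the vti-hub interface, and `show route eigrp` the remote LANs. The next hop of those routes is the peer's tunnel address (10.255.0.1 here), not its public IP; the public IP is only the tunnel destination. If the routes appear but traffic stalls, revisit the MTU the original question raised: the tunnel interface must leave room for the ESP and IP overhead.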

Hello,

what type of IPSec tunnel(s) are you talking about? EIGRP is frequently used in DMVPN IPSec topologies. The sample config below shows that you simply add the tunnel networks to EIGRP (IPSec protection is also added to the tunnels). I have never heard of any issues using that setup...

Basic Configuration

Hub Configuration:

Hub(config)# interface Tunnel0
Hub(config-if)# ip address 172.16.1.1 255.255.255.0
! GRE + IPsec overhead: lower the tunnel MTU and clamp TCP MSS so EIGRP packets and TCP sessions are not fragmented
Hub(config-if)# ip mtu 1400
Hub(config-if)# ip tcp adjust-mss 1360
Hub(config-if)# tunnel source <Hub_Public_IP>
Hub(config-if)# tunnel mode gre multipoint
Hub(config-if)# tunnel key 123

Spoke Configuration:

Spoke1(config)# interface Tunnel0
Spoke1(config-if)# ip address 172.16.1.2 255.255.255.0
Spoke1(config-if)# ip mtu 1400
Spoke1(config-if)# ip tcp adjust-mss 1360
Spoke1(config-if)# tunnel source <Spoke1_Public_IP>
Spoke1(config-if)# tunnel mode gre multipoint
Spoke1(config-if)# tunnel key 123

Configure EIGRP on Hub and Spokes:

Hub(config)# router eigrp <AS_Number>
Hub(config-router)# network 172.16.0.0 0.0.255.255
Hub(config-router)# eigrp router-id 1.1.1.1
! The hub re-advertises one spoke's routes to the other spokes out the same mGRE interface, so split horizon must be off there
Hub(config)# interface Tunnel0
Hub(config-if)# no ip split-horizon eigrp <AS_Number>

Spoke1(config)# router eigrp <AS_Number>
Spoke1(config-router)# network 172.16.0.0 0.0.255.255
Spoke1(config-router)# eigrp router-id 2.2.2.2

DMVPN Configuration

Configure DMVPN on Hub:

Hub(config)# interface Tunnel0
Hub(config-if)# ip nhrp network-id 1
Hub(config-if)# ip nhrp authentication <NHRP_Auth_Key>
! Every spoke that registers is added as a multicast destination, so EIGRP hellos reach all spokes
Hub(config-if)# ip nhrp map multicast dynamic
Hub(config-if)# ip nhrp redirect
Hub(config-if)# ip nhrp shortcut
Hub(config-if)# ip nhrp holdtime 300

Configure DMVPN on Spoke1:

Spoke1(config)# interface Tunnel0
Spoke1(config-if)# ip nhrp network-id 1
Spoke1(config-if)# ip nhrp authentication <NHRP_Auth_Key>
! Static mapping of the hub's tunnel address to its public (NBMA) address, plus a multicast mapping so the spoke's EIGRP hellos to 224.0.0.10 are sent to the hub; without the multicast mapping no adjacency forms
Spoke1(config-if)# ip nhrp map 172.16.1.1 <Hub_Public_IP>
Spoke1(config-if)# ip nhrp map multicast <Hub_Public_IP>
Spoke1(config-if)# ip nhrp nhs 172.16.1.1
! Phase 3: the spoke acts on the hub's redirects and installs spoke-to-spoke shortcut routes
Spoke1(config-if)# ip nhrp shortcut

IPSec Configuration

Configure IPSec on Hub:

Hub(config)# crypto isakmp policy 10
Hub(config-isakmp)# authentication pre-share
Hub(config-isakmp)# encryption aes
Hub(config-isakmp)# hash sha256
! DH group 2 (1024-bit) is weak; use group 14 (2048-bit) or stronger
Hub(config-isakmp)# group 14
Hub(config-isakmp)# exit

! Wildcard key so the hub accepts any spoke; a key per spoke address is stricter
Hub(config)# crypto isakmp key <Pre-Shared-Key> address 0.0.0.0 0.0.0.0

! ESP needs an integrity transform; encryption-only ESP (esp-aes alone) is not acceptable. Transport mode avoids a second outer IP header on top of GRE
Hub(config)# crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac
Hub(cfg-crypto-trans)# mode transport
Hub(cfg-crypto-trans)# exit
Hub(config)# crypto ipsec profile DMVPN
Hub(ipsec-profile)# set transform-set ESP-AES
Hub(ipsec-profile)# exit

Hub(config)# interface Tunnel0
Hub(config-if)# tunnel protection ipsec profile DMVPN

Configure IPSec on Spoke1:

Spoke1(config)# crypto isakmp policy 10
Spoke1(config-isakmp)# authentication pre-share
Spoke1(config-isakmp)# encryption aes
Spoke1(config-isakmp)# hash sha256
Spoke1(config-isakmp)# group 14
Spoke1(config-isakmp)# exit

! Key for the hub; with Phase 3 spoke-to-spoke tunnels the spoke also needs keys for the other spokes (or a wildcard address as on the hub)
Spoke1(config)# crypto isakmp key <Pre-Shared-Key> address <Hub_Public_IP>

Spoke1(config)# crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac
Spoke1(cfg-crypto-trans)# mode transport
Spoke1(cfg-crypto-trans)# exit
Spoke1(config)# crypto ipsec profile DMVPN
Spoke1(ipsec-profile)# set transform-set ESP-AES
Spoke1(ipsec-profile)# exit

Spoke1(config)# interface Tunnel0
Spoke1(config-if)# tunnel protection ipsec profile DMVPN

Hi Georg. Your reply is very helpful. DMVPN is not possible in this case, as the devices are ASAs.

In your 1st config (above DMVPN), it seems you use GRE, but it seems ASA cannot use GRE, so none of the configs will work. Is it true that ASA cannot use GRE?

MHM says to use either "VTI" or "allow host to EIGRP multicast in ACL of IPsec". Could you please discuss these options as the enterprise solution?

Thank you.

Hello,

sorry about that, I didn't realize that you have ASAs. For these, the configs would indeed be a bit different, but EIGRP still basically works without problems:

Enable IKEv1 on the outside interface and define an IKEv1 policy (the crypto map below cannot negotiate without them)

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

Define the IPSec transform-set

crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Define the IPSec profile

! Only a VTI (route-based tunnel) references an IPsec profile; the crypto map further down uses the transform-set directly, so this profile is unused in a policy-based setup
crypto ipsec profile MY_IPSEC_PROFILE
 set ikev1 transform-set MY_TRANSFORM_SET

Create a tunnel group for the remote peer

tunnel-group <Remote_Peer_IP> type ipsec-l2l
tunnel-group <Remote_Peer_IP> ipsec-attributes
 ikev1 pre-shared-key <Pre-Shared-Key>
 ! peer-id-validate only applies to certificate authentication; it has no effect with a pre-shared key
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 2

Create the crypto map. Replace <Remote_Peer_IP> with the actual public IP address of the remote peer, and <Pre-Shared-Key> with your pre-shared key for authentication.

! The crypto ACL defines the traffic that is encrypted; the EIGRP packets between the two peers must match it as well as the LAN-to-LAN traffic (they do when both neighbor addresses fall inside these networks)
access-list MY_ACL extended permit ip <Local_Network> <Local_Mask> <Remote_Network> <Remote_Mask>
crypto map MY_CRYPTO_MAP 10 match address MY_ACL
crypto map MY_CRYPTO_MAP 10 set pfs group14
crypto map MY_CRYPTO_MAP 10 set peer <Remote_Peer_IP>
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET

Apply the crypto map to the outside interface

crypto map MY_CRYPTO_MAP interface outside

EIGRP Configuration:

Enable EIGRP on the ASA

router eigrp <AS_Number>
 eigrp router-id <Router_ID>
 network <Inside_Network> <Inside_Mask>
 redistribute static

Configure the EIGRP neighbor

! A static neighbor makes EIGRP send unicast hellos and updates to that address instead of multicast to 224.0.0.10, which is what lets it cross a policy-based (crypto map) tunnel. The interface is the one through which the neighbor is reached; for a crypto-map tunnel that is the encrypting interface (outside), not the inside LAN
 neighbor <Neighbor_IP> interface-name <Interface_Toward_Neighbor>

Allow EIGRP traffic through the VPN tunnel

! Needed only where an interface ACL would otherwise block EIGRP (IP protocol 88); with the default sysopt connection permit-vpn, decrypted VPN traffic bypasses interface ACLs. If you do use it, apply it with access-group and narrow "any any" to the two neighbor addresses
access-list EIGRP_ACL extended permit eigrp any any

Thank you for your detailed reply.

I have good experience with policy-based VPNs, but none with route-based VPNs.

Is it even necessary to have an ACL for the EIGRP multicast traffic? Or are you saying that, if there is an ACL on the interface, then it must include EIGRP traffic?

Also regarding routing, when sending traffic through a route-based tunnel, is the next hop the private (inside) or public (outside) IP address?

Thank you!

Hello,

the next-hop for the traffic that needs to traverse the IPSec tunnel should be the private IP address of the remote peer (the device at the other end of the IPSec tunnel).

As for allowing EIGRP, you need to allow EIGRP (as in the sample config above), unless, for some reason, you have a 'permit ip any any' statement (which includes all multicast). That said, you probably don't want to allow all traffic, since that sort of defeats the purpose of a firewall...
