03-21-2023 07:15 AM
Hi,
I'm trying to set up a simple P2P topology between 2 routers with ISAKMP encryption and establish EIGRP between them. The P2P setup between them works, but EIGRP does not. When I remove the encryption between the routers, EIGRP comes up OK. Below are the settings on the 2 routers.
Am I doing something wrong in the settings?
ROUTER 1
crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 14
crypto isakmp key poalim address 192.114.1.10
crypto ipsec transform-set poalim esp-aes 256
crypto map pmap 1 ipsec-isakmp
set peer 192.114.1.10
set transform-set poalim
match address 110
access-list 110 permit ip any any
interface gi 0/0/0
no shut
ip address 192.114.1.9 255.255.255.252
delay 100
crypto map pmap
router eigrp 75
network 10.112.112.0 0.0.0.255
network 192.114.1.8 0.0.0.3
no auto-summary
ROUTER 2
crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 14
crypto isakmp key poalim address 192.114.1.9
crypto ipsec transform-set poalim esp-aes 256
!
crypto map pmap 1 ipsec-isakmp
set peer 192.114.1.9
set transform-set poalim
match address 110
access-list 110 permit ip any any
interface gi 0/0/0
no shut
ip address 192.114.1.10 255.255.255.252
delay 100
crypto map pmap
router eigrp 75
network 10.112.112.0 0.0.0.255
network 192.114.1.8 0.0.0.3
no auto-summary
Thanks
03-21-2023 07:31 AM - edited 03-21-2023 08:56 AM
network 10.112.112.0 0.0.0.255 <<- both sides have the same LAN??
I think this is wrong.
I'll wait for your answer to go to the next steps.
The next step is to allow only LAN to LAN.
This makes EIGRP run between the two routers, and only traffic between the LANs will be encrypted.
access-list 110 permit ip <local LAN> <remote LAN>
EIGRP works with IPsec in this case.
03-21-2023 09:23 AM
Here is a simple lab, and you can see the successful ping from R3 to R4.
R1-R2 run IPsec
R1/2/3/4 run EIGRP
03-21-2023 08:48 AM
Hi,
Multicast is not supported over native IPsec (crypto map). You should use GRE+IPsec (interface tunnel mode gre with a crypto profile or crypto map) or VTI IPsec (interface tunnel mode ipsec ipv4).
In your case, you can do a static neighborship; below is the command under the EIGRP process:
neighbor [remote_IP] [local_exit_interface]
With this command, EIGRP hellos over the mentioned interface will be unicast, which can be encapsulated and encrypted by IPsec and decrypted and decapsulated on the remote IPsec node.
03-22-2023 03:54 AM
Hi,
Thanks for your help. I was able to establish a neighbor relationship between the 2 routers, but will the networks I am advertising between the 2 routers work?
Between the 2 routers there is a network 192.114.1.4: Router 1 with address 192.114.1.5,
Router 2 with address 192.114.1.6.
On router 1 I advertise
network 10.112.112.0 0.0.0.255
And the second router advertises a network
network 21.2.2.0 0.0.0.255
Will the networks I advertise work between the 2 routers?
Thanks
03-22-2023 03:59 AM
Why make it hard on yourself? Configure EIGRP to advertise the network,
then configure IPsec.
IPsec is policy based and must have a route to the destination through the interface you configured with the crypto map,
BUT IPsec does not support multicast!! Yes, it does not support multicast, but here, as I mentioned before, you allow only the LAN-to-LAN connection, not any-any, in the IPsec ACL, so IPsec + EIGRP in this case works perfectly without any issue.
03-22-2023 01:55 PM
Hello
It's your crypto access-list that is negating the EIGRP peering (any any); it's encrypting everything, even the EIGRP process, so amend the access-list to exclude EIGRP from the encryption, or be more specific in what traffic you wish to encrypt.
example:
access-list 110 deny eigrp any any
access-list 110 permit ip any any
or
access-list 110 permit ip x.x.x.x y.y.y.y
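The three crypto ACL variants discussed in this thread (any/any, deny eigrp first, LAN-to-LAN), evaluated against the router's own EIGRP hello the way a crypto map classifies "interesting" traffic. This is an added Python model written for this edit, not code from the thread or from Cisco; it assumes the LANs 10.112.112.0/24 and 21.2.2.0/24 from the earlier post for the LAN-to-LAN case and mimics only first-match extended-ACL semantics.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not Cisco code) of crypto-map ACL classification:
# first matching entry wins, "permit" = encrypt, "deny" or no match = clear.
PROTO_NUM = {"ip": None, "eigrp": 88}  # "ip" matches every IP protocol
EIGRP_HELLO_DST = "224.0.0.10"         # EIGRP multicast group, protocol 88

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" or "eigrp"
    src: str     # "any" or "<address> <wildcard>"
    dst: str

def _addr_matches(spec, addr):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return a & care == b & care

def _take_addr(tokens):
    """Consume 'any' or '<address> <wildcard>' from the front of a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <n> <action> <proto> <src> <dst>' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = _take_addr(tokens[4:])
        dst, _ = _take_addr(rest)
        aces.append(Ace(tokens[2], tokens[3], src, dst))
    return aces

def is_encrypted(acl_text, src, dst, proto):
    """Return True if the crypto map would try to encrypt this packet."""
    for ace in parse_acl(acl_text):
        if PROTO_NUM[ace.proto] in (None, proto) and _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action == "permit"
    return False  # implicit deny: not "interesting" traffic, sent in the clear

def eigrp_hello_is_encrypted(acl_text, local_ip):
    """True when the crypto map would swallow the router's own EIGRP hellos."""
    return is_encrypted(acl_text, local_ip, EIGRP_HELLO_DST, 88)
```

With `permit ip any any` the hello is matched and pulled into IPsec, which cannot carry multicast, so the adjacency never forms; both the `deny eigrp` entry and the LAN-to-LAN ACL leave the hello unmatched while still encrypting LAN traffic.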