833 Views | 0 Helpful | 6 Replies

Cisco 8200 router EIGRP + ISAKMP

shlomoi
Level 1

Hi,

I'm trying to set up a simple P2P topology between 2 routers with ISAKMP encryption and establish EIGRP between them. The P2P setup between both works, but EIGRP does not. When I remove the encryption between the routers, EIGRP comes up OK. Below are the settings on the 2 routers.

Am I doing something wrong in the settings?

ROUTER 1

crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key poalim address 192.114.1.10
!
crypto ipsec transform-set poalim esp-aes 256
!
crypto map pmap 1 ipsec-isakmp
 set peer 192.114.1.10
 set transform-set poalim
 match address 110
!
access-list 110 permit ip any any
!
interface gi 0/0/0
 no shut
 ip address 192.114.1.9 255.255.255.252
 delay 100
 crypto map pmap
!
router eigrp 75
 network 10.112.112.0 0.0.0.255
 network 192.114.1.8 0.0.0.3
 no auto-summary

ROUTER 2

crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key poalim address 192.114.1.9
!
crypto ipsec transform-set poalim esp-aes 256
!
crypto map pmap 1 ipsec-isakmp
 set peer 192.114.1.9
 set transform-set poalim
 match address 110
!
access-list 110 permit ip any any
!
interface gi 0/0/0
 no shut
 ip address 192.114.1.10 255.255.255.252
 delay 100
 crypto map pmap
!
router eigrp 75
 network 10.112.112.0 0.0.0.255
 network 192.114.1.8 0.0.0.3
 no auto-summary

[Attached screenshot: shlomoi_1-1679407974395.png]

Thanks 

6 Replies

network 10.112.112.0 0.0.0.255 <<- both sides have the same LAN??
I think this is wrong.
I await your answer before going to the next steps.
The next step is to allow only LAN to LAN;
this makes EIGRP run between the two routers, and only traffic between the LANs will be encrypted.

access-list 110 permit ip <local LAN> <wildcard> <remote LAN> <wildcard>

EIGRP works with IPsec in this case.

The simple lab, and you can see the success of the ping from R3 to R4:
R1-R2 run IPsec
R1/2/3/4 run EIGRP

[Attached screenshot: Screenshot (423).png]

Hi,

Multicast is not supported over native IPsec (crypto map). You should use GRE+IPsec (interface tunnel mode gre with a crypto profile or crypto map) or VTI IPsec (interface tunnel mode ipsec ipv4).

In your case, you can do static neighborship; below is the command under the EIGRP process:

neighbor [remote_IP] [local_exit_interface]

With this command, EIGRP hellos over the mentioned interface will be unicast, which can be encapsulated and encrypted by IPsec and decrypted and decapsulated on the remote IPsec node.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi,

Thanks for your help. I was able to establish a neighbor relationship between the 2 routers, but will the networks I'm advertising between the 2 routers work?

Between the 2 routers there is the network 192.114.1.4: Router 1 with address 192.114.1.5,
Router 2 with address 192.114.1.6.

On router 1 I advertise
Network 10.112.112.0 0.0.0.255

And the second router advertises a network
network 21.2.2.0 0.0.0.255

Will the networks I post work between the 2 routers?

Thanks

Why make it hard for yourself? Config EIGRP to advertise the network,
then config IPsec.
The IPsec is policy based and must have a route to the destination through the interface you configured with the crypto map,
BUT IPsec does not support multicast!! Yes, it does not support multicast, but here, as I mentioned before, you allow only the LAN-LAN connection, not any-any, in the ACL of IPsec, so IPsec + EIGRP in this case works perfectly without any issue.

Hello
It's your crypto access-list that's negating the EIGRP peering (any any); it's encrypting everything, even the EIGRP process, so amend the access-list to negate EIGRP from the encryption or be more specific in what traffic you wish to encrypt.

Example:
access-list 110 deny eigrp any any
access-list 110 permit ip any any
or
access-list 110 permit ip x.x.x.x y.y.y.y


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
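Putting the two fixes from this thread together (the deny-EIGRP line and a LAN-to-LAN crypto ACL instead of any/any), here is an added Router 1 configuration; it is not taken from any of the posters. The peer address and the 10.112.112.0/24 and 21.2.2.0/24 LANs are the ones named in the thread, while the ACL name CRYPTO-LAN and the hash/HMAC choices are assumptions.

```cisco
! Router 1 (192.114.1.9). Mirror on Router 2 with the addresses and LANs swapped.
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key poalim address 192.114.1.10
!
crypto ipsec transform-set poalim esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL (name assumed): keep EIGRP (IP protocol 88) out of the crypto map
! so the multicast hellos travel in the clear on the /30 link, and encrypt
! only LAN-to-LAN traffic rather than everything.
ip access-list extended CRYPTO-LAN
 deny   eigrp any any
 permit ip 10.112.112.0 0.0.0.255 21.2.2.0 0.0.0.255
!
crypto map pmap 1 ipsec-isakmp
 set peer 192.114.1.10
 set transform-set poalim
 match address CRYPTO-LAN
!
interface GigabitEthernet0/0/0
 ip address 192.114.1.9 255.255.255.252
 crypto map pmap
 no shutdown
!
router eigrp 75
 network 10.112.112.0 0.0.0.255
 network 192.114.1.8 0.0.0.3
! Alternative to the deny line: unicast hellos to the peer so they fit
! inside the IPsec SA. Either approach alone is enough.
! neighbor 192.114.1.10 GigabitEthernet0/0/0
```

Verify with show ip eigrp neighbors and show crypto ipsec sa: the neighbor should come up while the SA's encrypt/decrypt counters grow only with LAN-to-LAN traffic.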