IPSEC Implementation with EIGRP

snarayanaraju
Level 4

Experts, this is a design question. I am implementing an IPsec VPN. The offices are connected over the Internet.

I am aware that EIGRP doesn't work over IPsec because of its multicast requirement, so I have the following approaches. I am interested to know which is the best one to choose and use.

Option 1:

a. Configure a GRE tunnel (tunnel mode gre)

b. For the interesting traffic to be encrypted, create an ACL with the source and destination IPs used for the GRE tunnel and use it in the crypto map

c. Create the crypto map and apply it to the physical interface

d. EIGRP on the LAN and GRE tunnel interfaces

What are the advantages and disadvantages of this implementation?

Option 2:

a. Configure an IPsec tunnel (tunnel mode ipsec ipv4)

b. Apply an IPsec profile to the tunnel interface

c. EIGRP on the tunnel interface and LAN interface

What are the advantages and disadvantages of this implementation?

Option 3:

Will EIGRP work if I configure a crypto map and apply it to the physical interface without any tunnel interface (GRE or IPsec IPv4)?

Thanks in advance

Sairam

Accepted Solution

Richard Burts
Hall of Fame

The original poster makes a correct observation that EIGRP does not work in a pure IPsec environment. IPsec was designed to process unicast traffic. So if a crypto map is applied to the physical interface it will process unicast traffic but not multicast, and so EIGRP would not work in that situation. That addresses Option 3.

Georg makes the good point that IPsec in conjunction with a GRE tunnel works well and does support multicast traffic, and therefore would work with EIGRP. That is basically what Option 1 discusses, and it would work.

Joseph discusses VTI. While it is perhaps a bit ambiguous, I believe that Option 2 is really about VTI and would work.

Both Options 1 and 2 use a common approach: a tunnel which can carry both unicast and multicast traffic, with the traffic flowing through the tunnel then being encrypted. Option 1 with the GRE tunnel does require a crypto map, which requires an access list to identify the traffic to be encrypted. Option 2 with VTI simplifies the configuration since it does not require either a crypto map or an access list.

Both Options 1 and 2 would work. My preference is for Option 2 using VTI. I like the simplified approach to configuration, and I believe that this is the direction that Cisco is taking as they make improvements in their code.

 

HTH

 

Rick


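As an added example (not part of the thread, and not Cisco's own documentation), the two working options from the accepted answer side by side as IOS configuration for one router, Router A. Addresses, interface names, ACL/crypto map/profile names and the pre-shared key are constructed placeholders: WAN 203.0.113.1 on GigabitEthernet0/0 facing a peer at 198.51.100.1, LAN 10.1.0.0/24, tunnel subnet 172.16.0.0/30, EIGRP AS 100. Router B mirrors this with the addresses swapped. Option 1 needs a crypto map plus an ACL that selects GRE between the two endpoints; Option 2 replaces both with an IPsec profile bound to the tunnel interface. Configure one or the other, not both.

```cisco
! Added example, not from the thread. Router A only; Router B mirrors it.
! All addresses, names and the pre-shared key are constructed placeholders.
!
! ---- Common to both options: IKEv1 phase 1 policy and the transform set ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
!
! ---- Option 1: GRE tunnel + crypto map on the physical interface ----
! Only GRE between the two endpoints is "interesting" traffic. By the time the
! crypto map on Gi0/0 sees an EIGRP hello to 224.0.0.10, it is already inside a
! unicast GRE packet, so this ACL matches it and the whole tunnel is encrypted.
! If this ACL is wrong, GRE (and EIGRP inside it) leaves Gi0/0 in the clear.
ip access-list extended ACL-GRE-TO-B
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map CM-WAN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 match address ACL-GRE-TO-B
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-WAN
!
! ---- Option 2: VTI (tunnel mode ipsec ipv4) with an IPsec profile ----
! No crypto map and no ACL. Whatever is routed into Tunnel0 is encrypted,
! multicast included, because the tunnel interface itself is the IPsec SA;
! there is no "unmatched traffic" path to the peer.
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! ---- EIGRP on the LAN and the tunnel. The WAN subnet is deliberately not
! ---- covered by any network statement, so no hello ever goes out Gi0/0 unencrypted.
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
```

Verification is the same for both: `show ip eigrp neighbors` should list the peer on Tunnel0, and `show crypto ipsec sa` should show the encaps/decaps counters climbing while EIGRP hellos flow. For Option 1 also check `show crypto map` to confirm the ACL is the one you meant; a mis-typed ACL is the classic way GRE-over-IPsec silently becomes GRE-in-the-clear. The `ip mtu 1400` / `ip tcp adjust-mss 1360` pair is an assumption of a 1500-byte WAN MTU and avoids fragmentation of encrypted packets.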

9 Replies

Hello,

To start out with, EIGRP does work with IPsec/GRE VPNs. Have a look at the sample config in the link below:

 

http://www.angelcool.net/tutorials/cisco/GRE_over_IPsec_EIGRP.pdf

A VTI (IPsec) tunnel should work too (i.e., no GRE needed).


Rick was correct in that I wasn't clear, as I wasn't referencing the options noted in the OP.

I was trying to point out that VTI tunnels don't have the overhead of GRE, but they also support IPsec. I would also like to mention that, except for "old" Cisco GRE/IPsec, you don't need a crypto map and supporting ACLs to define a tunnel using GRE/IPsec as described for option number 1.

Thanks Richard, George & All 

 

By the way, you said "if a crypto map is applied to the physical interface it will process unicast traffic but not multicast, and so EIGRP would not work in that situation".

What is the effect of applying the crypto map on the tunnel interface itself instead of the physical interface?

Sairam

 

When I talked about applying the crypto map to the physical interface it was in the context of your Option 3, which specified that there was no tunnel. This is the pure IPsec implementation, and it can process only unicast traffic and not multicast. If you introduce a tunnel it is no longer just pure IPsec. You have options to send multicast traffic through the tunnel and to encrypt all tunnel traffic, and at that point you are talking about either a GRE tunnel or a VTI tunnel.

 

HTH

 

Rick


Thank you, Rick and everyone who responded to my question and clarified my doubt.

 

Sairam

 

You are welcome. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the forum to identify discussions that have helpful information.

 

HTH

 

Rick


If you have multiple offices (more than 2), consider DMVPN as well.

 

HTH,

Meheretab

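Joseph's point that a GRE tunnel no longer needs a crypto map or ACL, and Meheretab's DMVPN suggestion for more than two offices, as one added example (not part of the thread, and not Cisco's documentation): a DMVPN hub and one spoke in which every GRE tunnel is protected by `tunnel protection ipsec profile`, so there is no crypto map anywhere. Addresses and names are constructed: hub WAN 203.0.113.1 with LAN 10.1.0.0/24, spoke WAN 198.51.100.1 with LAN 10.2.0.0/24, overlay 172.16.0.0/24, EIGRP AS 100, NHRP network-id and tunnel key 100. IKEv2 with a per-peer pre-shared key is my choice and is not something the thread specifies; the pre-shared key is a placeholder. This is phase 1 DMVPN (spoke-to-spoke traffic goes through the hub), which is enough to show how EIGRP multicast reaches the spokes.

```cisco
! Added example, not from the thread. Constructed addresses and placeholder keys.
!
! ======== HUB (WAN 203.0.113.1 on Gi0/0, LAN 10.1.0.0/24) ========
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! One keyring entry per spoke. A wildcard 0.0.0.0 peer with one shared key
! would let anyone who obtains that key register as a spoke.
crypto ikev2 keyring KR-SPOKES
 peer SPOKE1
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-SPOKE1-PSK
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SPOKES
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP replicates EIGRP hellos (224.0.0.10) to every registered spoke.
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Without this the hub would not re-advertise one spoke's routes to the others.
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROF
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
!
! ======== SPOKE1 (WAN 198.51.100.1 on Gi0/0, LAN 10.2.0.0/24) ========
! Same IKEv2 proposal/policy, transform set and IPsec profile as the hub,
! with the keyring peer and "match identity remote address" pointing at
! 203.0.113.1 instead. Phase 1: a point-to-point GRE tunnel to the hub.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROF
!
router eigrp 100
 network 10.2.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
```

Adding an office means one more keyring peer and identity match on the hub plus a spoke configured like SPOKE1; nothing on the existing spokes changes, which is the operational reason to prefer this over a full mesh of static tunnels. Check `show dmvpn` and `show ip nhrp` on the hub for the spoke registration, `show crypto ikev2 sa` for the IKE session, and `show ip eigrp neighbors` on both ends; an EIGRP neighbour that never appears on a spoke whose NHRP registration succeeded usually means the hub is missing `ip nhrp map multicast dynamic`.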