GRE tunnel over IPSec does not work

Sergey Prishchepa

Encryption needs to be set up between the two networks. I am trying to solve the task with an IPSec VPN. But there is a problem with EIGRP; in debug I always see:

% CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (Ip) vrf / dest_addr = / 224.0.0.10, src_addr = 10.10.10.14, prot = 88

I set up a GRE tunnel, but the messages remained. Help please. Here are the configs.

R1

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.14
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.14
set transform-set TS_VPN
match address ACL
!
interface Tunnel0
ip address 10.10.10.41 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.14
!
!
interface GigabitEthernet0/0
ip address 10.10.11.11 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.10.11.13
standby 0 priority 150
standby 0 preempt
ip policy route-map INTERNET-MAP
load-interval 30
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.13 255.255.255.252
crypto map MAP_VPN
!
router eigrp 205
network 10.0.38.0 0.0.0.15
network 10.10.11.8 0.0.0.7
network 10.10.10.12 0.0.0.3
!
ip route 0.0.0.0 0.0.0.0 213.130.27.193
!
ip access-list extended ACL
permit ip any any
permit gre any any
permit eigrp any any
permit icmp any any

R2

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.13
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.13
set transform-set TS_VPN
match address ACL
!
interface Tunnel0
ip address 10.10.10.42 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.13
!
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.14 255.255.255.252
crypto map MAP_VPN
!
router eigrp 205
network 10.0.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.10.10.13
!
ip access-list extended ACL
permit ip any any
permit gre any any
permit eigrp any any
permit icmp any any

21 Replies

Thanks, I found a bug in the ACL; now the VPN is up, but EIGRP does not work.

I see on R2:

% CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (Ip) vrf / dest_addr = / 224.0.0.10, src_addr = 10.10.10.14, prot = 88

R1

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.14
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.14
set transform-set TS_VPN
match address ACL
!
!
interface Tunnel0
ip address 10.10.10.41 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.14
!
interface GigabitEthernet0/0
ip address 10.10.11.11 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.10.11.13
standby 0 priority 150
standby 0 preempt
ip policy route-map INTERNET-MAP
load-interval 30
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.13 255.255.255.252
crypto map MAP_VPN
!
!
router eigrp 205
network 10.10.11.8 0.0.0.7
network 10.10.10.12 0.0.0.3
!
ip route 0.0.0.0 0.0.0.0 213.130.27.193 track 3
!
ip access-list extended ACL
permit gre host 10.10.10.13 host 10.10.10.14

R2

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.13
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.13
set transform-set TS_VPN
match address ACL
!
!
interface Tunnel0
ip address 10.10.10.42 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.13
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.14 255.255.255.252
crypto map MAP_VPN
!
!
router eigrp 205
network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
ip access-list extended ACL
permit gre host 10.10.10.14 host 10.10.10.13

Hi Sergey,

It seems that summarization is enabled under your EIGRP process.

Please do the following:

Go under your eigrp 205 and type "no auto"

Regards,

Terence

Now you have to decide how you want to run your routing. There you have two routing domains:

1) public routing

That's where you make sure that your crypto endpoints can reach each other. In your case you need to make sure that 10.10.10.13 can reach 10.10.10.14. As they are directly connected, no extra configuration is needed. But if your endpoints are remote (i.e. reachable over the Internet), then you probably have just a static default route or BGP with your provider. But you never have the same routing process as the inner routing inside your tunnel, because that could give you recursive routing.

2) The tunnel-routing

With that you make sure, that the remote network is reachable through the tunnel. There you can use static routing as well, or you can use dynamic routing.

Your routing-setup is mixed up. On R1 you have EIGRP on the public interface and on the tunnel, on R2 you have EIGRP and static routing on the tunnel.

How to solve that best:

- On R1 enable EIGRP only on the tunnel-interface

- On R2 also enable EIGRP only on the tunnel and remove the static default-route through the tunnel.

Sent from Cisco Technical Support iPad App
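The three mistakes pointed out in this thread (a crypto ACL that permits ip any any, EIGRP running on the crypto-mapped underlay sub-interface, and a static default route through a tunnel that EIGRP also uses) can all be spotted from the config text alone. The following Python linter is an added example and not code from this thread, from Cisco, or from any of the posters: it parses IOS-style configuration with a minimal block-aware parser and reports those three findings. R2's first posted config is embedded as constructed sample input, with the corrected version derived from it; the finding codes, the helper names and the assumption that EIGRP wildcard masks are contiguous are my own.

```python
"""Lint an IOS-style config for the GRE-over-IPsec routing mistakes in this thread."""
import ipaddress

# Constructed sample: R2 as first posted (crypto map on the underlay sub-interface,
# classful EIGRP network covering it, static default via Tunnel0, crypto ACL permit ip any any).
R2_BROKEN = """\
crypto map MAP_VPN 10 ipsec-isakmp
 match address ACL
interface Tunnel0
 ip address 10.10.10.42 255.255.255.252
 tunnel source GigabitEthernet0/0.2
 tunnel destination 10.10.10.13
interface GigabitEthernet0/0.2
 ip address 10.10.10.14 255.255.255.252
 crypto map MAP_VPN
router eigrp 205
 network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip access-list extended ACL
 permit ip any any
 permit gre any any
"""
# Constructed sample: the same router with the three changes the replies recommend.
R2_FIXED = (R2_BROKEN
            .replace(" network 10.0.0.0\n", " passive-interface GigabitEthernet0/0.2\n network 10.0.0.0\n")
            .replace("ip route 0.0.0.0 0.0.0.0 Tunnel0\n", "")
            .replace(" permit ip any any\n permit gre any any\n",
                     " permit gre host 10.10.10.14 host 10.10.10.13\n"))


def eigrp_network(args):
    """'network A.B.C.D [wildcard]' -> ip_network. No wildcard means the classful mask;
    with one we assume a contiguous wildcard (0.0.0.3 -> /30), the usual case."""
    addr = ipaddress.IPv4Address(args[0])
    if len(args) > 1:
        prefix = 32 - int(ipaddress.IPv4Address(args[1])).bit_length()
    else:
        first = int(addr) >> 24
        prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse(config):
    """Block-aware parser for just the statements the checks need (hypothetical helper)."""
    cfg = {"interfaces": {}, "eigrp_networks": [], "passive": set(),
           "static_routes": [], "acls": {}, "crypto_acl": None}
    kind = block = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            kind, block = "if", cfg["interfaces"].setdefault(w[1], {})
        elif w[:2] == ["router", "eigrp"]:
            kind, block = "eigrp", None
        elif w[:3] == ["ip", "access-list", "extended"]:
            kind, block = "acl", cfg["acls"].setdefault(w[3], [])
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            kind, block = "cmap", None
        elif w[:2] == ["ip", "route"]:
            cfg["static_routes"].append(w[2:])           # [dest, mask, next-hop/iface, ...]
        elif kind == "if" and w[:2] == ["ip", "address"]:
            block["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif kind == "if" and w[:2] in (["crypto", "map"], ["tunnel", "source"]):
            block[w[0] + "_" + w[1]] = w[2]               # crypto_map / tunnel_source
        elif kind == "eigrp" and w[0] == "network":
            cfg["eigrp_networks"].append(eigrp_network(w[1:]))
        elif kind == "eigrp" and w[0] == "passive-interface":
            cfg["passive"].add(w[1])
        elif kind == "acl":
            block.append(w)
        elif kind == "cmap" and w[:2] == ["match", "address"]:
            cfg["crypto_acl"] = w[2]
    return cfg


def eigrp_active(cfg, name):
    """True when EIGRP sends hellos on the interface: covered by a network statement, not passive."""
    iface = cfg["interfaces"].get(name, {})
    return ("net" in iface and name not in cfg["passive"]
            and any(iface["net"].ip in net for net in cfg["eigrp_networks"]))


def lint(cfg):
    """(code, message) findings for the mistakes the replies point out."""
    out = []
    if any(e[:4] == ["permit", "ip", "any", "any"] for e in cfg["acls"].get(cfg["crypto_acl"], [])):
        out.append(("BROAD_CRYPTO_ACL", "crypto ACL permits ip any any, so the crypto map claims "
                    "every packet on the interface, cleartext EIGRP hellos included"))
    for name, iface in cfg["interfaces"].items():
        if "crypto_map" in iface and eigrp_active(cfg, name):
            out.append(("EIGRP_ON_CRYPTO_IF", f"EIGRP active on crypto-mapped underlay {name}: "
                        "hellos to 224.0.0.10 leave in the clear and the peer logs "
                        "CRYPTO-4-RECVD_PKT_NOT_IPSEC; make it passive-interface or run EIGRP only on the tunnel"))
    for r in cfg["static_routes"]:
        if r[:2] == ["0.0.0.0", "0.0.0.0"] and "tunnel_source" in cfg["interfaces"].get(r[2], {}) \
                and eigrp_active(cfg, r[2]):
            out.append(("STATIC_DEFAULT_VIA_TUNNEL", f"static default via {r[2]} while EIGRP also "
                        "runs over it: mixed routing domains, let EIGRP carry the routes"))
    return out
```

Running `lint(parse(R2_BROKEN))` returns all three findings in order, and `lint(parse(R2_FIXED))` returns an empty list; feeding it R1's config from the thread would flag only EIGRP on GigabitEthernet0/0.2 until the passive-interface line is added, which matches the sequence of fixes in the replies.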

Thanks, EIGRP works. What should the default route be on R2? But now there is a problem with DHCP relay: hosts do not receive a DHCP address through R2; if we set the static route, everything works.

R1

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.14
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.14
set transform-set TS_VPN
match address ACL
!
!
interface Tunnel0
ip address 10.10.10.41 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.14
!
interface GigabitEthernet0/0
ip address 10.10.11.11 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.10.11.13
standby 0 priority 150
standby 0 preempt
ip policy route-map INTERNET-MAP
load-interval 30
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.13 255.255.255.252
crypto map MAP_VPN
!
!
router eigrp 205
passive-interface GigabitEthernet0/0.2
network 10.10.11.8 0.0.0.7
network 10.10.10.12 0.0.0.3
!
ip route 0.0.0.0 0.0.0.0 213.130.27.193 track 3
!
ip access-list extended ACL
permit gre host 10.10.10.13 host 10.10.10.14

R2

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.13
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.13
set transform-set TS_VPN
match address ACL
!
!
interface Tunnel0
ip address 10.10.10.42 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.13
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.14 255.255.255.252
crypto map MAP_VPN
!
interface GigabitEthernet0/1
ip address 10.10.18.1 255.255.255.0
ip helper-address 10.11.10.2
ip helper-address 10.11.10.3
!
router eigrp 205
passive-interface GigabitEthernet0/0.2
network 10.0.0.0
!
!
ip access-list extended ACL
permit gre host 10.10.10.14 host 10.10.10.13

I don't see a network 10.11.10.x on your R1, so probably it's a remote network? Then you have to make sure that R1 learns that network through EIGRP.

I'm sure.

D        10.11.10.0/24

           [90/28672] via 10.10.11.9, 19:22:13, GigabitEthernet0/0

10.10.11.9 is the ASA; for 10.10.18.0/24 it permits ip any.

If anyone is interested: I finished off the problem. For DHCP relay, the DHCP service must be enabled on the router closest to the customer. Thank you all for your help.