03-31-2006 03:14 AM - edited 03-03-2019 12:15 PM
1) This example explained how routing protocols such as OSPF can't run over IPsec.
2) This example is showing OSPF running over IPsec.
Am I missing something?
03-31-2006 04:36 AM
Yes, you are missing something.
In example 2) OSPF is not running over IPsec. The crypto map is only looking at traffic matched by ACL 101, which is the traffic between the 11.11.11.11 and 22.22.22.22 IPs (the Loopback0s).
</grr_replace>
<gr_replace lines="8-8" cat="clarify" orig="The OSPF">
The OSPF traffic itself is NOT encrypted, therefore it's no problem... :)
The OSPF traffic itself is NOT encrypted, therefore it's no problem... :)
You *can* however run BGP over IPSec if you want to...
Did it help? If so, please rate it.
03-31-2006 06:26 AM
The interior routing protocols like OSPF and EIGRP or RIP use multicast or broadcast addressing for routing protocol traffic. Traditionally IPSec carries only unicast IP traffic. So we have not been able to run routing protocols over IPSec connections. The traditional solution has been to run IPSec with GRE which allows multicast and enables routing protocols. Cisco has introduced an enhancement in very recent code which enables running routing protocols over IPSec without needing GRE. If you are interested in this look for Virtual Tunnel Interface.
As a side note BGP runs over TCP and sends routing protocol traffic as unicast IP to specifically configured neighbors. This is why it has been possible to run BGP over IPSec. There is no dynamic neighbor discovery in BGP. One of the reasons that OSPF and EIGRP use multicast addressing is that it allows them to have dynamic neighbor discovery. And multicast addressing is the reason why they have not traditionally run over IPSec.
HTH
Rick
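Both answers above come down to two things: the crypto-map ACL decides which packets are "interesting" and enter the IPsec tunnel, and classic IPsec (before GRE or VTI) carries only unicast, so multicast OSPF hellos are left out either way. The following is an added illustration, not code from the thread or from Cisco: a small model of crypto-ACL matching in which ACL 101, the loopback addresses, the sample packets and the GRE tunnel endpoints are constructed to mirror the discussion. It shows an OSPF hello bypassing the tunnel in cleartext under ACL 101, a loopback-to-loopback ping being encrypted, a hypothetical ACL that selects raw OSPF hellos still failing because the destination is multicast, and the same hello becoming encryptable once wrapped in a unicast GRE header between the loopbacks.

```python
# Added illustration of crypto-ACL classification; not Cisco's implementation.
# ACL 101, the loopback addresses, the tunnel endpoints and the sample
# packets are constructed to mirror the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

OSPF_PROTO = 89                  # IP protocol number for OSPF
GRE_PROTO = 47                   # IP protocol number for GRE
OSPF_ALL_ROUTERS = "224.0.0.5"   # multicast group OSPF hellos are sent to

# Protocol keywords as they appear in an ACL; "ip" matches any protocol.
PROTO_NAMES = {"ip": None, "ospf": OSPF_PROTO, "gre": GRE_PROTO, "icmp": 1}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None   # set when this is a GRE outer packet


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit ip host A host B'."""
    action: str   # "permit" or "deny"
    proto: str    # key of PROTO_NAMES
    src: str      # CIDR, e.g. "11.11.11.11/32"
    dst: str      # CIDR


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True if the entry's protocol, source and destination all match."""
    wanted = PROTO_NAMES[ace.proto]
    if wanted is not None and pkt.proto != wanted:
        return False
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst))


def crypto_acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def classify(acl: List[Ace], pkt: Packet) -> str:
    """Model of what happens to a packet leaving the crypto-map interface."""
    if not crypto_acl_permits(acl, pkt):
        return "cleartext"               # not interesting: bypasses IPsec
    if ip_address(pkt.dst).is_multicast:
        return "unsupported_multicast"   # plain IPsec carries only unicast here
    return "encrypted"


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Wrap a packet in a unicast GRE header between the tunnel endpoints."""
    return Packet(tunnel_src, tunnel_dst, GRE_PROTO, inner=inner)


# Constructed to mirror the thread: ACL 101 permits only loopback-to-loopback.
ACL_101 = [Ace("permit", "ip", "11.11.11.11/32", "22.22.22.22/32")]
# Constructed (hypothetical) ACL that tries to select raw OSPF hellos.
ACL_OSPF_DIRECT = [Ace("permit", "ospf", "0.0.0.0/0", OSPF_ALL_ROUTERS + "/32")]

# Constructed sample packets: an OSPF hello on the WAN link and a ping
# between the two loopbacks.
OSPF_HELLO = Packet("10.0.0.1", OSPF_ALL_ROUTERS, OSPF_PROTO)
LOOPBACK_PING = Packet("11.11.11.11", "22.22.22.22", PROTO_NAMES["icmp"])


def scenario() -> dict:
    """Outcome of each sample packet under the two ACLs."""
    return {
        "ospf_hello_acl101": classify(ACL_101, OSPF_HELLO),
        "loopback_ping_acl101": classify(ACL_101, LOOPBACK_PING),
        "ospf_hello_direct_acl": classify(ACL_OSPF_DIRECT, OSPF_HELLO),
        "ospf_hello_in_gre_acl101": classify(
            ACL_101, gre_encapsulate(OSPF_HELLO, "11.11.11.11", "22.22.22.22")),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:26s} -> {outcome}")
```

The GRE case is the point of Rick's answer: once the OSPF hello sits inside a unicast GRE packet sourced from one loopback and destined to the other, it is ordinary "permit ip host 11.11.11.11 host 22.22.22.22" traffic and the existing crypto map protects it without any change to ACL 101.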