Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
638
Views
13
Helpful
2
Replies

Routing protocol over IPSEC question.

tin.ngo
Level 1
Level 1

‎03-31-2006 03:14 AM - edited ‎03-03-2019 12:15 PM

1) This example explained how routing protocol such as OSPF can't run over IPSEC.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

2) This example is showing OSPF running over IPSEC.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

Am I missing something?

Labels:
0 Helpful
2 Replies 2

johansens
Level 4
Level 4

‎03-31-2006 04:36 AM

Yes, you are missing something..

In example 2) OSPF is not running over IPSEC.. the crypto map is only looking at traffic matched by ACL 101, which is the traffic between the 11.11.11.11 and 22.22.22.22 IP's (Loopback0's).

The OSPF traffic itself is NOT encrypted, therefore it's no problem... :)

You *can* however run BGP over IPSec if you want to...

Did it help? If so, please rate it.

Richard Burts
Hall of Fame
Hall of Fame
In response to johansens

‎03-31-2006 06:26 AM

The interior routing protocols like OSPF and EIGRP or RIP use multicast or broadcast addressing for routing protocol traffic. Traditionally IPSec carries only unicast IP traffic. So we have not been able to run routing protocols over IPSec connections. The traditional solution has been to run IPSec with GRE which allows multicast and enables routing protocols. Cisco has introduced an enhancement in very recent code which enables running routing protocols over IPSec without needing GRE. If you are interested in this look for Virtual Tunnel Interface.

As a side note BGP runs over TCP and sends routing protocol traffic as unicast IP to specifically configured neighbors. This is why it has been possible to run BGP over IPSec. There is no dynamic neighbor discovery in BGP. One of the reasons that OSPF and EIGRP use multicast addressing is that it allows them to have dynamic neighbor discovery. And multicast addressing is the reason why they have not traditionally run over IPSec.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card