Site-to-site VPN + routing protocol

mohammady
Level 1

I have two routers connected via a leased line, and a site-to-site VPN is implemented on this link. I have also configured EIGRP between the two routers and it is working fine...

My question is: is it possible to configure EIGRP over the IPsec applied on this leased line??? Because what I knew is that for routing protocols GRE must be used??!!!

29 Replies

Thanks for your reply....

No, I'm not using GRE over IPsec, only an IPsec VPN.

But if I want to use GRE over IPsec, could you please answer my questions above?

Can you post your complete config? It would be SO much easier.

--John

HTH, John *** Please rate all useful posts ***

You only need to apply the crypto map on the outside interface.

In your acl, you would permit gre, esp, and udp eq isakmp (500) into your public interface.

You don't need to include your internal network in the acl that's applied on the outside interface. You WILL need to, of course, apply it to the acl to match the traffic in your crypto map though.

--John

HTH, John *** Please rate all useful posts ***

No, because EIGRP will advertise all networks it is aware of to a neighbor. The key thing I am saying is that EIGRP will not run across a VPN tunnel without GRE, but I don't believe EIGRP is running across the VPN tunnel.

Because this is a leased line you can run private addressing across it. So I suspect that the serial interfaces are just forming an EIGRP neighborship - nothing to do with the VPN tunnel. And the routing updates exchanged between these 2 routers do not go down the VPN tunnel at all. You could remove the VPN configuration and you would still get an EIGRP peering.

Of course this is partly guesswork because we still don't know what the serial interfaces addressing is.

Jon

R1:
internal network 10.10.0.0/24
s0/0 192.168.10.1/30

R2:
internal network 10.20.0.0/24
s0/0 192.168.10.2/30

This makes sense now... Jon was right about the leased line and the private IPs. I'm no longer confused...

Thanks Jon.

Then will this configuration cause any problem???

Brent

At the risk of confusing the issue, what I explained only makes sense if the serial interface addressing has a network statement under the EIGRP config.

The partial config supplied by Mohammed only has

router eigrp 1

network 10.0.0.0

so EIGRP should not be running on the serial interfaces.

Mohammed, can you confirm whether you have a network statement for the 192.168.x.x addressing under your EIGRP config?

Also, why are you running a VPN across a leased line - is it for security reasons?

Jon

Can you show us your routing table? Remove any public addresses. I'd be interested in seeing it.

HTH, John *** Please rate all useful posts ***

I totally agree, Jon. My confusion stems from thinking that EIGRP was working over an IPsec L2L VPN tunnel.

I have a clear vision now.

Sorry, the IP address of the serial interface is included under EIGRP:

router eigrp 1

network 10.0.0.0

network 192.168.10.1 0.0.0.0

The VPN is required for security reasons.

Please, John, can you answer my question regarding the configuration of GRE over IPsec:

- Where shall I apply the crypto map?

- Is an access list required??

That would explain why your routes are showing up :-)

You only need to apply the crypto map on the outside interface.

In your acl, you would permit gre, esp, and udp eq isakmp (500) into your public interface.

Since you're on a leased line, you don't need an ACL, but I would think you would want one.

Have you done a sh crypt session to see if you have an SA established with the other side? Your tunnels may not even be up. You could also do a sh crypt isakmp sa to check.

You don't need to include your internal network in the acl that's applied on the outside interface. You WILL need to, of course, apply it to the acl to match the traffic in your crypto map though.

--John

HTH, John *** Please rate all useful posts ***
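As an added example (not from this thread), here is how the GRE-over-IPsec layout John describes could look on R1 using the addresses posted above, with EIGRP peering only inside the tunnel. The tunnel subnet 172.16.1.0/30, the pre-shared key placeholder and the cipher choices are assumptions; R2 mirrors it with the addresses swapped.

```cisco
! R1 side; R2 mirrors it with the addresses swapped. Assumed: tunnel subnet 172.16.1.0/30,
! placeholder PSK, AES/SHA-256 (needs a reasonably recent IOS release).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.168.10.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: the only "interesting traffic" is GRE between the two serial endpoints,
! so every tunnel packet (EIGRP included) is encrypted; 10.x.x.x needs no entry here.
ip access-list extended GRE-TRAFFIC
 permit gre host 192.168.10.1 host 192.168.10.2
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! Inbound ACL on the physical link: IKE, ESP, and GRE (decrypted packets are
! re-checked against this ACL on IOS). Everything else from the line is dropped.
ip access-list extended OUTSIDE-IN
 permit udp host 192.168.10.2 host 192.168.10.1 eq isakmp
 permit esp host 192.168.10.2 host 192.168.10.1
 permit gre host 192.168.10.2 host 192.168.10.1
 deny ip any any log
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.168.10.2
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Crypto map goes on the physical interface, not on Tunnel0.
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! EIGRP peers over Tunnel0 only. Leaving 192.168.10.0/30 out keeps hellos off the
! clear-text link and avoids recursive routing of the tunnel destination.
router eigrp 1
 network 10.10.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
 no auto-summary
```

Check it with `show crypto session` and `show ip eigrp neighbors`: the neighbor should appear on Tunnel0, and the IPsec SA packet counters should climb with every EIGRP hello.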

**So the routing protocol works over the leased line without the VPN, and the traffic that I'm interested in having encrypted will be sent over the IPsec VPN....

**j.blakley, the VPN is up and working; I verified that using the different commands....

**For GRE over IPsec I see some examples on the Cisco site that apply crypto on both the tunnel and the physical interface???

"**So the routing protocol works over the leased line without the VPN, and the traffic that I'm interested in having encrypted will be sent over the IPsec VPN...."

Yes, exactly. But then, if you are securing the data with a VPN tunnel for security reasons, do you need to secure the EIGRP updates as well?

If so, run GRE as suggested by John. If not, you can either

1) run EIGRP as it is now

2) not run EIGRP at all, i.e. remove the 192.168.x.x network statement from under the router eigrp config.

Note that you don't need a route for the interesting traffic of your VPN so if this is all that is going down the leased line you may not need a dynamic routing protocol.

Jon

You need to apply the crypto map on your serial interface. The tunnel interfaces are virtual.

--John

HTH, John *** Please rate all useful posts ***