
Dynamic Routing protocol over IPsec?

vsbastien
Community Member

Hi,

I am going to implement IPsec between 2 Cisco routers. I'll use IPsec ESP with tunnel, and I want to run OSPF between the 2 routers over the IPsec tunnel.

One of my colleagues told me that this is possible, the IPsec tunnel doesn't support dynamic routing protocols, he told me that I have to use static routing. Is that right?

Thanks for your help,

Sebastien

3 Replies

vsbastien
Community Member

The question was:

When running IPSec in tunnel mode, are dynamic routing protocols supported across the 'tunnelled' link?

Answer:

Most routing protocols require multicast/broadcast for routing updates, and since IPsec can only encrypt unicast traffic, this typically will not work. The workaround is to run GRE tunnels over transport mode IPsec and run the routing protocol on the tunnel interfaces.

joels
Community Member

You won't have to use static routes; you can create a GRE tunnel between the two routers and then run a dynamic protocol down that as well as your IPSec. I have done this, it works fine for IP & IPX too.
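
The GRE-over-transport-mode-IPsec workaround described in the two replies above, written out as an added example; it is not configuration posted by anyone in this thread. It uses the `tunnel protection` form found on current IOS releases. All addresses, names, and the key are assumptions: 203.0.113.x stands in for the routers' public addresses, 10.255.0.0/30 for the tunnel subnet, 192.168.1.0/24 for the LAN behind R1, and `REPLACE_WITH_PSK` is a placeholder.

```cisco
! R1 side only (constructed example). R2 mirrors it with the addresses swapped.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.2
!
! Transport mode: GRE already supplies the outer IP header between the two
! endpoints, so ESP only has to protect the GRE payload.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set TS-GRE
!
! ip mtu leaves room for GRE + ESP overhead. Set the same value on both ends:
! OSPF compares interface MTU during database exchange and the adjacency
! stalls on a mismatch.
interface Tunnel0
 description GRE over IPsec to R2
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROTECT
!
! OSPF hellos (multicast 224.0.0.5) are sent on Tunnel0, wrapped by GRE into
! unicast packets between 203.0.113.1 and 203.0.113.2, and only then encrypted.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

Once both routers are configured, `show ip ospf neighbor` should list the peer on Tunnel0 and `show crypto ipsec sa` should show the encaps/decaps counters increasing. If the neighbor is up but those counters stay at zero, the GRE traffic is not being protected.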

rbharania
Community Member

Looks like you've got your answer already, so this is mostly extraneous. The question that I had was why you were doing this? If it's just routing authentication you're trying to do, remember that OSPF does do peer router authentication using the keyed MD5 one-way hash.

(You said ESP and tunnel, but never mentioned any cryptography, which is why I had the question)

-Rakesh