Problem routing over links with IPsec enabled and EIGRP as routing protocol

dshettigar
Level 1

Hi All,

I am trying to implement a site-to-multisite WAN setup (hub & spoke in each region, 5 regions in total, each region having at least 25 remote locations, all regions interconnected). I have enabled EIGRP as the routing protocol for exchanging routing information. I am testing IPsec over the links. I have enabled a dynamic crypto map on one regional HUB router (to avoid static peering with each remote router at the central router). I have configured the LAN networks of each regional location in that region as the encryption domain (access-list) on the HUB router. At the remote end, the regional routers have IPsec configured with a static crypto map peering with the loopback of the regional HUB router. At the remote end, any traffic originating from the local LAN is defined to get encrypted using an access-list. The crypto map source at all remote routers is their loopback address. Similarly, the crypto map source at the HUB router is also the configured loopback address. Crypto maps are applied at either end to the serial interface connecting the link between HUB and spoke. Maps are also applied to the loopback interface.

Now the problem that I am facing is that I am able to communicate (extended ping with the LAN IP as source) from the remote end router's LAN (spoke router) to the HUB router's LAN. I can see traffic getting encrypted using sh crypto ipsec sa. But when I try to ping one remote end router's LAN IP from another router in the same region (using extended ping and taking the router's Ethernet IP as source), I am unable to do so, i.e. communication from LAN to LAN within the same region is not happening. All remote end routers peer only with the central HUB router in that region, and LAN-to-LAN routing happens via the central router and EIGRP. This is the problem that I am facing. Can someone suggest a solution for this, or a workaround?

Thanks,

Nilesh.

2 Replies

paqiu
Level 1

Hi,

If you use a GRE tunnel with IPsec to pass the EIGRP routing protocol through, it will make your network design simpler. At least the match address access-list will be much, much easier to configure, and it is the recommended design for multiple regions and sites:

http://www.cisco.com/warp/customer/707/ipsec_gre.shtml

Best Regards,

Hi,

I tried configuring the setup with tunnels as mentioned in the document. I can see the routing updates from the tunnel and traffic moving out via the tunnel. But I am still unable to ping from one remote peer in a region to another remote peer in the same region via the central regional router. I am able to ping the LAN IP of the central router from all the remote routers and vice versa, but it doesn't show any packets getting encrypted/decrypted through the tunnel using "sh crypto ipsec sa int tu 0" as per the document.

Is there any standard config available for such hub & spoke scenarios where we need to reach from one remote site to another remote site without actually statically peering with it?

Regards,

Nilesh.
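Added example, not from the original thread or the linked Cisco document: a minimal GRE-over-IPsec hub/spoke fragment in Cisco IOS syntax with EIGRP running over the tunnels, using an IPsec profile with `tunnel protection` instead of the crypto-map method the linked document describes. All addresses, names and the pre-shared key are constructed placeholders; it assumes an IOS release that supports `crypto ipsec profile` and `tunnel protection`, and that the loopbacks are already reachable across the serial links.

```cisco
! ---- Hub router (constructed example; all values are placeholders) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! one key per spoke, bound to that spoke's loopback (the IKE peer address)
crypto isakmp key SPOKE11-PSK-PLACEHOLDER address 10.0.0.11
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-GRE
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! one point-to-point tunnel per spoke; repeat as Tunnel12, Tunnel13, ... for the rest
interface Tunnel11
 ip address 172.16.11.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.11
 tunnel protection ipsec profile GRE-PROT
!
! EIGRP runs over the tunnel subnets, so every spoke LAN is learned via the hub
router eigrp 100
 network 172.16.0.0 0.0.255.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! ---- Spoke 11 (same isakmp policy, transform-set and profile as the hub) ----
crypto isakmp key SPOKE11-PSK-PLACEHOLDER address 10.0.0.1
!
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
interface Tunnel0
 ip address 172.16.11.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 172.16.11.0 0.0.0.3
 network 192.168.11.0 0.0.0.255
 no auto-summary
```

Because the IPsec SA protects the GRE tunnel itself rather than an inner-address access-list, a spoke-to-spoke flow relayed through the hub is encrypted on both tunnel legs without listing every LAN pair; confirm with `show crypto ipsec sa` and `show ip eigrp neighbors` on the hub.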
