364 Views | 0 Helpful | 3 Replies

RIP V2 Over IPSEC

gokulharindran
Level 1

Router A - Cisco ISR4331
Router B - Cisco 1941

Router A and Router B are connected. They have an IPsec tunnel between them for encrypting the LAN traffic, and WAN traffic will be passed over the link without encryption. Between these routers I have enabled RIP v2, but it seems the v2 updates are not received at either end.

Router A

router rip
version 2
redistribute connected
network 192.168.118.0
default-information originate

interface GigabitEthernet0/0/0.95
description test_router
encapsulation dot1Q 95
ip address 192.168.118.141 255.255.255.252
ip rip send version 2
crypto map IPSEC-PM-Test
end

crypto map IPSEC-PM-Test 10 ipsec-isakmp
set peer 192.168.118.142
set transform-set PetroMasla
set isakmp-profile PM-Test
match address PM_TEST-all

ip access-list extended PM_TEST-all
permit udp any any eq rip
permit ip 10.53.16.0 0.0.0.255 object-group RFC-1918
permit ip object-group RFC-1918 10.53.16.0 0.0.0.255

*********************************************************************************************
Router B

crypto map IPSEC-PM-Test 10 ipsec-isakmp
set peer 192.168.118.141
set transform-set ABC
set isakmp-profile PM-Test
match address PM-all

interface GigabitEthernet0/1
ip address 192.168.118.142 255.255.255.252
ip rip send version 2
ip rip receive version 2
duplex auto
speed auto
crypto map IPSEC-PM-Test
!
!
router rip
version 2
passive-interface GigabitEthernet0/0
network 10.0.0.0
network 91.0.0.0
network 192.168.118.0
no auto-summary
!

ip access-list extended PM-all
permit udp any any eq rip
permit ip 10.53.16.0 0.0.0.255 object-group RFC-1918
permit ip object-group RFC-1918 10.53.16.0 0.0.0.255

*********************************************************************************************

Note: the tunnel is working fine. When we remove the command "permit udp any any eq rip",
the RIP updates are learned by both routers without any encryption.

3 Replies

@gokulharindran use a route based VPN (FlexVPN/DMVPN), which supports dynamic routing protocols over the tunnel interface, not a policy based VPN with a crypto map, as you are currently using.

Hi @Rob Ingram ,
Thank you for your suggestion, but does this mean RIP isn't supported in my scenario? I am not sure, but the client doesn't want any additional subinterface or tunnel interface. They want the entire traffic to go through this outbound interface, but with encryption for management and corporate traffic and without encrypting the internet traffic.

Thank you in advance

@gokulharindran the exchange of dynamic routing information (which includes RIP) is not supported in policy-based VPNs. Perhaps use Reverse Route Injection (RRI) to advertise the remote VPN networks to the local LAN (on both sides). https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-rev-rte-inject-0.html?bookSearch=true

FYI, crypto maps have been deprecated in newer IOS-XE versions; a route-based VPN is the preferred solution.
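To make the RRI suggestion concrete, here is an added illustration written for this thread; it is not the original poster's production config and not taken from Cisco's documentation. It keeps the 192.168.118.140/30 WAN link and the crypto map, transform-set and ISAKMP profile names from the post, but assumes a hypothetical LAN of 10.53.16.0/24 behind Router A and 10.53.20.0/24 behind Router B (placeholder prefixes), and replaces the RFC-1918 object-group entries with explicit mirrored prefixes so that RRI injects only the remote LAN rather than whole RFC-1918 blocks. The offending RIP line is left out of the crypto ACL and RIP is confined to the LAN side, where it simply redistributes the RRI static route.

```cisco
! --- Router A (hypothetical lab rendering, not the thread's production config) ---
!
! Crypto ACL: only the LAN-to-LAN flow is protected.
! "permit udp any any eq rip" is deliberately absent: it pulled the
! 224.0.0.9 RIP multicasts into the policy-based tunnel, where a crypto map
! has no way to deliver them, so neither router ever saw the other's updates.
ip access-list extended PM_TEST-all
 permit ip 10.53.16.0 0.0.0.255 10.53.20.0 0.0.0.255
!
crypto map IPSEC-PM-Test 10 ipsec-isakmp
 set peer 192.168.118.142
 set transform-set PetroMasla
 set isakmp-profile PM-Test
 match address PM_TEST-all
 ! RRI: install a static route for the remote prefix named in the crypto ACL
 ! (10.53.20.0/24) with the peer 192.168.118.142 as next hop.
 reverse-route
!
interface GigabitEthernet0/0/0.95
 description WAN to Router B (plain-text link, IPsec for the LAN flow only)
 encapsulation dot1Q 95
 ip address 192.168.118.141 255.255.255.252
 crypto map IPSEC-PM-Test
!
! RIP now runs only towards the LAN (assumed 10.53.16.0/24, placeholder)
! and advertises the RRI static route instead of peering across the WAN.
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 passive-interface GigabitEthernet0/0/0.95
 redistribute static metric 1
!
! --- Router B mirrors the same idea with source and destination swapped ---
ip access-list extended PM-all
 permit ip 10.53.20.0 0.0.0.255 10.53.16.0 0.0.0.255
!
crypto map IPSEC-PM-Test 10 ipsec-isakmp
 set peer 192.168.118.141
 set transform-set ABC
 set isakmp-profile PM-Test
 match address PM-all
 reverse-route
!
interface GigabitEthernet0/1
 description WAN to Router A
 ip address 192.168.118.142 255.255.255.252
 crypto map IPSEC-PM-Test
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 passive-interface GigabitEthernet0/1
 redistribute static metric 1
```

To check it, `show ip route static` on each router should list the remote LAN prefix with the peer's WAN address as next hop, and `show ip route rip` on a downstream LAN router should show that prefix learned via RIP. If the crypto ACL is left with `object-group RFC-1918` destinations, expect RRI to inject a static route for each RFC-1918 block matched by the ACL, which is why the example narrows the entries to the two LAN prefixes.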