IPsec, GNS3 and CCP

Hello.

I am configuring a VPN IPsec tunnel between two routers in GNS3 via Cisco Config teacher for my studies.

I already did some research. While they inspected tutorials, rip, ospf or eigrp is always configured first between routers before proceeding with the configuration of IKE phase 1 and phase 2. The link below is an example.

http://commonerrors.blogspot.com/2011/09/site-to-site-VPN-CLI-configuration-on.html

I watched the video of Keith Barker of CBT for "IPsec Site to Site VPN" and noticed that it did not need to configure routing between two sites.

He used Cisco CP for the entire configuration which crossed directly in IKE ph1 and ph2 configs and no routing was involved.

This is the topology.

Is it really necessary to configure routing first?

How can I emulate the internet connection between R1 and R2 using GNS3?

Thanks in advance.

They don't necessarily need to know routes of eachother, but these networks are to be sent to the WAN interface, either through a default route or the more specific routes. When traffic goes out one interface with a card encryption applied, it will then match the interesting traffic and encrypting through the tunnel.

Hope that clarifies things.

Kind regards

Mike

Tags: Cisco Security

Similar Questions

XCP and CCP Master add-on for NI VeriStand feedback.

Please use this thread for questions and comments on XCP and CCP Master add-on for NI VeriStand.

Termination of IPSEC Services and anonymous logon

Ending IPSEC Services

, I receive the following event in the log to start. I also have a message of success for a logon by ANONYMOUS. I realize that this account peut be an issue of access network system using the (intentionally by MS?) Scary ID of ANONYMOUS but I am concerned about the fact that it could be something nasty.

Details

Product: Windows Operating System

ID: 7023

Source: Service Control Manager

Version: 5.2

Symbolic name: EVENT_SERVICE_EXIT_FAILED

Message: The %1 service is stopped with the following error:

%2

Explanation

The specified service has stopped unexpectedly with the error specified in the message. The service closed safely.

User action

To fix the error:

Check the error information displayed in the message.

To view error WIN32_EXIT_CODE SCM met, at the command prompt, type

SC query service name

The displayed information can help you troubleshoot the possible causes of the error.

I tried every combo of syntax, that I can think of, but I can't this query to run.

I got up and down from behind firewall router firewall protection more live Superantispyware more live Winpatrol and regularly scan with Malwarebytes and Microsoft Security Essentials. Secunia PSI keep an eye on the status of my programs. In this case, I ran additional full scans with all that I have more than 3 online scanners known. All say CLEAN but I still get these messages. BTW account 'Guest' is disabled.

Any help please?

Hello

Have you made changes on the computer before this problem?

The following articles could be useful.
IPSec tools and settings
http://TechNet.Microsoft.com/en-us/library/cc738298%28WS.10%29.aspx
IPSec troubleshooting tools
http://TechNet.Microsoft.com/en-us/library/cc784300%28WS.10%29.aspx

IPsec site2sitevpn and DMVPN on a single WAN port

Hi Experts,

can you please it is possible to use IPsec site2sitevpn and DMVPN on WAN port unique until I apply the two vpn on a single wan link connection please give your comments it's ok or not.

Thanks in advance,

ciscolearner

Hello

Yes you can, there is no conflict. I just tested and confirmed in a laboratory.

Kind regards

Tim

Please don't forget to rate helpful messages and mark the answers accurate.

IPsec vpn and Anyconnect is denied by the ACL (unknown)

I am trying to configure IPsec VPN and I used the wizard of asdm (asdm version 8.4, ASA version 8.4). At the moment he is not in production and is in a test environment. Whenever I try to VPN in I get an error on the asdm syslog saying "TCP access denied by ACL from x.x.x.122 to outside:x.x.x.225/443. So I allowed all VPN traffic to this IP address that is currently the IP address as the external interface. My acl is as follows:

outside_in list extended access permit tcp any interface outside eq https

outside_in list extended access permit tcp any host x.x.x.225 eq https

Access-group outside_in in external interface

Yet, I still get the same exact error. The strange thing about this error is that it does not give me the specific ACL that denies access. There is no other access lists that could possibly block this traffic.

No idea what could be the cause this problem because I am confused.

So far, if you have configured following does not require an acl.
```
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#svc enable
You can post configuration here someone can have a look on that.
Thanks
Ajay
```

DMVPN/IPSEC, GRE and IPSEC Multi Point

Hi all

I have a project of construction of 50 locations connectivity to my data center 2. Each location has Internet with router 877 with image dry.

my DC has 1900 router. Now I want what tunnel I go with. DMVPN IPSEC or IPSEC GRE.

The data will come from DC locations only. No inter connections location. I want to know the pros and cons as well as any change of required equipment.

Kind regards

Satya.M

Given your criteria, I would say THAT DMVPN would be best suited

Cisco - Configuration dynamic Multipoint Virtual Private Networks DMVPN

Implementation in DMVPN GDOI

Pete

Simple IOS VPN IPsec HUB and Spoke failover HUB

Hi all

I have a nd architecture VPN Hub spoke with Asit, IKEv1 and IPsec.

My hub is connected to a single service provider.

I wish I had a hardware redundancy for my hub.

Instead of creating a double tunnel in each Department, I would like to use my router 4000ISR failover protocol.

Is it possible to simply achieve?

If I use IOS IPsec failover that I need to deploy my changes on the two router or (such as ASA) I can set the active router and allow the watch to receive the chenges?

Thanks to you all.

Johnny

If your ISP connection is one that has a routed block and you can connect two routers same in it, you can then configure HSRP.

The source of the Tunnel becomes the HSRP address. Rays may not know that there are two routers.

Easy failover.

Alternatively, you can have a single tunnel with hubs double (if you do not use HSRP). You don't have to borrow the double tunnels.

IPSec tunnel and NetFlow packets

I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

Thank you.

Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.

Protection of IPSEC Tunnel and tunnel QOS shaping does no formatting.

I have an implosion of the little brain as to why it won't work.

I tried the QOS policy on tunnel interfaces and the ATM interface. No formatting occurs. Interfaces to transmit at their leisure.

Please can someone have a better day me to tell me what I am doing wrong?

Here is the config relevant (and standard). without the political order applied anywhere. Any help appreciated.

---------------------------------------------------------------------------------

class-map correspondence-everything APPSERVEURS
match the name of group-access TERMINALSERVERS
class-map correspondence-any VOICE
sip protocol game
match Protocol rtp
match dscp ef
!
!
Policy-map QOSPOLICY
class VOICE
priority 100
class APPSERVEURS
33% of bandwidth
class class by default
Fair/salon-tail 16
Policy-map of TUNNEL
class class by default
form average 350000
QOSPOLICY service-policy
!
!
interface Tunnel0
bandwidth 350
IP 172.20.58.2 255.255.255.0
IP mtu 1420
load-interval 30
QoS before filing
source of Dialer0 tunnel
destination tunnel X.X.X.X
ipv4 ipsec tunnel mode
tunnel path-mtu-discovery
Tunnel IPSECPROFILE ipsec protection profile
!
Tunnel1 interface
bandwidth 350
IP 172.21.58.2 255.255.255.0
IP mtu 1420
load-interval 30
delay 58000
QoS before filing
source of Dialer0 tunnel
destination tunnel Y.Y.Y.Y
ipv4 ipsec tunnel mode
tunnel path-mtu-discovery
Tunnel IPSECPROFILE ipsec protection profile
!
!
ATM0/0/0 interface
no ip address
load-interval 30
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 0/38
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Dialer0
bandwidth 400
the negotiated IP address

---------------------------------------------------------------------------------------------------------

Thank you

Paul

Paul,

One of the reasons could be because of the VTI overload.

That being said I don't know which is the way to go with your QoS:

https://Tools.Cisco.com/bugsearch/bug/CSCsz63683/?reffering_site=dumpcr

My suggestion: give it a try with 15.2 M/T and prosecute TAC with discount people rather than VPN QoS ;-)

M.

communications between IPSec VPN and AnyConnect SSLVPN

Hi all

I have 2 ASAs and interconnected with ipsec VPN.

one of the ASA has SSLVPN users to access intranet resources.

but do not know how to get inside the network on an another ASA

my network architecture is less to:

192.168.1.0/24---ASA1---Internet---ASA2---172.24.0.0/16

SSLVPN use 192.168.55.0/24 ip on the external interface

L2L IPSec VPN is established between ASA1 and ASA2

192.168.1.x could access 172.24.0.0/16 via NATing to of ASA2 inside the ip interface

But now I want 192.168.55.0/24 access 172.24.0.0/16, some set up but does not work...

Are there any suggestions?

Thank you very much

Hi the split tunnel, you add with the ASA2 network should allow vpn clients send the traffic through the tunnel when they want to reach the remote subnet.

Can add you this too

nonat_outside ip access list allow

NAT (outside) 0-list of access nonat_outside

Also in the config you have not added the crypto to ASA1 acl entry. who is 192.168.55.0 to 172.24.0.0

See if that helps

IPSec tunnel and join a LAN router

I have to tunnel MikroTik IPSec Cisco ASA.

Cisco WAN: xxx.xxx.xxx.xxx

Cisco LAN: 172.27.0.0/20

MikroTik WAN: .yyy

MikroTik LAN: 172.27.128.0/20

This acts to Cisco configuration:

access extensive list ip 172.27.0.0 acl_encrypt allow 255.255.240.0 172.27.128.0 255.255.240.0

access extensive list ip 172.27.0.0 acl_no_nat_inside allow 255.255.240.0 172.27.128.0 255.255.240.0

NAT-control
Global 1 interface (outside)
NAT (inside) 0-list of access acl_no_nat_inside
NAT (inside) 1 0.0.0.0 0.0.0.0

Crypto ipsec transform-set esp-aes-256 ts_esp_aes_256_sha, esp-sha-hmac

card crypto cm_outside 10 correspondence address acl_encrypt
card crypto cm_outside pfs set 10 group5
card crypto cm_outside 10 peers set.yyy
card crypto cm_outside 10 transform-set ts_esp_aes_256_sha
3600 seconds, duration of life card crypto cm_outside 10 set - the security association
card crypto cm_outside 10 set security-association life 1048576 kilobytes

cm_outside interface card crypto outside

crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 3600

tunnel - group.yyy type ipsec-l2l
tunnel - group.yyy ipsec-attributes
pre-shared-key *.

Tunnel works fine, when I try to ping from a PC behind Cisco to another PC behind MikroTik.

(e.g. 172.27.1.1 to 172.27.129.1), it works fine (except the first two lost packages which is OK
due to the delay of its ISAKMP/IPsec negotiation).

But I need to be able to access a PC behind Cisco's MikroTik.

If I try for example

ping 172.27.129.1

Cisco, all packets are lost.

I guess that Cisco does not use its LAN interface but the WAN interface.

What can I do to make it work?

Not sure why you want to do.

Yes, ASA use the IP address on the outgoing interface as source IP address. So when you ping the remote of the SAA, it will WAN IP.

You can add the following entry in your ACL to see if it works

access-list allowed acl_encrypt ip xxx.xxx.xxx.xxx host 172.27.129.1

Make the changes to the ACL on the remote site as well.

You may or may not add a NAT 0 as well. I don't know because this traffic is started from ASA itself. You can check the log to see what's happening and then make the decision.

client ipSec VPN and NAT on the router Cisco = FAIL

I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client. The same router is NAT.

ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.

Suggestions?

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group myclient

key password!

DNS 1.1.1.1

Domain name

pool myVPN

ACL 111

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

market arriere-route

!

!
list of card crypto clientmap client VPN - AAA authentication
card crypto clientmap AAA - VPN isakmp authorization list
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!

interface Loopback0
IP 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
/ / DESC it's external interface

IP 192.168.168.5 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
clientmap card crypto
!
interface GigabitEthernet0/1

/ / DESC it comes from inside interface
10.0.1.10 IP address 255.255.255.0
IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">
IP virtual-reassembly
the route cache same-interface IP
automatic duplex
automatic speed
media type rj45

!

IP local pool myVPN 10.88.0.2 10.88.0.10

p route 0.0.0.0 0.0.0.0 192.168.168.1
IP route 10.0.0.0 255.255.0.0 10.0.1.4
!

IP nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

Hello

I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool

For example, to do this kind of configuration, ACL and NAT

Note access-list 100 NAT0 customer VPN

access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255

Note access-list 100 default PAT for Internet traffic

access-list 100 permit ip 10.0.1.0 0.0.0.255 ay

overload of IP nat inside source list 100 interface GigabitEthernet0/0

EDIT: seem to actually you could have more than 10 networks behind the router

Then you could modify the ACL on this

Note access-list 100 NAT0 customer VPN

access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255

Note access-list 100 default PAT for Internet traffic

access-list 100 permit ip 10.0.1.0 0.0.255.255 ay

Don't forget to mark the answers correct/replys and/or useful answers to rate

-Jouni

IPSEC tunnel and Routing Support protocols

Hello world

I read that IPSEC does not support routing with VPN's Site to the other protocols because both are Layer4.

This means that if Site A must reach the B Site over a WAN link, we use static IP on the Site A and Site B router?

In my lab at home I config Site to Site VPN systems and they work correctly using OSPF does that mean that IPSEC supports the routing protocol?

IF someone can explain this please?

OSPF config one side

router ospf 1

3.4.4.4 router ID

Log-adjacency-changes

area 10-link virtual 10.4.4.1

passive-interface Vlan10

passive-interface Vlan20

3.4.4.4 to network 0.0.0.0 area 0

network 192.168.4.0 0.0.0.255 area 10

network 192.168.5.0 0.0.0.255 area 0

network 192.168.10.0 0.0.0.255 area 0

network 192.168.20.0 0.0.0.255 area 0

network 192.168.30.0 0.0.0.255 area 0

network 192.168.98.0 0.0.0.255 area 0

network 192.168.99.0 0.0.0.255 area 0

3550SMIA #sh ip route

Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2

i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

-IS inter area, * - candidate failure, U - static route by user

o - ODR, P - periodic downloaded route static

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

192.168.12.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

100.0.0.0/32 is divided into subnets, subnets 1

O 100.100.100.100 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

3.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks

O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

C 3.4.4.0/24 is directly connected, Loopback0

C 192.168.30.0/24 is directly connected, Vlan30

64.0.0.0/32 is divided into subnets, subnets 1

O E2 64.59.135.150 [110/300] through 192.168.5.3, 1d09h, FastEthernet0/11

4.0.0.0/32 is divided into subnets, subnets 1

O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

C 192.168.10.0/24 is directly connected, Vlan10

172.31.0.0/24 is divided into subnets, 4 subnets

O E2 172.31.3.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

O E2 172.31.2.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

O E2 172.31.1.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

O E2 172.31.0.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

O 192.168.11.0/24 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8

C 192.168.99.0/24 is directly connected, FastEthernet0/8

192.168.20.0/24 C is directly connected, Vlan20

192.168.5.0/31 is divided into subnets, subnets 1

C 192.168.5.2 is directly connected, FastEthernet0/11

C 10.0.0.0/8 is directly connected, Tunnel0

192.168.6.0/31 is divided into subnets, subnets 1

O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

192.168.1.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

O * E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11

B side Config

Side A

router ospf 1

Log-adjacency-changes

network 192.168.97.0 0.0.0.255 area 0

network 192.168.98.0 0.0.0.255 area 0

network 192.168.99.0 0.0.0.255 area 0

1811w # sh ip route

Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2

i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

-IS inter area, * - candidate failure, U - static route by user

o - ODR, P - periodic downloaded route static

Gateway of last resort is 192.168.99.2 to network 0.0.0.0

192.168.12.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

100.0.0.0/32 is divided into subnets, subnets 1

O 100.100.100.100 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

3.0.0.0/32 is divided into subnets, 2 subnets

O 3.3.3.3 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

64.0.0.0/32 is divided into subnets, subnets 1

O E2 64.59.135.150 [110/300] through 192.168.99.2, 1d09h, FastEthernet0

4.0.0.0/32 is divided into subnets, subnets 1

O 4.4.4.4 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

172.31.0.0/24 is divided into subnets, 4 subnets

O E2 172.31.3.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

O E2 172.31.2.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

O E2 172.31.1.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

O E2 172.31.0.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

O 192.168.11.0/24 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

C 192.168.98.0/24 is directly connected, BVI98

C 192.168.99.0/24 is directly connected, FastEthernet0

O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

192.168.5.0/31 is divided into subnets, subnets 1

O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

192.168.6.0/31 is divided into subnets, subnets 1

O 192.168.6.2 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

192.168.1.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

O * E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0

Thank you

Mahesh

Mahesh.

Indeed, solution based purely crypto-card are not compatible with a routing protocol. Crypto card however is the legacy config we support on IOS. The best practice is to use the protection of tunnel. Any routing protocol would work then.

for example

https://learningnetwork.Cisco.com/docs/doc-2457

It's the best solution we currenty have

The IPSec VPN and routing

Hello

I was polishing my PSAB on since I am currently in a job where I can't touch a lot of this stuff. By a laboratory set up a site to IPSec VPN between two routers IOS.

For example:

https://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

The routers must specify how to route to the protected network. Although I guess they could just use a default route to 172.17.1.2 as well.

for example IP road 10.10.10.0 255.255.255.0 172.17.1.2

172.17.1.2 won't have the slightest clue as to how to route for 10.10.10.0

Even in an example with a tunnel between the ASA and the router IOS ASA failed to indicate a direct route to the subnet protected from 10.20.10.0, but it must still have a default route configuration. (https://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI)

So it is basically saying, to reach the protected subnet to resolve the next hop on a device that has no idea where this subnet is anyway. Shouldn't all the peer IP-based routing, and not on a subnet that routers between the two should have no idea they exist?

The main hypothesis that I have here is that the protected subnets are not accessible unless the VPN tunnel is up. Most of my experience of the VPN site-to-site is with PIX / ASA, and I've never had to specify a route towards the protected subnet (for example 172.16.228.0). I guess he just used his default gateway that has an Internet IP belonging to the ISP. However the ISP has no idea where is 172.16.228.0.

Edit: I found a thread, do not report with Cisco but IPSec in general, this seems to be the question in case I don't have a lot of sense:

http://comments.Gmane.org/Gmane.OS.OpenBSD.misc/192986

He still does not seem logical to me. If I have a tunnel linking the two class C networks by internet, the only routers having knowledge of these networks are the two counterparts. Why a course should be (static, dynamic, default etc,) which seems to send traffic to a device that do not know where is the class C networks? Although I have to take in my example with the 172.17.228.0 my ASA was not actually sends out packets to my ISP gateway with 172.17.228.0 in them.

The purpose of the trail is * not * to send traffic to your next jump. You are right that the next hop router has no idea what to do with this package. This way is important for the local operation. The router must find the interface of output for the package. 'S done it with the road to the next-hop-router. If you remember that the road to your peer IPSec, your router must do a recursive search routing. After the outging interface is found, traffic is sent to this interface, the card encryption on this interface jumps and protects your traffic that is routed to your IPSec peer.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

A Site at IOS IPSEC VPN and EIGRP

Hello

I have a connection of remote site to base via a VPN IPSEC router. I don't want to run EIGRP accoss VPN. Howerver I want adverstise the rest of the network from the router of core of the subnet to the remote site.

The remote VPN subnet is managed as a route connected on the router base?

Configuriguring a statement of network to the remote site on the router base will cause EIGRP announce the road?

You are right.

RRI (reverse Route Injection) is the correct way to announce remote routes as static routes on the HUB, and all what you need to do is redistribute static in EIGRP, so she is redistributed in your EIGRP.

Here is an example configuration:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809d07de.shtml

(It's about OSPF and IPSec VPN dynamics, however, the concept is the same for ipsec site-to-site and redistribution in EIGRP)

Hope that helps.

IPsec, GNS3 and CCP

Similar Questions

Maybe you are looking for