04-08-2019 05:15 PM
Hello everyone, how are you going?
I need some guidance and mentoring. Cisco beginner here. The class has changed professor; the old one was using the CORE Emulator. Now we are using Eve-NG. I am kind of liking the Cisco world because there is material and tutorials online, and it is fun too. With the CORE Emulator it was more hardcore, but it was fun too.
I'm doing a class where we need to do the following, under this context:
We have four offices, one office is the Main office and the three others are Branch Offices. And in between we have the ISP.
I'm configuring the ISP to use RIP v2 for simplicity. For the offices we will use OSPF and OSPFv3.
But the ISP doesn't need to/shouldn't have to know our OSPF routes. The Main Office is the Backbone Area 0, and the other three offices are Areas 10, 20 and 30.
So I was planning to announce the OSPF routes inside IPSec. But I am struggling so hard to understand and implement it.
So, how do I implement OSPF announcements inside IPSec tunnels? Do I have to create a Tunnel interface, and then do what? I've created some labs to try to implement it, but in terms of theory, I am not understanding.
Thanks in advance!
04-13-2019 10:33 AM
There are several things I would like to comment on for this post:
- if the objective is to send OSPF advertisements from HQ to Branch Office without the ISP being aware of the OSPF routing then the simple solution would be to configure a GRE tunnel from HQ to each branch. There is no need for IPSEC for this.
- the original post describes HQ as being Backbone area 0 and the Branches as being area 10, 20, and 30. This is a typical way to describe them but it is not really an accurate way to think of them. A router does not belong to an area, but the router interface is what belongs to an area. Certainly HQ will have some LAN(s) that belong to area 0. And Branch 10 will have some LAN(s) that belong to area 10. Which of the routers will act as the Area Border Router? This is determined by which area the tunnel connecting them belongs to. If the tunnel belongs to area 0 then Branch 10 is the ABR and it will have interfaces in area 10 and an interface in area 0 while HQ has interfaces only in area 0. If the tunnel belongs to area 10 then HQ is the ABR and it will have interfaces in area 0 and area 10, while Branch 10 has interfaces only in area 10.
- If there is a need for encrypting the traffic between HQ and Branches then we need to consider configuring IPSEC to run between HQ and Branches. Traditional IPSEC is configured using a crypto map assigned to the interfaces used between HQ and the Branches. The crypto map uses an ACL to identify the traffic to be encrypted. Traditional IPSEC was for unicast IP traffic and as such cannot run OSPF between HQ and Branches.
- to support OSPF between HQ and Branches with encryption we must combine IPSEC with a tunnel interface. The traditional approach was to configure a GRE tunnel and to use IPSEC to encrypt that traffic. A more recent approach was to configure a VTI tunnel. The advantage of the VTI tunnel is that while the GRE tunnel with encryption does require the crypto map, the VTI tunnel does not require a crypto map and so is easier to configure.
HTH
Rick
04-08-2019 11:32 PM
Hi there,
On the outside interface of all your offices (branch and main) configure an IPSec crypto map such that each branch site is connected back to the main office via an IPSec tunnel.
Then you will need to create a tunnel interface on each branch router and have it peer back to the main office (the main office router will itself have a tunnel interface for each branch office). This will give you a hub and spoke topology with the GRE tunnel being encapsulated inside the IPsec tunnel.
You then configure OSPF to peer using the GRE tunnel interfaces. I suggest configuring the branch sites as OSPF stubs so that they just receive a default route from the main office.
Alternatively you could create IPsec/GRE tunnels between all the routers; this would be considered a full-mesh design, which for learning purposes is OK, but ultimately does not scale very well.
https://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1049738
cheers,
Seb.
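To make the hub-and-spoke design above concrete, here is an added example configuration for the main office and one branch (Branch 10). It is constructed for this thread and is not from the thread itself or from Cisco's documentation. It assumes constructed lab addressing (HQ public link 203.0.113.1/24 with ISP gateway 203.0.113.254, Branch 10 public link 198.51.100.10/24 with ISP gateway 198.51.100.254, HQ LAN 10.0.0.0/16, Branch 10 LAN 10.10.0.0/16, tunnel link 10.255.10.0/30), GigabitEthernet0/0 as the ISP-facing interface on both routers, and a placeholder pre-shared key. The crypto map's ACL matches only GRE between the two public addresses, so the OSPF hellos carried inside the GRE tunnel are what gets encrypted; the ISP only ever sees ESP between two public addresses. The branch sits in a stub area and receives just a default route from the ABR.

```cisco
! ===== Main office (hub) - constructed addressing for this example =====
! Gi0/0: 203.0.113.1/24 toward ISP (gateway 203.0.113.254); LAN 10.0.0.0/16 in area 0
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key LAB-PSK-PLACEHOLDER address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Only GRE between the two public addresses is encrypted; OSPF runs inside the GRE.
ip access-list extended GRE-TO-BR10
 permit gre host 203.0.113.1 host 198.51.100.10
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address GRE-TO-BR10
!
interface GigabitEthernet0/0
 description to ISP
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
interface Tunnel10
 description GRE to Branch 10 (default tunnel mode is GRE over IP)
 ip address 10.255.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
! HQ reaches the branch public address through its default route to the ISP.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.255.255 area 0
 ! Tunnel placed in area 10 -> HQ is the ABR and originates the stub default route.
 network 10.255.10.0 0.0.0.3 area 10
 area 10 stub
!
! ===== Branch 10 =====
! Gi0/0: 198.51.100.10/24 toward ISP (gateway 198.51.100.254); LAN 10.10.0.0/16 in area 10
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key LAB-PSK-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended GRE-TO-HQ
 permit gre host 198.51.100.10 host 203.0.113.1
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address GRE-TO-HQ
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map CMAP
!
interface Tunnel0
 ip address 10.255.10.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
! Host route to HQ's public address only: the branch default route should come
! from OSPF (stub area) through the tunnel, and the tunnel endpoint must never
! become reachable through the tunnel itself (recursive routing).
ip route 203.0.113.1 255.255.255.255 198.51.100.254
!
router ospf 1
 router-id 10.10.0.1
 network 10.10.0.0 0.0.255.255 area 10
 network 10.255.10.0 0.0.0.3 area 10
 area 10 stub
```

`area 10 stub` must appear on both routers, because the stub flag is an area-wide agreement carried in the hello packets; with the tunnel in area 10 the main office is the ABR and injects the default summary LSA the branch relies on. Transport mode works here because the GRE endpoints are the same addresses as the IPsec peers. For each additional branch, add another tunnel interface, ACL and crypto-map entry (with a new sequence number) on the hub.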
04-15-2019 07:59 PM
Thanks. Your answer helped me a lot!
04-16-2019 06:53 AM
You are welcome. I am glad that our suggestions and responses have been helpful. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
HTH
Rick
04-19-2019 11:13 AM
Hello again!
I am using the option that creates the VTI tunnel. But I am struggling to make OSPF run. And as said in the second answer, I am struggling to make the areas work.
Do I have to create two tunnels on each router: one for the area that the interface belongs to and one area to connect to the backbone?
Thanks!
Thanks for the update telling us that you are using the option to configure VTI tunnels. That should work well. I do not understand the issue that you are currently experiencing. One thing is clear: you should not need 2 tunnels. A single VTI tunnel should be good enough. If your OSPF areas are not working then you need to tell us more about how you have configured them. We need to see your current configs, and it would be helpful if you provide an explanation of your topology.
HTH
Rick