Internet Routing Over Ipsec Vpn

matias_rognone · ‎09-04-2015

Hi all,

I have the next scenario 2 office's connected with Ipsec Vpn Tunnel. This Ipsec work ok, i can ping, i can access between the offices ,etc.

I need to route 2 destinations over this Tunnel.

Example:

When office A try access to an external Destination (200.1.1.1 )the destination travel over the tunnel to office B and go to internet from this Office.

I have ASA5505 in office A

ASA5510 in office B

I tried using statics, add the destionations in the crypto ACL.

I tried with OSPF over the IPsec.

but nothing seems to work.

ideas?

thanks in advance.

Seb Rupik · ‎09-07-2015

Hi there,

IPSec only supports unicast traffic. OSPF uses multicast for some aspects of communication between neighbours.

The common solution for this is to create a GRE tunnel and have that encapsulated within the IPSec tunnel. GRE supports multicast traffic. However the ASA does not support GRE tunnels, so unless you have routers behind the ASAs which could host these GRE tunnels, this option is not viable.

This leaves the option of reconfiguring your OSPF processes and configuring them as non-broadcast (ie not to use the multicast group addresses). You would need to ensure the correct neighbor statements exist in each routers OSPF process.

The following two URLs should give you some more detail:

http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13690-18.html

https://ccieblog.co.uk/ospf/ospf-non-broadcast-nbma-network

cheers,

Seb.

Philip D'Ath · ‎12-22-2015

The closest you'll be able to do is reverse route injection on the VPNs. So when the VPN is up the ASA adds a local reverse route into the local routing table.

Ganesh Hariharan · ‎12-25-2015

Hello,

Check out the below link for more information..

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14381-gre-ipsec-ospf.html

Hope it Helps..

-GI