Announce OSPF inside IPSec

SubaruSama
Level 1

Hello everyone, how are you doing?

I need some guidance and mentoring. Cisco beginner here. The class has changed professor; the old one was using the CORE Emulator. Now we are using Eve-NG. I am kind of liking the Cisco world because there is material and tutorials online and it is fun too. With the CORE Emulator it was more hardcore, but it was fun too.

I'm doing a class in which we need to do the following under this context:

We have four offices: one office is the Main Office and the three others are Branch Offices. And in between we have the ISP.

I'm configuring the ISP to use RIPv2 for simplicity. For the offices we will use OSPF and OSPFv3.

But the ISP doesn't need to / doesn't have to know our OSPF routes. The Main Office is the Backbone Area 0, and the other three offices are Areas 10, 20 and 30.

So I was planning to announce the OSPF routes inside IPSec. But I am struggling so hard to understand and implement it.

So, how do I implement it to make OSPF announce inside IPSec tunnels? Do I have to create a Tunnel Interface, and then do what? I've created some labs to try to implement it, but in terms of theory, I am not understanding.

Thanks in advance!

20 Replies

Thank you for posting the diagram and the router configurations. I suspect that we may have multiple issues to deal with. I will start with 2 and after they are resolved we will see what else we need to address.

First I have an architectural concern. When you described 4 sites running OSPF I expected to see 4 non-backbone areas (one area per site) with an area 0 backbone in the middle. What we have here appears to be area 0 backbone at one site and 3 non-backbone areas. You could make this work, but it will be a bit more complex. I wonder if there was a particular reason to set it up this way?

Second I looked at one of the site routers. I see the configuration of a VTI tunnel and I see OSPF for the tunnel. But when I look at the ISP router configuration I do not see any tunnel configured and I do not see any OSPF configured. I see 2 interfaces with RIP running on both interfaces. Why are you running RIP on the interface connecting to the site? Why is there no tunnel? And why is there no OSPF on the ISP router?

HTH

Rick

Hello, how are you? Responding to the first question: since the project asks us to work with hub-and-spoke, I thought that the hub would be the backbone area and the spokes would be the areas 10, 20 and 30. So, do I have to make the ISP Area 0, and assign each site an Area?

Second response: yeah, I've talked with some colleagues and they said the same thing, that the border routers of each site don't have to announce RIPv2; RIPv2 will only run inside the ISP. And the interfaces of each border router would be OSPF. I've thought that I would announce the OSPF routes inside the IPSec tunnel that is reachable through RIPv2.

So, if I get it, I need to configure:

  1. The border router of each site would be an Area, and the Backbone Area would be the ISP (each interface for the site would be an OSPF interface).

  2. The tunnel is created to make the connectivity between the OSPF interface of the ISP and the OSPF interface of another site (not the one it is directly connected to).

But I am in doubt: what is the purpose of the tunnel then? How would I fix that?

Thanks!

OK. It is helpful to know that the project asked for hub and spoke. That is quite possible. You should configure the VTI tunnels so that they go from the spoke router to the hub router (rather than to the ISP router). If you configure it this way then OSPF runs through the tunnel and the ISP routers are not involved in OSPF at all. RIPv2 would run on ISP routers, on the interfaces connecting the ISP routers to your routers, and on your routers' interfaces connecting to the ISP (but not on your LAN or on the VTI tunnel). And RIPv2 would advertise only the subnets of interfaces connecting to ISP routers. This will mean that each of your spoke routers would have routes to the hub interface and the tunnel could work.

HTH

Rick
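Rick's design above, written out as an added spoke-router configuration that is not from the thread or from Cisco: all addresses, interface names, the profile names and the pre-shared-key placeholder are assumptions, and the hub's ISP-facing address is taken to be 198.51.100.2.

```cisco
! Spoke router for Area 10 (constructed example; addresses are assumed)
hostname Branch10
!
! IKEv1/IPsec for the VTI; the hub's ISP-facing address is assumed to be 198.51.100.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
! ISP-facing interface: RIPv2 runs here, OSPF does not
interface GigabitEthernet0/0
 description to-ISP
 ip address 203.0.113.2 255.255.255.252
!
! Branch LAN: OSPF only, never RIP, so the ISP never learns it
interface GigabitEthernet0/1
 description Branch10-LAN
 ip address 10.10.0.1 255.255.255.0
 ip ospf 1 area 10
!
! VTI to the hub: the OSPF adjacency forms inside the IPsec tunnel
interface Tunnel0
 ip address 10.255.10.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
 ip ospf 1 area 10
!
! Keep Gi0/0 out of OSPF: if the hub's WAN subnet were learned via OSPF (AD 110)
! through the tunnel it would beat the RIP route (AD 120), the tunnel destination
! would resolve through the tunnel itself, and the VTI would flap (recursive routing)
router ospf 1
 router-id 10.10.0.1
 passive-interface GigabitEthernet0/1
!
! RIPv2 advertises only the ISP-facing subnet (classful network statement),
! which is all the hub needs to reach this tunnel endpoint
router rip
 version 2
 no auto-summary
 network 203.0.113.0
```

The hub is configured the same way with the roles mirrored: its tunnel source is its own ISP-facing interface, its Tunnel0 sits in area 10 and the hub LAN in area 0, which makes the hub router the ABR for that spoke. Afterwards `show ip ospf neighbor` should list the hub on Tunnel0 and `show crypto ipsec sa` should show packet counters increasing on the VTI.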

Hey guys, sorry for the late response. This weekend I've reworked the whole routing topology. I got rid of RIPv2 and made the ISP talk OSPF in its own area. I've put each branch and the main office in their respective areas (using virtual-link; I don't know if this solution is old or bad, but it works. Maybe it will need some analysis for security reasons or other stuff, but for this project it is working well) and all is working fine!

I've created the IPSec tunnels and made each LAN talk with the other LANs.

So, my routing problem is solved, thanks for your insights and ideas!

Thanks for your time and your patience. See you around!

Bye!


Thank you for the update that you have it running successfully and that your routing issue is solved. I am glad that our suggestions have pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

HTH

Rick