OSPF over IPSEC

marine253
Level 1

Hello,

I have a few questions regarding dynamic routing protocols over OSPF.

In the Cisco world, if you want to establish a secured IPsec tunnel between 2 sites and have a dynamic routing protocol established, you need to do GRE over IPsec. Which obviously impacts the overall MTU of the link. GRE is required as multicast is not supported over IPsec.

Other vendors are doing multicast over IPsec. So I just wanted to know why Cisco would still have such an issue supporting multicast over IPsec (without GRE).

Secondly, I need to establish a mesh VPN network between 10 sites and dynamic routing will be required (OSPF). Any ideas how I can accomplish this with any Cisco technology without doing GRE?

12 Replies

Peter Paluch
Cisco Employee

Hello,

You have a very good question at hand.

GRE is required as multicast is not supported over IPsec.

This is not entirely true. IPsec can transport multicast IP packets. With the classic IPsec, though, the main issue with multicast is that even if you run over a Layer 2 technology that supports broadcast and multicast replication itself, such as Ethernet, you may have several IPsec peers reachable through the same interface, and with each of them, you will have an independent IPsec SA established (cipher, hash, keying material, packet counter, ...), meaning that a single encrypted packet can only be validly decrypted by a single receiver, even if it is properly flooded to all recipients. As a consequence, IPsec always makes the interconnection between the tunnel endpoints behave as an NBMA network, forcing each endpoint to perform multicast replication itself and, in addition, to create a separate encrypted instance of the original packet for each IPsec neighbor, since the IPsec SA with that neighbor is unique and cannot be reused with any other neighbor.

This is in fact where GETVPN comes in: it enforces a single IPsec SA for the entire group of IPsec tunnel endpoints and preserves the original IP header addresses, again allowing a single encrypted packet to be correctly processed by all receivers and letting the underlay do the multicast job if it knows how to do it.

In fact, even without GETVPN, you can configure a plain point-to-point native IPsec tunnel on Cisco routers, and it will carry multicast packets just fine:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key asdf1234 address 192.168.34.4   
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile P
 set transform-set TS 
!
interface Tunnel24
 ip address 10.0.24.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source 192.168.23.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.34.4
 tunnel protection ipsec profile P

!!!

R2# show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.4      0   FULL/  -        00:00:35    10.0.24.4       Tunnel24 <<<<<<<<
10.255.255.1      1   FULL/DR         00:00:31    10.0.12.1       Ethernet2/1

R2# ping 224.0.0.5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.5, timeout is 2 seconds:

Reply to request 0 from 10.0.12.1, 40 ms
Reply to request 0 from 10.0.24.4, 124 ms <<<<<<<<
Reply to request 0 from 10.255.255.2, 44 ms
R2# show ip ospf int tun24
Tunnel24 is up, line protocol is up
  Internet Address 10.0.24.2/24, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 10.255.255.2, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/3/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.255.255.4
  Suppress hello for 0 neighbor(s)

The OSPF adjacency over the Tun24 interface is just fine - these are purely dynamic neighbors using multicast; I haven't configured any static OSPF neighbors here (I would not even be able to, as the OSPF network type of the interface is point-to-point, which does not allow configuring a static neighbor).

Without GRE here, however, this tunnel is entirely locked to IPv4 communication - nothing else can pass through it. If you decide to add IPv6 addresses on the Tun24 to enable IPv6 over it, it won't work - the IPv6 packets will be simply blackholed. The same will happen to CDP, LLDP, IS-IS, to name a few. Having GRE there gives you the flexibility of carrying any protocol through such an IPsec tunnel thanks to the IP+GRE encapsulation, making IPsec happy.

Secondly, I need to establish a mesh VPN network between 10 sites and dynamic routing will be required (OSPF). Any ideas how I can accomplish this with any Cisco technology without doing GRE?

One of the possibilities is to create 9 point-to-point IPsec tunnels with IPsec protection profile as shown in the example above, and run OSPF over them. Another possibility would be the GETVPN; however, this one assumes that the network between the tunnel endpoints has full visibility into the internal addressing on the sites (such as MPLS L3 VPN) because GETVPN preserves the original addresses, so this one might not always be usable.

https://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

I hope this helps somewhat - please feel welcome to ask further!

Best regards,
Peter

At the moment this seems to be true for routers only. The ASA has apparent restrictions on this. If anyone has ever configured OSPF over VTI, then please post how.

Best

Alessio

Cannot remark on ASAs and OSPF, but as noted in my much earlier posts, I've done OSPF across VTI, on routers, w/o issue.

Yeah,
Between routers I did not have problems myself either. That is why I am surprised about the OSPF keyword missing under the tunnel interface...

Anyone heard anything from Cisco? I tried to contact them but still waiting for a reply.

Thanks

Hi Peter,

I am not sure you still care about this? In my view, GRE or VTI is needed for IPsec to handle dynamic routing and multicast. But lately, I have seen a lot of customers use only IPsec (without GRE and VTI) to support OSPF and even multicast PIM. From my understanding it is because both sites are directly connected, the OSPF is using non-encrypted traffic and it is under the same subnet. If so, is the IPsec even needed? Or is the IPsec really secure?

The setting is like this:

R1---------R2

R1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 192.168.240.69
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set to_lcc esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set vpn esp-aes esp-sha512-hmac
 mode tunnel
!
crypto map to_R2 10 ipsec-isakmp
 set peer 192.168.240.69
 set transform-set vpn
 match address VPN
!
interface GigabitEthernet0/2
 description Connect to R2
 ip address 192.168.240.70 255.255.255.252
 ip pim sparse-mode
 ip tcp adjust-mss 1300
 duplex full
 speed 1000
 crypto map to_R2
 crypto ipsec df-bit clear
!
router ospf 17
 network 192.168.0.0 0.0.255.255 area 17

R2

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 192.168.240.70
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set vpn esp-aes esp-sha512-hmac
 mode tunnel
!
crypto map to_R1 10 ipsec-isakmp
 set peer 192.168.240.70
 set transform-set vpn
 match address VPN
!
interface GigabitEthernet0/2
 description Connect to R1
 ip address 192.168.240.69 255.255.255.252
 ip pim sparse-mode
 ip tcp adjust-mss 1300
 duplex full
 speed 1000
 crypto map to_R1
 crypto ipsec df-bit clear
!
router ospf 17
 network 192.168.0.0 0.0.255.255 area 17
!
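An added example, not code from the thread: a small audit of the IKE policy, pre-shared key and transform-set lines in IOS configs like the ones posted above, flagging the algorithms that are weak by today's standards (3DES, MD5, SHA-1, DH groups 1/2/5) and short pre-shared keys. The thresholds are this example's own choices, and note that a crypto map only encrypts traffic matching its crypto ACL (here "VPN", which is not posted), so whether the OSPF hellos on that link are actually encrypted cannot be judged from the config shown.

```python
WEAK_ALGOS = {"des", "3des", "null", "md5", "sha"}   # bare "sha" is SHA-1 in IOS syntax
WEAK_DH_GROUPS = {1, 2, 5}                           # 768/1024/1536-bit MODP
MIN_PSK_LEN = 16                                     # this example's own threshold


def audit_crypto(config: str) -> list:
    """Return (where, problem) pairs for weak IKE/IPsec settings in IOS config text."""
    findings = []
    policy = None                   # name of the isakmp policy block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy "):
            policy = "isakmp policy " + line.split()[3]
            continue
        if line.startswith("crypto "):
            policy = None           # any other top-level crypto command ends the block
        if policy:
            key, _, value = line.partition(" ")
            if key in ("encr", "hash") and value in WEAK_ALGOS:
                findings.append((policy, f"weak {key} {value}"))
            elif key == "group" and value.isdigit() and int(value) in WEAK_DH_GROUPS:
                findings.append((policy, f"weak DH group {value}"))
        elif line.startswith("crypto ipsec transform-set "):
            parts = line.split()    # crypto ipsec transform-set NAME esp-3des esp-md5-hmac
            for algo in parts[4:]:
                core = algo.split("-")[1] if "-" in algo else algo   # esp-md5-hmac -> md5
                if core in WEAK_ALGOS:
                    findings.append((f"transform-set {parts[3]}", f"weak algorithm {algo}"))
        elif line.startswith("crypto isakmp key "):
            psk = line.split()[3]
            if len(psk) < MIN_PSK_LEN:
                findings.append(("isakmp key", f"pre-shared key is only {len(psk)} characters"))
    return findings


# Constructed sample: the crypto part of the R1 config posted above.
SAMPLE_R1 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 192.168.240.69
crypto ipsec transform-set to_lcc esp-3des esp-md5-hmac
crypto ipsec transform-set vpn esp-aes esp-sha512-hmac
"""
```

Running audit_crypto(SAMPLE_R1) reports six findings, all against policy 10, the key and the to_lcc transform set; the vpn transform set (AES with SHA-512) passes.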

Joseph W. Doherty
Hall of Fame

"In cisco world if you want to establish a secured ipsec tunnel between 2 sites and have dynamic routing protocol established , you need to do GRE over IPSEC."

 

In addition to what Peter posted, Cisco VTI tunnels will run OSPF w/o GRE overhead.

 

"Which obviously impacts the overall MTU of the link."

 

Actually, I suspect you're thinking of the IP MTU provided to the encapsulated packet.  The actual link MTU doesn't change.  Also, IPSec overhead impacts encapsulated packet MTU, generally more so than the GRE overhead.  Some of this can be mitigated, on tunnels, depending on whether you use transport or tunnel mode.
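An added example, not from the thread, to put numbers on the point above: the link MTU stays at 1500 while the inner packet shrinks by the encapsulation overhead, and how much it shrinks depends on GRE, on ESP tunnel versus transport mode, and on the cipher's padding. Assumed ESP layout is AES-CBC with a 16-byte IV and a 12-byte truncated HMAC-SHA1 ICV (a transform set like "esp-aes esp-sha-hmac"); change icv_len for other HMACs.

```python
IPV4_HDR = 20      # IPv4 header without options
GRE_HDR = 4        # basic GRE header (no key/sequence/checksum fields)
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
AES_BLOCK = 16     # CBC pads (plaintext + trailer) to a multiple of this


def esp_overhead(plaintext_len: int, icv_len: int = 12) -> int:
    """Bytes ESP adds around plaintext_len bytes, including CBC padding and ICV."""
    padding = -(plaintext_len + ESP_TRAILER) % AES_BLOCK
    return ESP_HDR + ESP_IV + padding + ESP_TRAILER + icv_len


def wire_size(inner_len: int, gre: bool, ipsec: bool, transport: bool,
              icv_len: int = 12) -> int:
    """Bytes sent on the link for an inner IP packet of inner_len bytes."""
    if not ipsec:                          # plain GRE (or no encapsulation at all)
        return inner_len + (IPV4_HDR + GRE_HDR if gre else 0)
    if gre and not transport:              # GRE over IPsec, ESP tunnel mode:
        plaintext = IPV4_HDR + GRE_HDR + inner_len   # the whole GRE packet is encrypted
    elif gre:                              # GRE over IPsec, ESP transport mode:
        plaintext = GRE_HDR + inner_len    # GRE delivery header doubles as outer IP
    else:                                  # VTI ("tunnel mode ipsec ipv4", mode tunnel)
        plaintext = inner_len
    return IPV4_HDR + esp_overhead(plaintext, icv_len) + plaintext


def payload_mtu(link_mtu: int = 1500, gre: bool = False, ipsec: bool = True,
                transport: bool = False, icv_len: int = 12) -> int:
    """Largest inner IP packet that still fits link_mtu without fragmentation."""
    inner = link_mtu
    while wire_size(inner, gre, ipsec, transport, icv_len) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to set with 'ip tcp adjust-mss' so TCP segments fit inner_mtu."""
    return inner_mtu - IPV4_HDR - 20       # minus IPv4 and TCP headers


if __name__ == "__main__":
    cases = [("plain GRE", dict(gre=True, ipsec=False)),
             ("VTI, ESP tunnel mode", {}),
             ("GRE over IPsec, tunnel mode", dict(gre=True)),
             ("GRE over IPsec, transport mode", dict(gre=True, transport=True))]
    for name, kw in cases:
        mtu = payload_mtu(**kw)
        print(f"{name:32s} inner MTU {mtu:4d}   TCP MSS {tcp_mss_for(mtu)}")
```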


Thanks.

I tried simulating IPsec with VTI and I am having some trouble getting traffic to flow through the tunnel. Point-to-point connectivity is okay on the tunnel, but it won't let traffic from other subnets flow via the tunnel.

I've tried using OSPF or static routes. No luck.

Is there anything additional to be configured, for example interesting traffic (via ACL) or anything like that?

For traffic to flow through the VTI tunnel, you need to route across it. This routing is separate from the routing you set up to support the tunnel itself.

If using OSPF, you configure the VTI tunnel interface much like any other interface.

For example, using static routing, you might have something like:

! local tunnel IP 192.168.1.1
! remote tunnel IP 192.168.1.2
! local public interface IP 1.1.1.2
! remote public interface IP 2.2.2.2
!
! to support the tunnel
ip route 2.2.2.2 255.255.255.255 1.1.1.1
! to support traffic across the tunnel
ip route 0.0.0.0 0.0.0.0 192.168.1.2

Hello, that's what I tried and it didn't work.

Will post the full config later.

Thank you

Hi Joseph,

If running the routing protocol OSPF through the VTI tunnel, does it need a static route to direct the traffic to use the VTI? Thanks

Hello,

The short answer is: no. As long as you advertise the tunnel interface networks and the LAN networks, everything is reachable through OSPF and the tunnels.

As @Georg Pauwen already answered, should be "no" for a static route, if using OSPF; just add a VTI interface to it, as you would other interfaces.
