3332 Views, 15 Helpful, 8 Replies
Beginner

OSPF over IPSEC

Hello,

 

I have a few questions regarding dynamic routing protocols over ospf.

 

In the Cisco world, if you want to establish a secured IPsec tunnel between 2 sites and have a dynamic routing protocol established, you need to do GRE over IPsec, which obviously impacts the overall MTU of the link. GRE is required as multicast is not supported over IPsec.

 

Other vendors are doing multicast over IPsec, so I just wanted to know why Cisco would still have such an issue supporting multicast over IPsec (without GRE).

 

Secondly, I need to establish a mesh VPN network between 10 sites, and dynamic routing will be required (OSPF). Any ideas how I can accomplish this with any Cisco technology without doing GRE?

8 REPLIES
Hall of Fame Cisco Employee

Re: OSPF over IPSEC

Hello,

You have a very good question at hand.

GRE is required as multicast is not supported over IPSEC.

This is not entirely true. IPsec can transport multicast IP packets. With the classic IPsec, though, the main issue with multicast is that even if you run over a Layer2 technology that supports broadcast and multicast replication itself, such as Ethernet, you may have several IPsec peers reachable through the same interface, and with each of them, you will have an independent IPsec SA established (cipher, hash, keying material, packet counter, ...) - meaning that a single encrypted packet can only be validly decrypted by a single receiver, even if it is properly flooded to all recipients. As a consequence, IPsec always makes the interconnection between the tunnel endpoints behave as an NBMA network, forcing each endpoint to perform multicast replication itself, and in addition, for each IPsec neighbor, creating a separate encrypted instance of the original packet since the IPsec SA with that neighbor is unique and cannot be reused with any other neighbor. This is in fact where GETVPN comes in that enforces a single IPsec SA to the entire group of IPsec tunnel endpoints, and preserves the original IP header addresses, again allowing a single encrypted packet to be correctly processed by all receivers, and letting the underlay do the multicast job if it knows how to do it.

In fact, even without GETVPN, you can configure a plain point-to-point native IPsec tunnel on Cisco routers, and it will carry multicast packets just fine:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key asdf1234 address 192.168.34.4
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P
 set transform-set TS
!
interface Tunnel24
 ip address 10.0.24.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source 192.168.23.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.34.4
 tunnel protection ipsec profile P

!!!

R2# show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.4      0   FULL/  -        00:00:35    10.0.24.4       Tunnel24 <<<<<<<<
10.255.255.1      1   FULL/DR         00:00:31    10.0.12.1       Ethernet2/1

R2# ping 224.0.0.5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.5, timeout is 2 seconds:

Reply to request 0 from 10.0.12.1, 40 ms
Reply to request 0 from 10.0.24.4, 124 ms <<<<<<<<
Reply to request 0 from 10.255.255.2, 44 ms
R2# show ip ospf int tun24
Tunnel24 is up, line protocol is up
  Internet Address 10.0.24.2/24, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 10.255.255.2, Network Type POINT_TO_POINT, Cost: 1000
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1000      no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/3/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.255.255.4
  Suppress hello for 0 neighbor(s)

The OSPF adjacency over the Tun24 interface is just fine - these are purely dynamic neighbors using multicast, I haven't configured any static OSPF neighbors here (I would not even be able to - the OSPF network type of the interface is point-to-point, which does not allow configuring a static neighbor).

Without GRE here, however, this tunnel is entirely locked to IPv4 communication - nothing else can pass through it. If you decide to add IPv6 addresses on the Tun24 to enable IPv6 over it, it won't work - the IPv6 packets will be simply blackholed. The same will happen to CDP, LLDP, IS-IS, to name a few. Having GRE there gives you the flexibility of carrying any protocol through such an IPsec tunnel thanks to the IP+GRE encapsulation, making IPsec happy.

Secondly, I need to establish a mesh VPN network between 10 sites, and dynamic routing will be required (OSPF). Any ideas how I can accomplish this with any Cisco technology without doing GRE?

One of the possibilities is to create 9 point-to-point IPsec tunnels with IPsec protection profile as shown in the example above, and run OSPF over them. Another possibility would be the GETVPN; however, this one assumes that the network between the tunnel endpoints has full visibility into the internal addressing on the sites (such as MPLS L3 VPN) because GETVPN preserves the original addresses, so this one might not be always usable.

https://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

I hope this helps somewhat - please feel welcome to ask further!

Best regards,
Peter

 

Contributor

Re: OSPF over IPSEC

At the moment this seems to be true for routers only. The ASA has apparent restrictions on this. If anyone has ever configured OSPF over VTI, then please post how.

 

Best

Alessio

VIP Expert

Re: OSPF over IPSEC

Cannot remark on ASAs and OSPF, but as noted in my much earlier posts, I've done OSPF across VTI, on routers, w/o issue.
Contributor

Re: OSPF over IPSEC

Yeah,
Between routers I did not have problems myself either. That is why I am surprised about the ospf keyword missing under the tunnel interface...

Anyone heard anything from Cisco? I tried to contact them but still waiting for a reply.

Thanks
VIP Expert

Re: OSPF over IPSEC

"In cisco world if you want to establish a secured ipsec tunnel between 2 sites and have dynamic routing protocol established , you need to do GRE over IPSEC."

 

In addition to what Peter posted, Cisco VTI tunnels will run OSPF w/o GRE overhead.

 

"Which obviously impacts the overall MTU of the link."

 

Actually, I suspect you're thinking of the IP MTU provided to the encapsulated packet.  The actual link MTU doesn't change.  Also, IPSec overhead impacts encapsulated packet MTU, generally more so than the GRE overhead.  Some of this can be mitigated, on tunnels, depending on whether you use transport or tunnel mode.
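To put numbers on the MTU point in this reply, here is an added Python example (not from the thread, not Cisco's code) that works out the ESP overhead of the esp-aes esp-sha-hmac transform set shown earlier in the thread, for a VTI (ESP tunnel mode, no GRE) against GRE over IPsec in ESP transport and tunnel mode, and the largest inner packet that still fits the link. The 1500-byte link MTU is an assumed value.

```python
# Added example (not from the thread): ESP overhead and inner MTU for the
# esp-aes esp-sha-hmac transform set (AES-CBC, 16-byte IV; HMAC-SHA1-96,
# 12-byte ICV) following the RFC 4303 ESP layout. Link MTU 1500 is assumed.

IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # plain GRE header (no key, sequence or checksum)
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_BLOCK = 16     # AES-CBC IV length and padding boundary
ESP_TRAILER = 2    # pad length (1) + next header (1)
SHA1_96_ICV = 12   # integrity check value of esp-sha-hmac

def esp_padding(plaintext_len):
    """Bytes of ESP padding so plaintext + trailer ends on a cipher block boundary."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK

def esp_packet_size(plaintext_len):
    """On-the-wire size of the ESP packet protecting plaintext_len bytes,
    including the single IP header that precedes ESP in either mode."""
    pad = esp_padding(plaintext_len)
    return (IP_HDR + ESP_HDR + AES_BLOCK + plaintext_len + pad
            + ESP_TRAILER + SHA1_96_ICV)

def vti_wire_size(inner_len):
    """tunnel mode ipsec ipv4 (VTI): the whole inner IP packet is the ESP
    plaintext and a new outer IP header is added; no GRE header at all."""
    return esp_packet_size(inner_len)

def gre_over_ipsec_wire_size(inner_len, esp_tunnel_mode):
    """GRE over IPsec. Transport mode encrypts GRE + inner packet and reuses the
    GRE delivery header as the outer header; tunnel mode also encrypts the
    delivery header and prepends another outer IP header."""
    plaintext = GRE_HDR + inner_len
    if esp_tunnel_mode:
        plaintext += IP_HDR
    return esp_packet_size(plaintext)

def max_inner_size(link_mtu, wire_size_fn):
    """Largest inner IP packet that fits link_mtu without fragmentation,
    i.e. the value to configure as 'ip mtu' on the tunnel interface."""
    for inner_len in range(link_mtu, 0, -1):
        if wire_size_fn(inner_len) <= link_mtu:
            return inner_len
    return 0

if __name__ == "__main__":
    variants = (("VTI", vti_wire_size),
                ("GRE/IPsec transport", lambda n: gre_over_ipsec_wire_size(n, False)),
                ("GRE/IPsec tunnel", lambda n: gre_over_ipsec_wire_size(n, True)))
    for name, fn in variants:
        print(f"{name:20} 1500-byte packet -> {fn(1500)} bytes on the wire; "
              f"ip mtu {max_inner_size(1500, fn)}")
```

The link MTU itself stays at 1500; what shrinks is the inner packet size, and the IPsec part (IV, padding, ICV) costs more than the 4-byte GRE header does.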

 

 

Beginner

Re: OSPF over IPSEC

thanks.

 

I tried simulating IPsec with VTI and I am having some trouble getting traffic to flow through the tunnel. Point-to-point connectivity is okay on the tunnel, but it won't let traffic from other subnets flow via the tunnel.

 

I've tried using ospf or static routes. No luck.

Is there anything additional to be configured, for example interesting traffic (via ACL) or anything like that?

 

VIP Expert

Re: OSPF over IPSEC

For traffic to flow through the VTI tunnel, you need to route across it. This routing is separate from the routing you setup to support the tunnel itself.

If using OSPF, you configure the VTI tunnel interface much like any other interface.

For example, using static routing, you might have something like:

! local tunnel IP 192.168.1.1
! remote tunnel IP 192.168.1.2
! local public interface IP 1.1.1.2
! remote public interface IP 2.2.2.2
!
! to support the tunnel itself
ip route 2.2.2.2 255.255.255.255 1.1.1.1
! to carry traffic across the tunnel
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Beginner

Re: OSPF over IPSEC

Hello, that's what I tried and it didn't work.

 

Will post the full config later.

 

Thank you