Re: OSPF over VPN

Mike Hendriks · ‎05-19-2009

I've been reading this configuration example to help set up OSPF over a VPN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

The difference, in my case, is that the second VPN peer is a Cisco 861 IOS based router. Can IOS do OSPF over the site-to-site VPN, or is a GRE tunnel needed? Where can I find reference material to help me set this up?

Thanks in advance.

Laurent Aubert · ‎05-20-2009

Hi,

IOS doesn't support this configuration. You need to go with a GRE tunnel.

HTH

Laurent.

rakesh.hegde · ‎05-21-2009

Hi,

If the router supports, you may want to consier Virtual Tunnel Interfaces in native ipsec ipv4 mode.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

HTH

Rakesh

patucker · ‎06-04-2009

What is the downside of SVTI (static virtual tunnel interface) compared to GRE?

rakesh.hegde · ‎06-04-2009

Hi,

You can use static VTIs with or with out GRE. The difference is with the way router builds the IPSEC SA proxies. If you use the default gre mode, the traffic hitting the tunnel interface is GRE encapsulated using tunnel source and destination ips and then the IPSEC SAs is built using same source and destination ips. This means that tunnel source and destination IPs must be reachable. This is pretty much the only downside I can think of. In a traditional GRE over IPSEC set up you don't have this requirement (you use IPSEC to provide tunnel end point reach ability).

So, if you want encrypt multicast with out GRE encapulation you can use VTI in tunnel mode (tunnel mode ipsec ipv4). In this case the router builds IPSEC SAs for all source and destination (0.0.0.0/0.0.0.0) using tunnel source and destination ip.

HTH,

Rakesh