12-22-2012 11:06 AM - edited 03-07-2019 10:44 AM
Hi Everyone,
I read that IPSEC does not support routing protocols with site-to-site VPN, as they both are Layer 4.
Does it mean that if Site A has to reach Site B over the WAN link we should use static IP on the Site A and Site B routers?
In my home lab I configured a site-to-site IPSEC VPN and it is working fine using OSPF. Does this mean that IPSEC supports routing protocols?
Can someone explain this to me, please?
Thanks
Mahesh
12-22-2012 11:23 AM
Hi,
To use a routing protocol that relies on multicast over an IPSec VPN tunnel you need to either:
- use IPSec over GRE, as GRE supports multicast, or
- configure a VTI IPSec tunnel instead of a crypto-map IPSec tunnel.
Regards.
Alain
Don't forget to rate helpful posts.
12-22-2012 11:41 AM
Hi Alain,
Can you please explain to me what a VTI IPSEC tunnel is?
Thanks
Mahesh
12-22-2012 11:48 AM
Hi,
A traditional IPSec VPN tunnel uses a crypto map assigned to the outbound interface, and this crypto map matches a crypto ACL, which means that you have to initiate interesting traffic (traffic permitted in this crypto ACL) to bring up the tunnel.
A VTI tunnel does not use a crypto map; instead a tunnel interface is created and all traffic routed through this tunnel is encrypted by IPSec.
http://www.ccierants.com/2009/09/ipsec-with-vti-best-damn-way-to-do-it.html
Regards.
Alain
Don't forget to rate helpful posts.
12-22-2012 11:28 AM
Hi,
If you configure an OSPF neighbor and point a static route to the subnets behind the IPSEC router it is possible. As far as I know, IPSEC supports only unicast packets over a VPN tunnel. GRE, for example, supports both multicast and unicast, which is why it supports dynamic protocols like OSPF and EIGRP.
Can you post the config of OSPF and the tunnel interface, as well as the IP routes?
Sent from Cisco Technical Support iPhone App
12-22-2012 11:40 AM
Hi Abzal,
I am not using GRE.
Side B
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O 192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O 192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
3.0.0.0/32 is subnetted, 2 subnets
O 3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C 192.168.98.0/24 is directly connected, BVI98
C 192.168.99.0/24 is directly connected, FastEthernet0
O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.5.0/31 is subnetted, 1 subnets
O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
This shows that both sides are communicating via OSPF, right?
Thanks
Mahesh
12-22-2012 11:50 AM
Hi,
This doesn't show that they are using the IPSec tunnel to do it.
Regards.
Alain
Don't forget to rate helpful posts.
12-22-2012 12:01 PM
But does this show
3550SMIA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.99.2 192.168.99.1 QM_IDLE 1005 ACTIVE
3550SMIA#sh crypto ipsec sa
interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 192.168.99.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4114, #pkts encrypt: 4114, #pkts digest: 4114
#pkts decaps: 4055, #pkts decrypt: 4055, #pkts verify: 4055
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
path mtu 1500, ip mtu 1500
current outbound spi: 0xC936CF9D(3375812509)
inbound esp sas:
spi: 0xB481DC3B(3028409403)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 189, flow_id: 189, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4519331/2630)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC936CF9D(3375812509)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 190, flow_id: 190, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4519338/2626)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
3550SMIA#
1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
So this shows that they are using the IPSEC tunnel, right?
Thanks
Mahesh
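To tie Alain's explanation of crypto-map "interesting traffic" to the `show crypto ipsec sa` output posted just above, here is an added example (not from the thread or from Cisco IOS) that parses the two ident lines from the 3550SMIA output and checks which packets the crypto ACL would actually match. The packet addresses are constructed; OSPF is IP protocol 89 and its hellos on broadcast links go to 224.0.0.5.

```python
import ipaddress
import re
from dataclasses import dataclass

# Excerpt copied from the `show crypto ipsec sa` output in the thread (3550SMIA side).
SA_OUTPUT = """\
Crypto map tag: VPN_MAP, local addr 192.168.99.2
local ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
"""

# IOS prints each ident as (addr/mask/prot/port); prot 0 and port 0 mean "any".
IDENT_RE = re.compile(
    r"^(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)",
    re.MULTILINE,
)

OSPF_PROTO = 89                 # OSPF runs directly over IP, protocol 89
OSPF_ALL_ROUTERS = "224.0.0.5"  # destination of OSPF hellos on broadcast links


@dataclass(frozen=True)
class Ident:
    net: ipaddress.IPv4Network
    proto: int  # 0 = any IP protocol
    port: int   # 0 = any port (both idents above use 0, so port is not matched here)


def parse_idents(text: str) -> dict:
    """Return {'local': Ident, 'remote': Ident} from `show crypto ipsec sa` text."""
    idents = {}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        idents[side] = Ident(ipaddress.IPv4Network(f"{addr}/{mask}"), int(prot), int(port))
    if set(idents) != {"local", "remote"}:
        raise ValueError("expected both a local and a remote ident")
    return idents


def is_interesting(idents: dict, src: str, dst: str, proto: int) -> bool:
    """True if a src->dst packet matches the crypto ACL and so would be encrypted
    by the crypto map; False means the router forwards it in the clear."""
    local, remote = idents["local"], idents["remote"]
    if ipaddress.IPv4Address(src) not in local.net:
        return False
    if ipaddress.IPv4Address(dst) not in remote.net:
        return False
    return local.proto in (0, proto) and remote.proto in (0, proto)


def ospf_hello_is_encrypted(idents: dict, router_addr: str) -> bool:
    """Would an OSPF hello sourced from router_addr be carried inside the tunnel?"""
    return is_interesting(idents, router_addr, OSPF_ALL_ROUTERS, OSPF_PROTO)
```

Run against the posted idents, a hello from 192.168.99.2 to 224.0.0.5 does not match (the multicast destination is outside 192.168.0.0/16), and neither does traffic sourced from a 3550 VLAN such as 192.168.30.0/24, since only 192.168.99.0/24 is in the local ident; the encaps counters alone cannot tell you which flows those 4114 packets were.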