OSPF over GREoIPSec VPNs.

tkatsiaounis
Level 1

Hello.

I have a network where some spoke routers (branch offices, all routers are 2811) connect with IPsec VPNs over ADSL lines to my central office and a 5540 ASA. There is also a backup central site with another ASA 5540 where the VPNs terminate in case of a primary ASA failure.

So to every spoke router there is a crypto map with these two peers. Primary as default and the other one as secondary. Primary and secondary offices communicate with each other through a metro-ethernet line.

What I want to do is put a router behind these two ASAs, accessible to both of them, and then create GRE tunnels from the spoke routers to the hub router and run OSPF or EIGRP over them. You can see the configuration I am trying to create in the attached JPEG.

My question is whether this is going to work. Will it be able to detect that some spoke lost connection to the primary site and connected to the secondary, and forward traffic correctly? Does it really care from which site the spoke router connects, or does it only need connectivity from tunnel to tunnel? And would you prefer OSPF or EIGRP? All equipment is Cisco.

Any help would be very appreciated. Thanks in advance.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Hi!

First of all, a forum is probably not the best place to ask about design; I'd typically tell people to run it by their Cisco SE ;-)

That being said, here goes. My two cents.

The concept is not without its charm, although it looks like instead of using DMVPN with two hub routers you really want to offload IPsec to ASAs.

That's OK.

While standard IPsec, multiple peers etc. should in theory make sure traffic goes to the hub...

what mechanism did you think of to change routing between ASAs and the hub in case of failure on the path?

I mean let's say tunnels to primary ASA go down because of failure of ISP, how does the hub know not to send traffic to primary and send it to the backup one?

I can see reverse-route injection + redistribution into a dynamic RP as a possibility, not without its flaws.

Another possibility would be to run OSPF (via neighbor) all across the board (the ASA can run OSPF over IPsec when using neighbor, since we avoid multicast).

It seems also that the GRE tunnel(s?) would have to be sourced from a loopback interface, which means the ASAs need to know where it is ;-)

If you don't mind a suggestion.

Why not have two GRE tunnels, from each spoke, to two "hubs" (one hub behind each ASA)...

Two tunnels up all the time could actually mean you can try to load-share/load-balance the traffic over the two locations.

Just thinking out loud; I don't know the background and requirements.

OSPF versus EIGRP. I don't want to start a flame war, so I would say it depends :-)

Mostly on what else you have in the network, what the end goal is, etc.

Hope this helps,
Marcin
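One way to wire up the two-tunnel suggestion above, as an added example that is not configuration from this thread or from Cisco: a spoke with both GRE tunnels sourced from a loopback, OSPF preferring hub1 by cost, GRE keepalives to bring a dead tunnel down, MTU/MSS settings to avoid GRE-over-IPsec fragmentation, and the crypto ACL that puts the loopback-to-hub GRE traffic into the existing two-peer crypto map. All addressing is constructed; the ASA crypto ACLs and the hub-to-spoke return routing raised in the reply (RRI/redistribution) are not shown.

```cisco
! Spoke router (2811). Constructed example; all addresses are hypothetical.
! Loopback0 sources both GRE tunnels, so the ASAs' crypto ACLs must
! cover GRE between this loopback and the hub loopbacks.
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface Tunnel1
 description GRE to hub1 (behind primary ASA), preferred path
 ip address 10.254.11.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.255.0.1
!
interface Tunnel2
 description GRE to hub2 (behind backup ASA), used when Tunnel1 fails
 ip address 10.254.11.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 20
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
router ospf 1
 router-id 10.255.0.11
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 10.254.11.0 0.0.0.7 area 0
 network 192.168.11.0 0.0.0.255 area 0
!
! Crypto ACL for the existing two-peer crypto map: only GRE between
! loopbacks is encrypted; the branch LAN rides inside the GRE tunnels.
ip access-list extended GRE-TO-HUBS
 permit gre host 10.255.0.11 host 10.255.0.1
 permit gre host 10.255.0.11 host 10.255.0.2
!
! Hub1 side of Tunnel1 (hub2 mirrors this with 10.254.11.6 and cost 20).
interface Tunnel11
 description GRE to spoke 11
 ip address 10.254.11.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.255.0.11
```

With both tunnels up, the spoke's LAN is reachable through whichever hub still has an OSPF adjacency, so the hub does not need to learn which ASA the spoke's IPsec peer currently is; the hubs only need an OSPF path to each other over the metro-ethernet line.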
