35524 Views, 15 Helpful, 10 Replies

OSPF over IPSEC???

Arun Nair (Level 1)

Hi Guys,

Can I run ospf over basic IPSEC?(Not GRE).


10 Replies

Arun Nair (Level 1)

Also,

I do know that multicast traffic is not allowed over IPSEC. That is a drawback. But there is a concept of reverse-route injection which can accomplish route population across the tunnel. But I am not able to get more information on that.

Please help.

Arun

In general the answer is that no, you cannot run OSPF over just an IPSec connection. You need some kind of tunnel to transport the multicast traffic. Historically that has been solved by using GRE tunnels with IPSec. Cisco has introduced a feature called VTI (Virtual Tunnel Interface) which allows running dynamic routing protocols without requiring the processing of GRE (and without requiring the crypto map configuration required with GRE tunnels). I have configured quite a few VTI tunnels and they work quite well.

Here is a link with some additional information about VTI.

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

HTH

Rick


Swwweeeet!!!

That is a very good whitepaper. Thanks Rick.

Would you be kind enough to give me a short gist on RRI too? I did not really get the concept. Configuration wise, I see we do not have to do much except include one command, but, what difference does it make is my question?

Cheers

Arun

Hello Richard,

I was testing IPSEC in my lab, and I noticed that OSPF works even when only IPSEC (w/o GRE) is configured.

I was quite surprised to see the adjacency UP.

Perhaps it depends on the cisco IOS release ( I am using Version 12.4(15)T10)?

I was not sure whether OSPF was going through the IPSEC tunnel, so I double checked removing the ACL or the "crypto map" applied to the interface.

In both cases the adjacency was lost. This should prove that OSPF is working over IPSEC. I hope I am not missing something.

The configuration is quite straightforward:

=====================
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ISAKEY address 10.1.2.2
!
!
crypto ipsec transform-set TSET esp-aes
!
crypto map CMAP 1 ipsec-isakmp
 set peer 10.1.2.2
 set transform-set TSET
 match address 101
!
access-list 101 permit ip any any
!
interface Serial1/0
 ip address 10.1.2.1 255.255.255.252
 serial restart-delay 0
 crypto map CMAP
==============

Have a look at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq94342

We do recommend moving away from crypto maps whenever possible; VTI and other logical interfaces are the way to go in IPsec.

Hello Martin,

Unfortunately that bug description is not accessible to common users: "the bug ID CSCtq94342 you searched contains proprietary information that cannot be disclosed at this time".

I suppose I hit an IOS bug? If yes, could you just briefly describe it? The same problem appeared changing the routing protocol to EIGRP.

As far as I know, there is not much to choose from: classic "tunnel protection" and VTI should be the other solution. Are there other solutions available?

Thanks for your time.

Accepted Solution

Marco,

Not really a bug in the common sense, pasting the description.

It explains what you see and why people in the past might have seen a different behavior. :-)

M.

CSCtq94342 - Self originated, multicast traffic handling through IPsec tunnel

This is a documentation bug only.
Symptom:
A note needs to be added into configuration guide to specify that:
As of release 12.4(9)T multicast traffic originated from the box will be encapsulated into IPsec if proxy identities allow this.
Further description
A typical use case for this is when router is sourcing OSPF packets and traffic selectors for IPsec allows OSPF packets (protocol number 89, group 224.0.0.5 & 224.0.0.6).
As of release 12.4(9)T those packets will be put into the tunnel and encrypted.
At the same time, please be aware that using "any any" as your proxy identities is HIGHLY discouraged.
"any any" proxy identities can be achieved in case of using VTI configuration which is recommended if those proxy identities are desired.

I had not been aware of this change. Thank you for sharing this very helpful information with us.

HTH

Rick


Hi Guys,

I have the same problem and I could not find your links to the bug or to the technology any longer. I have an ASAv and a Cisco router and I set up an IPSec/IKEv2 tunnel between them that is up and stable. I need now to run OSPF over this VTI VPN and it is a nightmare. Do you have any working configuration sample? Could you share?

Thanks!

Hi Arun,

Yes you can run OSPF over IPsec.

PIX/ASA 7.x and later : VPN/IPsec with OSPF Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

To make this work you need to change the OSPF network type:

ospf network point-to-point non-broadcast

This would be in case that you have an ASA, if you have a Router, I would definitely go for a logical interface.

HTH.

Portu.
