10-31-2011 03:36 AM - edited 02-21-2020 05:41 PM
10-31-2011 03:43 AM
Also,
I do know that multicast traffic is not allowed over IPSEC. That is a drawback. But there is a concept of reverse-route injection which can accomplish route population across the tunnel. But I am not able to get more information on that.
Please help.
10-31-2011 02:11 PM
Arun
In general the answer is that no, you cannot run OSPF over just an IPSec connection. You need some kind of tunnel to transport the multicast traffic. Historically that has been solved by using GRE tunnels with IPSec. Cisco has introduced a feature called VTI (Virtual Tunnel Interface) which allows running dynamic routing protocols without requiring the processing of GRE (and without requiring the crypto map configuration required with GRE tunnels). I have configured quite a few VTI tunnels and they work quite well.
Here is a link with some additional information about VTI.
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
HTH
Rick
10-31-2011 10:15 PM
Swwweeeet!!!
That is a very good whitepaper. Thanks Rick.
Would you be kind enough to give me a short gist on RRI too? I did not really get the concept. Configuration wise, I see we do not have to do much except include one command, but, what difference does it make is my question?
Cheers
Arun
03-24-2013 09:52 AM
Hello Richard,
I was testing IPSEC in my lab, and I noticed that OSPF works even when only IPSEC (w/o GRE) is configured.
I was quite surprised to see the adjacency UP.
Perhaps it depends on the cisco IOS release ( I am using Version 12.4(15)T10)?
I was not sure whether OSPF was going through the IPSEC tunnel, so I double checked removing the ACL or the "crypto map" applied to the interface.
In both cases the adjacency was lost. This should prove that OSPF is working over IPSEC. I hope I am not missing something.
The configuration is quite straightforward:
=====================
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ISAKEY address 10.1.2.2
!
crypto ipsec transform-set TSET esp-aes
!
crypto map CMAP 1 ipsec-isakmp
 set peer 10.1.2.2
 set transform-set TSET
 match address 101
!
access-list 101 permit ip any any
!
interface Serial1/0
 ip address 10.1.2.1 255.255.255.252
 serial restart-delay 0
 crypto map CMAP
==============
03-24-2013 11:29 AM
Have a look at:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq94342
We do recommend moving away from crypto maps whenever possible, VTI and other logical interfaces are the way to go in ipsec.
03-24-2013 01:26 PM
Hello Martin,
unfortunately that bug description is not accessible to common users: "the bug ID CSCtq94342 you searched contains proprietary information that cannot be disclosed at this time".
I suppose I hit an IOS bug? If yes, could you just briefly describe it? The same problem appeared changing the routing protocol to EIGRP.
As far as I know, there is not much to choose from: classic "tunnel protection" and VTI should be the other solution. Are there other solution available?
Thanks for time.
03-25-2013 12:36 AM
Marco,
Not really a bug in the common sense, pasting the description.
It explains what you see and why people in the past might have seen a different behavior. :-)
M.
CSCtq94342 - Self originated, multicast traffic handling through IPsec tunnel
This is a documentation bug only.
Symptom:
A note needs to be added into configuration guide to specify that:
As of release 12.4(9)T multicast traffic originated from the box will be encapsulated into IPsec if proxy identities allow this.
Further description
A typical use case for this is when the router is sourcing OSPF packets and the traffic selectors for IPsec allow OSPF packets (protocol number 89, groups 224.0.0.5 & 224.0.0.6).
As of release 12.4(9)T those packets will be put into the tunnel and encrypted.
At the same time, please be aware that using "any any" as your proxy identities is HIGHLY discouraged.
"any any" proxy identities can be achieved in case of using VTI configuration which is recommended if those proxy identities are desired.
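The VTI replacement for Marco's crypto-map configuration, as an added example that is not part of this thread and not taken from the bug note or Cisco's documentation. It keeps the same peers and WAN addressing as the lab above (10.1.2.1 and 10.1.2.2 on Serial1/0); the tunnel subnet 192.168.100.0/30, the names TSET-VTI and VTI-PROF, the pre-shared key and the algorithm choices (AES-256, SHA-256, DH group 14) are assumptions, and those algorithms need an IOS release that supports them (15.x, not the 12.4(15)T used in the lab). The point it shows is the one the bug note makes: a VTI is a routed interface with no "match address" ACL, so there are no proxy identities to scope at all. Everything the routing table sends into Tunnel0, including the router's own OSPF hellos to 224.0.0.5, is encrypted, which is the "any any" behaviour the note says VTI is the right way to get.

```cisco
! Router A (10.1.2.1). Router B mirrors this with the addresses swapped.
! Assumed: IOS 15.x, IKEv1 with pre-shared-key authentication.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ASSUMED-PSK address 10.1.2.2
!
! ESP with both confidentiality and integrity (the crypto-map lab used
! esp-aes with no authentication transform).
crypto ipsec transform-set TSET-VTI esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The IPsec profile replaces the crypto map. There is no "match address"
! ACL, so nothing like "permit ip any any" has to be written anywhere.
crypto ipsec profile VTI-PROF
 set transform-set TSET-VTI
!
! Static VTI: a routed point-to-point interface whose egress is IPsec.
! OSPF is enabled on the tunnel itself, so hellos are routed into it and
! encrypted like any other packet leaving Tunnel0.
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 tunnel source Serial1/0
 tunnel destination 10.1.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! The physical interface only carries the resulting ESP packets;
! no "crypto map" is applied to it.
interface Serial1/0
 ip address 10.1.2.1 255.255.255.252
 serial restart-delay 0
!
! Every interface is passive except the tunnel, so no OSPF hello is ever
! sent in the clear on the WAN link.
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
```

To check that the adjacency really rides inside the SA rather than on the WAN link: `show ip ospf neighbor` should list the peer as FULL on Tunnel0, and in `show crypto ipsec sa` the "#pkts encaps" counter of the Tunnel0 SA should keep rising by roughly one packet per hello interval (10 seconds by default) even with no user traffic crossing the tunnel.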
03-25-2013 05:25 AM
I had not been aware of this change. Thank you for sharing this very helpful information with us.
HTH
Rick
10-04-2019 02:19 AM
Hi guys,
I have the same problem and I could not find your links to the bug or to the technology any longer. I have an ASAv and a Cisco router and I set up an IPSec/IKEv2 tunnel between them that is up and stable. I need now to run OSPF over this VTI VPN and it is a nightmare. Do you have any working configuration sample? Could you share?
Thanks!
03-24-2013 12:28 PM
Hi Arun,
Yes you can run OSPF over IPsec.
PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example
To make this work you need to change the OSPF network type:
ospf network point-to-point non-broadcast
This would be in case that you have an ASA, if you have a Router, I would definitely go for a logical interface.
HTH.
Portu.