unable to run ospf between two ASA's running l2l ipsec tunnel.

kirti_bapat · ‎05-21-2007

Hi All,

my scenario is as shown below :

R1>>ASA1>>internet>>ASA2>>R2

i have established the ipsec tunnel between the two ASA's. now, when i run ospf on both these ASA's ,they do not become neighbors. as per the cisco doc ASA allows OSPF unicast to work over the IPSEC tunnel.

kindly advise me on this.

waiting for reply.

thanks

kirti.

laurent.geyer · ‎05-21-2007

What does the interface configuration of the ASAs look like and what does your OSPF config on the routers look like?

kirti_bapat · ‎05-21-2007

the configs are as follows

on R1

router ospf 10

net 10.1.1.1 0.0.0.0 a 0 (loopback IP)

net 1.1.1.1 0.0.0.0 a 0

---------

on the ASA1 outside interface e0/1 the config is:

int e0/1

nameif outside

sec 0

ip add 2.1.1.2 255.255.255.0

ospf net point-to-point non-broadcast

router ospf 10

net 1.1.1.2 255.255.255.255 a 0

net 2.1.1.2 255.255.255.255 a 0

net 3.1.1.0 255.255.255.0 a 0

neigh 3.1.1.2 int outside (this is the outside IP of the ASA2)

---------

config on ASA 2

int e0/1

nameif outside

sec 0

ip add 3.1.1.2 255.255.255.0

ospf net point-to-point non-broadcast

router ospf 10

net 3.1.1.2 255.255.255.255 a 0

net 4.1.1.2 255.255.255.255 a 0

net 2.1.1.0 255.255.255.0 a 0

neigh 2.1.1.2 int outside (this is the outside IP of ASA1)

----------

on R2

router ospf 10

net 20.1.1.1 0.0.0.0 a 0 (loopback IP)

net 4.1.1.1 0.0.0.0 a 0

thanks

kirti.

laurent.geyer · ‎05-21-2007

One more question, are R1 and R2 supposed to be able to talk OSPF or only ASA1 and ASA2?

kirti_bapat · ‎05-21-2007

i have enabled ospf on R1 and R2, so that the respective loopbacks on these routers are advertised; and thus i can send traffic from one loopback to another over the IPSEC tunnel.

hence i am running ospf on routers as well as asa.

thanks

kirti.

laurent.geyer · ‎05-21-2007

I see your loopback, but I don't see the interface you share with firewall on the inside.

In order to get this OSPF traffic accross the tunnel you need your router to be connected to the firewall on the inside interface in some sort of fashion.

kirti_bapat · ‎05-22-2007

hi i am already running opsf between the asa inside and the inside router and the loopback is on the inside router. on the asa i am receiving the loopback route via ospf.

the problem is the ospf running on the outside of the asa . i am not able ot establish ospf neighbourship between the 2 asa outside.

the ipsec tunnel is up and running.

regards

kirti

kirti_bapat · ‎05-22-2007

also, just FYI i am configuring as per this doc: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

thanks

kirti

kirti_bapat · ‎05-23-2007

can somebody please help me with this issue.

waiting for reply.

thanks

kirti.

kirti_bapat · ‎05-26-2007

has anybody been able to implement ospf over ipsec vpn tunnel ?

please let me know the configuration.

regards

kirti.