OSPF over IPSEC VPN Problem with ASA 5520's

Unanswered Question

I am having a problem getting OSPF LSA's over an IPSEC VPN tunnel

Our Network Currently has OSPF at the Core in 2 different locations, our main site has a BGP routing based IPVPN (Time Warner MPLS Dedicated Circuit) to our Sister location. This is being redistributed into OSPF on both sides and works well. I want to put in a redundant IPSEC VPN over the internet in the event of a dedicated Circuit meltdown. I have configured the IPSEC VPN and it comes up when I take down the IPVPN circuit, I AM able to pass traffic based on the crypto map traffic ACL's. However I'm unable to get the ASA's on both sides to become adjacent neighbors. As a reuslt I get no routes in my OSPF table to the other side. Debug OSPF shows that I am receiving hellos from our sister site, but our sister site never receives hellos from our main site. At First I thought that maybe I had a a route still being advertised somewhere, and verfied that with the IPVPN Circuit down there are not routes in the routing table. Has anyone ever done OSPF over IPSEC VPN without using a GRE tunnel before?

When you guys have the time please take a look at my OSPF configurations and tell me what I have missed, I have enclosed both ASA configurations, and a WAN map.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dongdongliu Wed, 02/13/2008 - 22:35

what`s the 44.18.208.65? I think it`s a internet access equipment,maybe it`s a ISP.

44.18.208.65 and 55.163.15.126 are both gateway.

because louasa001 and dalasa001 have both set crypto peer:

crypto map Outside_2_map 20 set peer 55.163.15.123

crypto map Outside_2_map 20 set peer 44.18.208.93

and there are some default route are configured in the louasa001 and dalasa001,so louasa001 and dalasa001 can find peer each other.

gateway will be in charge of pass traffic.

btw,

why network 44.18.208.64 255.255.255.224 belong to area 0 in the louasa001 but belong to area 1 in the dalasa001?

Good Day Dingdongliu, 44.18.20.65 is the ISP router for the louasa5520.

Default route is being set with the route Outside_2 0.0.0.0 0.0.0.0 44.18.208.65 1 statement in Louasa5520.

55.163.15.126 is a CPE router in the Corp location and is the default router for Dalasa5520. The dalasa5520 has its default route being set by the route Outside_2 0.0.0.0 0.0.0.0 55.163.15.126 1 statement. You are correct; the outside IP's are 55.163.15.123 in DalASA5520 and 44.18.209.93 in LouASA5520, and they are Crypto peers. The VPN does come up when I take down the IPVPN circuit and I am able to pass traffic based on the crypto ACL's without any problems.

As for the 44.18.208.64 being in area 1 in the Dalasa5520, this is a misconfig after trying to push the area 0 to the louasa520. orginally, I had the 55.163.15.96 in Area 1 on the DalASA5520 and all of LouASA5520 was in area 1, nice catch. I have changed 44.1.208.64 on the DalASA5520 to be in area 0,

cleared ospf router7, and will test the failover again, here are the changes to Dalasa5520.

router ospf 7

router-id 172.16.100.225

network 172.16.100.224 255.255.255.240 area 0

network 55.163.15.96 255.255.255.224 area 0

network 44.18.208.64 255.255.255.224 area 0

area 0

neighbor 44.18.208.93 interface Outside_2

log-adj-changes

default-information originate always metric 1

Thanks for your Reply.

Actions

This Discussion