Multicast via VPN to ASA

Unanswered Question
May 8th, 2008

I have a requirement to allow multicast traffic from a workstation that connects to an ASA via a Remote Access VPN.

Once authenticated to the ASA on the VPN they want to start a program that requires multicast in order to connect to a server also via multicast.

I have been reading and I understand how the ASA can be a Multicast RP and forward info accordingly. However, none of the documentation discusses doing this via a remote access VPN. Is this possible?

If so, what steps / gotchas should I look out for?

smalkeric Wed, 05/14/2008 - 08:05

A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier. In principle, the Destination Address may be a unicast address, an IP broadcast address, or a multicast group address. However, IPsec SA management mechanisms currently are defined only for unicast SAs.

The receiver-orientation of the Security Association implies that, in the case of unicast traffic, the destination system will normally select the SPI value. By having the destination select the SPI value, there is no potential for manually configured Security Associations to conflict with automatically configured (e.g., via a key management protocol) Security Associations or for Security Associations from multiple sources to conflict with each other. For multicast traffic, there are multiple destination systems per multicast group. So some system or person will need to coordinate among all multicast groups to select an SPI or SPIs on behalf of each multicast group and then communicate the group's IPsec information to all of the legitimate members of that multicast group via mechanisms not defined

sushilmenon Wed, 05/14/2008 - 11:37

Hi, in short, IPsec doesn't support protecting multicast or broadcast traffic.

In remote access VPN the only solution for providing multicast protection in IPsec is using an L2TP tunnel, wherein the multicast traffic is encapsulated in PPP and then the PPP frames are encrypted using IPsec.

The Cisco VPN client doesn't support L2TP; you will need to use the Windows L2TP client.

Hope this helps.
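An added illustration of the two answers above (example code, not from the thread or from Cisco): a toy Security Association Database keyed by the (SPI, destination, protocol) triple, showing why a packet to a multicast group finds no SA on a plain remote-access IPsec tunnel, and why wrapping it in PPP/L2TP first makes the outer destination the client's unicast address so the existing SA applies. The client address, group address and SPI are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SA:
    # RFC 2401: an SA is identified by (SPI, destination address, protocol).
    spi: int
    dst: str
    proto: str  # "ESP" or "AH"


# Constructed sample SAD: one remote-access client; the receiver (the client)
# chose the SPI for its own unicast address, as the RFC text describes.
CLIENT_IP = "10.10.10.5"   # assumed VPN pool address of the client
GROUP = "239.1.1.1"        # assumed multicast group the application joins
SAD = [SA(spi=0x1234ABCD, dst=CLIENT_IP, proto="ESP")]


def lookup_sa(sad: List[SA], dst: str, proto: str = "ESP") -> Optional[SA]:
    """Outbound SA selection by (dst, proto). Only unicast SAs exist, so a
    multicast destination never matches an entry negotiated by IKE."""
    for sa in sad:
        if sa.dst == dst and sa.proto == proto:
            return sa
    return None


def l2tp_encapsulate(inner_dst: str, client_ip: str) -> dict:
    """Model of the L2TP/IPsec path: inner IP packet -> PPP frame -> L2TP over
    UDP/1701 -> outer IP packet addressed to the client's unicast address."""
    return {
        "outer_dst": client_ip,
        "outer_proto": "UDP/1701",
        "inner_dst": inner_dst,
        "inner_is_multicast": ipaddress.ip_address(inner_dst).is_multicast,
    }


def forward(sad: List[SA], inner_dst: str, client_ip: str, use_l2tp: bool) -> Optional[SA]:
    """Return the SA that protects the packet, or None when IPsec has none for it."""
    outer_dst = l2tp_encapsulate(inner_dst, client_ip)["outer_dst"] if use_l2tp else inner_dst
    return lookup_sa(sad, outer_dst)


if __name__ == "__main__":
    print("unicast, plain IPsec:  ", forward(SAD, CLIENT_IP, CLIENT_IP, False))
    print("multicast, plain IPsec:", forward(SAD, GROUP, CLIENT_IP, False))
    print("multicast, L2TP/IPsec: ", forward(SAD, GROUP, CLIENT_IP, True))
```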
