OSPF routing over IPSEC

Unanswered Question
Apr 8th, 2009
I currently have a client with over 50 site-to-site IPSEC VPN tunnels running GRE tunnels to enable them to use OSPF routing. I wish to build a tunnel from our ASA 5510 to most of these remote sites (most sites are using fairly old Cisco routers). The problem I have is that the ASA does not seem to support GRE tunnels, so how can I get OSPF routing to work? I have a basic tunnel up and running but am not sure how to proceed, if it is even possible. To change all the client tunnels to use tunnel protection, thus bypassing the need for OSPF, would not really be a viable solution, as they would have to do a lot of network changes which I believe they would be unwilling to do.

Any ideas anyone?

paolo bevilacqua Wed, 04/08/2009 - 07:26
You cannot build a scalable and manageable network with ASAs and old routers only.

What you want is a modern DMVPN solution and in practice that means you have ISR routers everywhere.

You can go around and around but will find that there is no quality alternative, just clumsy workarounds.

Velos-itnet Wed, 04/08/2009 - 07:30
Hi, thanks for the response.

I understand that this does not scale as a solution, but as the older routers belong to a client and not to my own organisation there is very little I can do at this time to influence their current architecture. What I need for the moment is some sort of workaround to allow me to build a site-to-site VPN to my client's network and be able to exchange routes with them via OSPF.

paolo bevilacqua Wed, 04/08/2009 - 07:35
Place a router behind the ASA. Terminate IPsec in the ASA, or do not do IPsec at all. Terminate GRE in said router. Use multipoint GRE to the extent possible.

Give the re-design issue to an able salesperson in order to convince the client about the limits of the current hardware and move away from unsatisfying workarounds.
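One way to wire up the design described in this reply (IPsec terminated on the ASA, GRE and OSPF terminated on a router on the inside), as an added configuration example; it is not configuration from this thread, from the poster or from Cisco. Everything in it is an assumption: ASA 8.2-style syntax, 203.0.113.10 as the ASA outside address, 203.0.113.5 as the remote site router (which sources its GRE tunnel from that public address, as the existing tunnels are assumed to), 10.1.1.1 as the ASA inside address, 10.1.1.2 as the inside router, 10.1.0.0/16 and 10.2.0.0/16 as the two LANs, 172.16.0.0/30 as the tunnel subnet, and the key values are placeholders. The point it shows is that the ASA only ever sees unicast GRE (IP protocol 47) between 10.1.1.2 and 203.0.113.5, so the OSPF multicast hellos never have to match the crypto map themselves; that is exactly why a bare ASA IPsec tunnel cannot carry OSPF and a GRE endpoint behind it can.

```cisco
! ===== ASA 5510 (8.2-style syntax, assumed) =====
! Interesting traffic for the SA: only the GRE between the inside router and the remote router.
access-list VPN_TO_SITE2 extended permit gre host 10.1.1.2 host 203.0.113.5
! NAT exemption: the remote router must see the GRE coming from 10.1.1.2 unchanged.
access-list NONAT extended permit ip host 10.1.1.2 host 203.0.113.5
nat (inside) 0 access-list NONAT
! IKE phase 1 (parameters constructed for the example).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
! IPsec phase 2.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
! Decrypted GRE reaches 10.1.1.2 because "sysopt connection permit-vpn" is on by default;
! if it has been turned off, an outside ACL entry permitting gre to host 10.1.1.2 is needed.
! The ASA learns the remote LAN from the inside router over OSPF instead of a static route.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0

! ===== Inside IOS router: GRE and OSPF endpoint (assumed addresses) =====
interface GigabitEthernet0/0
 description inside segment shared with the ASA
 ip address 10.1.1.2 255.255.255.0
!
interface Tunnel0
 description GRE to the remote site, carried inside the ASA's IPsec SA
 ip address 172.16.0.1 255.255.255.252
 ! Leave room for GRE + ESP overhead so the ASA does not have to fragment.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.5
 ! Authenticate the adjacency so only the intended peer can inject routes.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
!
router ospf 1
 router-id 10.1.1.2
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! GRE packets to 203.0.113.5 leave via the ASA, which encrypts them.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

The remote router needs the mirror image: a Tunnel interface with `tunnel destination 10.1.1.2`, the same OSPF key, and a crypto ACL of `permit gre host 203.0.113.5 host 10.1.1.2` with 203.0.113.10 as the peer. Check with `show crypto ipsec sa` on the ASA (encaps/decaps counters climbing on the GRE proxy identity) and `show ip ospf neighbor` on the router (neighbour in FULL on Tunnel0); if the SA is up but the adjacency stays in INIT, the usual causes are a mismatched OSPF key or a tunnel MTU too large for the encrypted path.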

Velos-itnet Wed, 04/08/2009 - 07:49
I think you are probably right. I was considering terminating the IPSEC tunnel on the ASA and the GRE tunnels on a Juniper SSG 140 that sits behind the ASA to get around it, but it may be cleaner to do as you say and take the hit of installing a Cisco router.