OSPF routing over IPSEC

Velos-itnet
Level 1

Problem:

I currently have a client with over 50 site-to-site IPSEC VPN tunnels running GRE tunnels to enable them to use OSPF routing. I wish to build a tunnel from our ASA 5510 to most of these remote sites (most sites are using fairly old Cisco routers). The problem I have is that the ASA does not seem to support GRE tunnels, so how can I get OSPF routing to work? I have a basic tunnel up and running but am not sure how to proceed, if it is even possible. To change all the client tunnels to use tunnel protection, thus bypassing the need for OSPF, would not really be a viable solution as they would have to do a lot of network changes which I believe they would be unwilling to do.

Any ideas anyone?

4 Replies

paolo bevilacqua
Hall of Fame

You cannot build a scalable and manageable network with ASAs and old routers only.

What you want is a modern DMVPN solution and in practice that means you have ISR routers everywhere.

You can go around and around but will find that there is no quality alternative, just clumsy workarounds.

Hi, thanks for the response.

I understand that this does not scale as a solution, but as the older routers belong to a client and not to my own organisation there is very little I can do at this time to influence their current architecture. What I need for the moment is some sort of workaround to allow me to build a site-to-site VPN to my client's network and be able to exchange routes with them via OSPF.

Place a router behind the ASA. Terminate IPsec in the ASA, or do not do IPsec at all. Terminate GRE in said router. Use multipoint GRE to the extent possible.

Give the re-design issue to an able salesperson in order to convince the client about the limits of the current hardware and move away from unsatisfying workarounds.

I think you are probably right. I was considering terminating the IPSEC tunnel on the ASA and the GRE tunnels on a Juniper SSG 140 that sits behind the ASA to get around it, but it may be cleaner to do as you say and take the hit of installing a Cisco router.
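
The layout suggested in the thread (IPsec terminated on the ASA, GRE and OSPF terminated on a router behind it), sketched as an added configuration example that is not from any poster. All addresses, the ACL name, the tunnel number and the OSPF key are constructed placeholders, and the ASA's existing crypto map is assumed to reference the ACL shown.

```cisco
! Constructed example: every address, name and key below is a placeholder.

! --- ASA: crypto ACL for the existing site-to-site tunnel ---
! Protect only GRE between the inside router and the remote router,
! so OSPF rides inside GRE and GRE rides inside IPsec.
access-list VPN-SITE1 extended permit gre host 10.10.10.2 host 192.0.2.10
! The remote peer's crypto ACL must be the mirror image of this entry.

! --- IOS router behind the ASA (10.10.10.2): GRE endpoint and OSPF ---
interface Tunnel1
 description GRE to remote site 1
 ip address 172.16.1.1 255.255.255.252
 ! Leave room for GRE + IPsec overhead; OSPF needs the same IP MTU
 ! on both tunnel ends or the adjacency will not complete.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Authenticate the adjacency so only the intended peer can inject routes.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
 tunnel source 10.10.10.2
 tunnel destination 192.0.2.10
!
router ospf 1
 ! Run OSPF on the tunnel only, not on the LAN segment facing the ASA.
 passive-interface default
 no passive-interface Tunnel1
 network 172.16.1.0 0.0.0.3 area 0
```

The GRE host pair must also be exempt from NAT on the ASA so that it matches the crypto ACL unchanged. Restricting the crypto ACL to GRE between two hosts keeps the ASA from encrypting, or accepting through the tunnel, anything other than the routed overlay.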
