Suitable VPN option?

Unanswered Question
Mar 12th, 2010
I am planning to deploy a VPN connection between the Head Office, a couple of branch offices and Remote Access VPN.

Some of the offices have a router as the internet-facing device and others have a firewall as the internet-facing device.

I am planning that if all the VPN connections are terminated in one place, it would be easy. I have configured several options. I thought of DMVPN initially. I guess I can't implement DMVPN on a firewall and for remote access VPN. Am I right?

Then I thought about GRE/IPsec VPN, so that I could use dynamic routing protocols for routing. But again, I assume the ASA/PIX will have some issues with GRE.

Could anyone please suggest any suitable options for me? The main requirements are: I have routers as well as firewalls at the front end, and I want to use dynamic routing protocols for routing.


Federico Coto F... Fri, 03/12/2010 - 08:21


To use an IGP, plain IPsec is not going to work.

To be able to have a DMVPN network or IPsec/GRE you need routers (ASA will not work).

So there's no problem with the routers, but with the ASAs; from ASA 7.x code you can run OSPF via IPsec.

Take a look:


nimalrajphilips Fri, 03/12/2010 - 08:37
Hi, I have heard about this. But my question is, if I do IPsec with OSPF, it will be between two ASA/PIX. Isn't it?

How about the connection between the router & firewall?

Please keep in mind that I want all the VPN connections to be interconnected (hub and spoke), so that the traffic can pass between all the locations.

The ideal VPN connection will look like this.


Federico Coto F... Fri, 03/12/2010 - 08:50

The OSPF configuration through IPsec between ASAs is possible because the actual OSPF is unicast through the tunnel.

The only way I see this working between a router and an ASA is if the router is configured for point-to-point non-broadcast (have not tried it).

The problem that I see is that for VPNs, the ASA only supports plain IPsec or SSL.

Only the routers support regular dynamic routing protocols by means of DMVPN, GRE/IPsec, GETVPN, VTIs, etc.

The ideal scenario that you're looking for will work perfectly with just routers, or using the firewalls but trying the OSPF configuration.


nimalrajphilips Mon, 03/15/2010 - 03:03
Is this a weird scenario that only I have? I was thinking this is a more general design in any big company.

How about using just static routes rather than routing protocols? Since I have only a few remotes, can I use normal IPsec VPN with static routes to connect to all sites from any spoke in a hub-and-spoke model?

Federico Coto F... Mon, 03/15/2010 - 09:16

You can use static routes to the ASAs and that will work fine.

If there are only a few ASAs, you can still run an IGP between the routers.

The restriction of the ASA is basically this:

They don't support a routing protocol through the IPsec tunnel, because they only run plain IPsec.
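
Added example of the design the answers above converge on (example configuration, not posted by anyone in the thread): one hub router runs GRE/IPsec with OSPF to a spoke router, and a plain IPsec crypto map with static routes to a branch ASA; the static route for the ASA's LAN is redistributed into OSPF so the spoke learns it. All addresses, names and pre-shared keys are assumed placeholders, and the commands are standard IOS syntax.

```cisco
! === Hub router (IOS). Assumed: WAN 203.0.113.1, LAN 10.1.0.0/16,
! spoke router WAN 203.0.113.2, branch ASA WAN 203.0.113.3 with LAN 10.3.0.0/16
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 203.0.113.2
crypto isakmp key ASA-PSK-PLACEHOLDER address 203.0.113.3
!
! Transport mode is enough for GRE: only the GRE payload needs protection
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-GRE
!
! GRE/IPsec tunnel to the spoke router; OSPF adjacency forms inside it
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile PROT-GRE
!
! Plain IPsec (crypto map) to the branch ASA: no IGP, interesting traffic by ACL
crypto ipsec transform-set TS-L2L esp-aes 256 esp-sha-hmac
ip access-list extended HUB-TO-ASA
 permit ip 10.0.0.0 0.255.255.255 10.3.0.0 0.0.255.255
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS-L2L
 match address HUB-TO-ASA
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
!
! Static route for the ASA's LAN; redistribution lets the spoke learn it via OSPF,
! so spoke-to-ASA traffic is hairpinned through the hub as in a hub-and-spoke design
ip route 10.3.0.0 255.255.0.0 203.0.113.3
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 redistribute static subnets
```

The ASA side is its usual LAN-to-LAN crypto map with a mirror-image interesting-traffic ACL, plus a `route outside` for the other sites' prefixes pointing at the hub's WAN address, since the ASA cannot learn them through the tunnel.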


nimalrajphilips Mon, 03/15/2010 - 09:18
I will try the static route option in the next couple of days and update here.

