Suitable VPN option?

Unanswered Question
Mar 12th, 2010

Hi,

I am planning to deploy a VPN connection between the Head Office, couple of branch offices and Remote Access VPN.

Some of the office has Router as internet facing and others have Firewall as internet facing.

I am planning, if all the VPN connections are terminated in one place, it would be easy. I have considered several options. I thought of DMVPN initially. I guess I can't implement DMVPN on a firewall and remote access VPN. Am I right?

Then I thought about GRE/IPsec VPN, so that I could use dynamic routing protocols for routing. But again, I assume ASA / PIX will have some issues with GRE.

Could anyone please suggest any suitable options for me? The main requirements are: I have routers as well as firewalls at the front end, and I want to use dynamic routing protocols for routing.

Cheers

Federico Coto F... Fri, 03/12/2010 - 08:21

Hi,

To use an IGP, plain IPsec is not going to work.

To be able to have a DMVPN network or IPsec/GRE you need routers (ASA will not work).

So, there's no problem with the routers, but with the ASAs; from ASA 7.x code you can run OSPF via IPsec.

Take a look:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Federico.

nimalrajphilips Fri, 03/12/2010 - 08:37

Hi, I have heard about this. But my question is, if I do IPsec with OSPF, it will be between two ASA/PIX. Isn't it?

How about the connection between the router & firewall?

Please keep in mind that I want all the VPN connections to be interconnected (Hub & Spoke), so that the traffic can pass between all the locations.

The ideal VPN connection will look like this.

Cheers

Federico Coto F... Fri, 03/12/2010 - 08:50

The OSPF configuration through IPsec between ASAs works because the actual OSPF is unicast through the tunnel.

The only way I see this working between a router and an ASA is if the router is configured for point-to-point non-broadcast (have not tried it).

The problem that I see is that for VPNs, the ASA only supports plain IPsec or SSL.

Only the routers support regular dynamic routing protocols by means of DMVPN, GRE/IPsec, GETVPN, VTIs, etc.

The ideal scenario that you're looking for will work perfectly with just routers, or using the Firewalls, but trying the OSPF configuration.

Federico.

nimalrajphilips Mon, 03/15/2010 - 03:03

Is this a weird scenario that only I have? I was thinking this is a more general design in any big company?

How about using just static routes rather than routing protocols? Since I have only a few remotes, can I use normal IPsec VPN with static routes to connect to all sites from any spoke in a hub and spoke model?

Federico Coto F... Mon, 03/15/2010 - 09:16

You can use static routes to the ASAs and that will work fine.

If there are only a few ASAs, you can still run an IGP between the routers.

The restriction of the ASA is basically this:

They don't support a routing protocol through the IPsec tunnel, because they only run plain IPsec.

Federico.
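As an added illustration of the design this thread converges on (it is not configuration from the thread or from Cisco's documentation): the hub router runs OSPF over an IPsec VTI to a router spoke, and reaches the ASA spoke over a plain IPsec crypto map with a static route that is redistributed into OSPF. Interface names, the OSPF process, the 10.x.x.x site prefixes, the 203.0.113.x / 198.51.100.x public addresses and the `<PSK-...>` placeholders are all assumed values chosen for the example; the ASA side uses the `crypto isakmp` keyword style of the 8.x train discussed in the thread (newer images use `crypto ikev1`).

```cisco
!!! Hub router (head office), Cisco IOS. All names and addresses are assumed.
! IKE / IPsec parameters shared by both spoke types
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-ROUTER-SPOKE> address 203.0.113.2
crypto isakmp key <PSK-ASA-SPOKE> address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Router spoke (branch A): IPsec VTI, so OSPF adjacency forms through Tunnel1
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel1
 description To router spoke, branch A
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! ASA spoke (branch B): plain IPsec crypto map. No IGP crosses this tunnel,
! so its LAN (10.3.0.0/16) is a static route that OSPF advertises to the
! router spokes. Source 10.0.0.0/8 so spoke-to-spoke traffic relayed by
! the hub is also encrypted toward the ASA.
ip access-list extended ASA-SPOKE-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.3.0.0 0.0.255.255
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address ASA-SPOKE-TRAFFIC
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB-MAP
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 10.3.0.0 255.255.0.0 203.0.113.254
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.255 area 0
 redistribute static subnets
!
!!! ASA spoke (branch B). Static routes only; mirror image of the hub's crypto map.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
access-list HUB-VPN extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
! NAT exemption is needed only if inside traffic is otherwise translated
nat (inside) 0 access-list HUB-VPN
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUT-MAP 10 match address HUB-VPN
crypto map OUT-MAP 10 set peer 203.0.113.1
crypto map OUT-MAP 10 set transform-set TS
crypto map OUT-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PSK-ASA-SPOKE>
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route outside 10.0.0.0 255.0.0.0 198.51.100.1
```

The split matters for reachability: the router spokes learn 10.3.0.0/16 from the hub's redistributed static route, while the ASA only ever needs a route for the whole 10.0.0.0/8 toward its outside next hop, because the crypto ACL, not the routing table, decides what enters the tunnel. Adding a second ASA site therefore means a new crypto map entry and static route on the hub, whereas adding a router site means only a new VTI and an OSPF network statement.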
