745 Views · 0 Helpful · 6 Replies

Suitable VPN option?

nimalrajphilips (Level 1)

Hi,

I am planning to deploy a VPN connection between the Head Office, a couple of branch offices and Remote Access VPN.

Some of the offices have a Router as internet facing and others have a Firewall as internet facing.

I am planning that if all the VPN connections are terminated in one place, it would be easy. I have configured several options. I thought of DMVPN initially. I guess I can't implement DMVPN on a firewall and remote access VPN. Am I right?

Then I thought about GRE/IPsec VPN, so that I could use dynamic routing protocols for routing. But again, I assume ASA / PIX will have some issues with GRE.

Could anyone please suggest any suitable options for me? The main requirements are: I have routers as well as firewalls at the front end, and I want to use dynamic routing protocols for routing.

Cheers

6 Replies

Hi,

To use an IGP, plain IPsec is not going to work.

To be able to have a DMVPN network or IPsec/GRE you need routers (ASA will not work).

So, there's no problem with the routers, but with the ASAs; from ASA 7.x code you can run OSPF via IPsec.

Take a look:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Federico.

Hi, I have heard about this. But my question is, if I do IPsec with OSPF, it will be between two ASA/PIX. Isn't it?

How about the connection between the router & firewall?

Please keep in mind that I want all the VPN connections to be interconnected (Hub & Spoke), so that the traffic can pass between all the locations.

The ideal VPN connection will look like this.

Cheers

The OSPF configuration through IPsec between ASAs works because the actual OSPF is unicast through the tunnel.

The only way I see this working between a router and an ASA is if the router is configured for point-to-point non-broadcast (have not tried it).

The problem that I see is that for VPNs, the ASA only supports plain IPsec or SSL.

Only the routers support regular dynamic routing protocols by means of DMVPN, GRE/IPsec, GETVPN, VTIs, etc.

The ideal scenario that you're looking for will work perfectly with just routers, or using the Firewalls but trying the OSPF configuration.

Federico.

Is this a weird scenario that only I have? I was thinking this is a more general design in any big company.

How about using just static routes rather than routing protocols? Since I have only a few remotes, can I use normal IPsec VPN with static routes to connect to all sites from any spoke in a hub and spoke model?

You can use static routes to the ASAs and that will work fine.

If there are only a few ASAs, you can still run an IGP between the routers.

The restriction of the ASA is basically this:

They don't support a routing protocol through the IPsec tunnel, because they only run plain IPsec.

Federico.
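The static-route hub-and-spoke design accepted above has one property worth seeing written out: with plain IPsec (no GRE, no IGP) a spoke-to-spoke flow crosses two tunnels, and each tunnel's crypto ACL, on both ends, must match it, so the hub ends up carrying the mirror of every spoke entry and hairpinning the traffic back out. The Python below is an added example, not code from this thread or from Cisco; it models that design for a constructed topology (site names, RFC 1918 LAN subnets and RFC 5737 peer addresses are all assumed), derives the crypto ACLs and static routes each site needs, and traces a packet hop by hop so a missing ACL line is reported at the site where it breaks.

```python
"""Model of the static-route hub-and-spoke IPsec design discussed above.

Added example; the topology (site names, LAN subnets, peer addresses) is
constructed from RFC 1918 and RFC 5737 documentation ranges.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: one hub (head office) and three spokes (branches).
SITES = {
    "hub":    {"lan": "10.0.0.0/16", "peer": "203.0.113.1"},
    "spoke1": {"lan": "10.1.0.0/16", "peer": "198.51.100.1"},
    "spoke2": {"lan": "10.2.0.0/16", "peer": "198.51.100.2"},
    "spoke3": {"lan": "10.3.0.0/16", "peer": "198.51.100.3"},
}
HUB = "hub"


def crypto_acls(sites=SITES, hub=HUB):
    """Return {site: [(src_net, dst_net, remote_peer), ...]}.

    With plain IPsec (no GRE, no IGP) a spoke-to-spoke flow crosses two
    tunnels and must be matched by the crypto ACL of each, so every spoke
    lists every other site's LAN toward the hub, and the hub carries the
    exact mirror of each entry on the corresponding spoke tunnel.
    """
    acls = {name: [] for name in sites}
    hub_peer = sites[hub]["peer"]
    for spoke, cfg in sites.items():
        if spoke == hub:
            continue
        local = ip_network(cfg["lan"])
        for other, other_cfg in sites.items():
            if other == spoke:
                continue
            remote = ip_network(other_cfg["lan"])
            acls[spoke].append((local, remote, hub_peer))   # spoke side
            acls[hub].append((remote, local, cfg["peer"]))  # hub side
    return acls


def static_routes(sites=SITES, hub=HUB):
    """Return {site: {dst_net: next_hop_peer}}: spokes send every remote LAN
    to the hub; the hub sends each spoke LAN to that spoke."""
    routes = {name: {} for name in sites}
    hub_peer = sites[hub]["peer"]
    for name, cfg in sites.items():
        if name == hub:
            continue
        routes[hub][ip_network(cfg["lan"])] = cfg["peer"]
        for other, other_cfg in sites.items():
            if other != name:
                routes[name][ip_network(other_cfg["lan"])] = hub_peer
    return routes


def acls_mirror(acls, sites=SITES, hub=HUB):
    """True when every spoke entry (src, dst, hub) has the hub entry (dst, src, spoke)."""
    for spoke, entries in acls.items():
        if spoke == hub:
            continue
        for src, dst, _ in entries:
            if (dst, src, sites[spoke]["peer"]) not in acls[hub]:
                return False
    return True


def drop_entry(acls, site, src, dst, peer):
    """Remove one crypto ACL line (given as strings), simulating a missed entry."""
    acls[site].remove((ip_network(src), ip_network(dst), peer))
    return acls


def _site_of(addr, sites):
    return next(n for n, c in sites.items() if addr in ip_network(c["lan"]))


def trace(src_ip, dst_ip, sites=SITES, hub=HUB, acls=None):
    """Walk a packet through the overlay and return [(site, next_hop_peer), ...].

    At each hop the static route must exist, the sending site's crypto ACL
    toward that peer must cover src->dst, and the receiving site's ACL must
    hold the mirrored entry; otherwise LookupError names where the design breaks.
    """
    if acls is None:
        acls = crypto_acls(sites, hub)
    routes = static_routes(sites, hub)
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    here, target, hops = _site_of(src, sites), _site_of(dst, sites), []
    while here != target:
        nh = next((p for net, p in routes[here].items() if dst in net), None)
        if nh is None:
            raise LookupError(f"{here}: no static route to {dst}")
        if not any(src in s and dst in d and p == nh for s, d, p in acls[here]):
            raise LookupError(f"{here}: crypto ACL to {nh} misses {src}->{dst}")
        nxt = next(n for n, c in sites.items() if c["peer"] == nh)
        if not any(dst in s and src in d and p == sites[here]["peer"]
                   for s, d, p in acls[nxt]):
            raise LookupError(f"{nxt}: no mirrored ACL entry for {src}->{dst}")
        hops.append((here, nh))
        here = nxt
    return hops


if __name__ == "__main__":
    print(trace("10.1.5.5", "10.2.7.7"))  # spoke1 -> hub -> spoke2
```

With one hub and n-1 spokes the hub needs (n-1)² crypto ACL lines and each spoke n-1, which stays manageable for "only a few remotes" but grows quickly, which is exactly why a routed overlay (GRE/IPsec, DMVPN) with an IGP is preferred once the spoke count rises. The trace also shows the hub forwarding spoke traffic back out the interface it arrived on; on an ASA that hairpin must be allowed explicitly with `same-security-traffic permit intra-interface`, and the static routes on each spoke must point the remote LANs at the hub peer, as `static_routes` generates.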

I will try the static route option in next couple of days and update here.
