03-12-2010 01:37 AM
Hi,
I am planning to deploy a VPN connection between the Head Office, a couple of branch offices and Remote Access VPN.
Some of the offices have a Router as internet facing and others have a Firewall as internet facing.
I am planning that if all the VPN connections are terminated in one place, it would be easy. I have configured several options. I thought of DMVPN initially. I guess I can't implement DMVPN on a firewall and remote access VPN. Am I right?
Then I thought about GRE/IPSec VPN, so that I could use dynamic routing protocols for routing. But again, I assume ASA / PIX will have some issues with GRE.
Could anyone please suggest any suitable options for me? The main requirements are: I have routers as well as firewalls at the front end, and I want to use dynamic routing protocols for routing.
Cheers
03-12-2010 08:21 AM
Hi,
To use an IGP, plain IPsec is not going to work.
To be able to have a DMVPN network or IPsec/GRE you need routers (ASA will not work).
So, there's no problem with the routers, but with the ASAs; from ASA 7.x code you can run OSPF via IPsec.
Take a look:
Federico.
03-12-2010 08:37 AM
Hi, I have heard about this. But my question is, if I do IPSec with OSPF, it will be between two ASA/PIX. Isn't it?
How about the connection between the router & firewall?
Please keep in mind that I want all the VPN connections to be interconnected (Hub & Spoke), so that the traffic can pass between all the locations.
The ideal VPN connection will look like this.
Cheers
03-12-2010 08:50 AM
The OSPF configuration through IPsec between ASAs is because the actual OSPF is unicast through the tunnel.
The only way I see this working between a router and an ASA is if the router is configured for point-to-point non-broadcast (have not tried it).
The problem that I see is that for VPNs, the ASA only supports plain IPsec or SSL.
Only the routers support regular dynamic routing protocols via means of DMVPN, GRE/IPsec, GETVPN, VTIs, etc.
The ideal scenario that you're looking for will work perfectly with just routers, or using the Firewalls, but trying the OSPF configuration.
Federico.
03-15-2010 03:03 AM
Is this a weird scenario that only I have? I was thinking this is a more general design in any big company.
How about using just static routes rather than routing protocols? Since I have only a few remotes, can I use normal IPSec VPN with static routes to connect to all sites from any spoke in a hub and spoke model?
03-15-2010 09:16 AM
You can use static routes to the ASAs and that will work fine.
If there are only a few ASAs, you can still run an IGP between the routers.
The restriction of the ASA is basically this:
They don't support a routing protocol through the IPsec tunnel, because they only run plain IPsec.
Federico.
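As an added, constructed example (not configuration from this thread or from Federico), here is roughly what the hub ASA side of the static-route hub-and-spoke design discussed above looks like, using RFC 5737 addresses, assumed spoke subnets and placeholder pre-shared keys, with the interfaces assumed to be named `outside` and `inside`. It shows the three things the hub needs when there is no IGP over the tunnels: a static route for every spoke subnet, crypto ACLs that also cover spoke-to-spoke pairs, and hairpinning permitted on the outside interface.

```cisco
! Hub ASA, constructed example (ASA 8.2-style syntax).
! Hub LAN 10.0.0.0/24; Spoke A LAN 10.1.0.0/24 behind peer 198.51.100.2;
! Spoke B LAN 10.2.0.0/24 behind peer 198.51.100.3.
! Hub outside next hop (ISP gateway) is 203.0.113.254.
!
! Spoke-to-spoke traffic arrives and leaves on the same interface (outside),
! so the hub must be allowed to hairpin it.
same-security-traffic permit intra-interface
!
! Crypto ACLs: each spoke's tunnel must carry hub<->spoke AND the other
! spoke's subnet, otherwise the second leg of a spoke-to-spoke flow is
! never matched and leaves the hub in clear text (or is dropped).
access-list VPN_SPOKE_A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN_SPOKE_A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN_SPOKE_B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_SPOKE_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Static routes take the place of the IGP: every remote subnet is pointed
! out the outside interface so the crypto map can pick the packets up.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
route outside 10.1.0.0 255.255.255.0 203.0.113.254 1
route outside 10.2.0.0 255.255.255.0 203.0.113.254 1
!
! NAT exemption for the VPN subnets (nat 0 / twice NAT) is also required
! on a hub that does NAT; it is omitted here for brevity.
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_SPOKE_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_SPOKE_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.3
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per spoke peer; keys are placeholders, not real values.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <SPOKE_A_PSK_PLACEHOLDER>
tunnel-group 198.51.100.3 type ipsec-l2l
tunnel-group 198.51.100.3 ipsec-attributes
 pre-shared-key <SPOKE_B_PSK_PLACEHOLDER>
```

Each spoke then needs the mirror image: a crypto ACL from its own LAN to the hub LAN and to every other spoke LAN, all sent to the single hub peer, plus static routes for those subnets. Adding a spoke means touching every other spoke's crypto ACL, which is the operational cost of static routes that the thread's IGP question was trying to avoid.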
03-15-2010 09:18 AM
I will try the static route option in next couple of days and update here.