ASA VPN/IPsec with multi-area OSPF (PIX Version 7.x or ASA)

Unanswered Question
May 3rd, 2010

Hi All,

Is it possible using ASA without GRE tunnels to pass OSPF traffic and set an OSPF area ID for each VPN peer/neighbor?

I'm testing in an internal lab, and it worked only with one OSPF area for all VPN peers, just as in the Cisco site example [1]. If I change the area of a neighbor (via the 'network' command), it logs conflicts between the neighbor area and the interface area.

Thanks.

[1] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Jennifer Halim Mon, 05/03/2010 - 18:48

If you use the "neighbor" command, OSPF will work as unicast instead of multicast, and you can pass the routing updates through the IPsec tunnel. If you are trying to use OSPF multicast through the IPsec tunnel, it is not supported, as IPsec does not support multicast traffic natively. You would need a GRE tunnel to encapsulate that multicast traffic prior to it being encrypted with IPsec. GRE tunnels are only supported on IOS routers, not on the ASA.
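
The unicast-neighbor setup described above, shown as an added ASA configuration fragment; it is not from this thread or from the Cisco example the question links to. Interface names, addresses, the OSPF process ID and the crypto ACL name are all assumed values. The point it illustrates is that the area is a property of the interface (the `network ... area` line that covers the interface address), so every neighbor reached through `outside` belongs to that interface's area; a per-neighbor area cannot be expressed here, which is why a mismatched `network` statement for a remote peer is logged as an area conflict.

```cisco
! Added example (assumed names/addresses), not the original configuration.
! The ASA 'neighbor' command requires the interface OSPF network type
! to be point-to-point non-broadcast, so hellos are sent as unicast.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
router ospf 1
 ! Both the tunnel-facing interface and the LAN live in area 0 here.
 ! The area of 'outside' applies to every neighbor reached through it.
 network 203.0.113.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
 ! Unicast OSPF neighbor: the remote peer's outside address.
 neighbor 203.0.113.2 interface outside
 log-adj-changes
!
! Crypto ACL: the LAN-to-LAN traffic plus the unicast OSPF exchange
! between the two outside addresses, so hellos and LSAs travel inside
! the IPsec tunnel rather than in cleartext on the WAN.
access-list L2L-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L-VPN extended permit ospf host 203.0.113.1 host 203.0.113.2
```

Two checks a practitioner would run after applying this: `show ospf neighbor` should show the peer in FULL state via the `outside` interface, and `show crypto ipsec sa` should show encrypt/decrypt counters increasing on the OSPF entry of the crypto ACL, confirming that the routing protocol itself is being carried encrypted.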

rganascim Tue, 05/04/2010 - 04:14

Thanks Halijenn!

But is it possible to set a different OSPF area ID for each 'neighbor' configured? Or just the same OSPF area as the interface?

The idea is that each remote site has its own area id.

Regards,

Rafael

rganascim Tue, 05/04/2010 - 04:38

Then, for each remote site to have its own area ID, I must use a GRE tunnel between two routers (or another OSPF/GRE-capable device) before the ASA LAN-to-LAN tunnel? Is that right?
