05-03-2010 08:43 AM - edited 02-21-2020 04:37 PM
Hi All,
Is it possible, using an ASA without GRE tunnels, to pass OSPF traffic and set an OSPF area ID for each VPN peer/neighbor?
I'm testing in an internal lab, and it only worked with one OSPF area for all VPN peers, just as in the Cisco site example [1]. If I change the area of a neighbor (via the 'network' command), the logs show conflicts between the neighbor area and the interface area.
Thanks.
05-03-2010 06:48 PM
If you use the "neighbor" command, OSPF will work as unicast instead of multicast, and you can pass the routing updates through the IPsec tunnel. If you are trying to use OSPF multicast through the IPsec tunnel, it is not supported, as IPsec does not support multicast traffic natively. You would need a GRE tunnel to encapsulate that multicast traffic before it is encrypted with IPsec. GRE tunnels are only supported on IOS routers, not on the ASA.
05-04-2010 04:14 AM
Thanks Halijenn!
But is it possible to set a different OSPF area ID for each 'neighbor' configured? Or only the same OSPF area as the interface?
The idea is that each remote site has its own area id.
Regards,
Rafael
05-04-2010 04:25 AM
No, you can't have one interface belonging to multiple OSPF areas.
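The two answers above (unicast OSPF via the "neighbor" command over IPsec, and one area per interface) fit together in a configuration like the following. This is an added illustration, not a configuration from the thread or from the Cisco example the question cites; all addresses, ACL and process names are constructed, and the IKE policy, transform set, crypto map and tunnel-group lines that complete a LAN-to-LAN tunnel are left out so that only the OSPF-relevant parts show.

```cisco
! Added example: ASA peering by unicast OSPF with two IPsec LAN-to-LAN neighbors.
! Constructed values: outside interface 203.0.113.1/24, local LAN 10.0.0.0/24,
! peers 198.51.100.1 (site A, LAN 10.1.0.0/24) and 192.0.2.1 (site B, LAN 10.2.0.0/24).
!
! Crypto ACLs. The unicast OSPF packets are sourced from the ASA's own outside
! address to the peer's address, so that host-to-host OSPF traffic (IP protocol 89)
! must be part of the crypto ACL next to the protected LAN subnets; otherwise the
! hellos leave the interface in clear text and the adjacency never forms.
access-list L2L-SITE-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L-SITE-A extended permit ospf host 203.0.113.1 host 198.51.100.1
access-list L2L-SITE-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L-SITE-B extended permit ospf host 203.0.113.1 host 192.0.2.1
!
! OSPF. The outside interface can belong to exactly one area, so every peer reached
! through it is configured for that same area (area 0 here); the remote side of
! each tunnel must use area 0 on its VPN-facing interface as well, or its hellos
! carry a mismatched area ID and are dropped with the conflict logged in the thread.
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 network 10.0.0.0 255.255.255.0 area 0
 ! One neighbor statement per VPN peer turns hellos and updates into unicast.
 neighbor 198.51.100.1 interface outside
 neighbor 192.0.2.1 interface outside
```

If each remote site truly needs its own area, the area boundary has to sit on a device that can terminate a GRE (or other point-to-point) tunnel per site, with the ASA tunnel carrying the encapsulated traffic, which is what the follow-up question in the thread arrives at.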
05-04-2010 04:38 AM
Then, for each remote site to have its own area ID, I must use a GRE tunnel between two routers (or other OSPF/GRE-capable devices) in front of the ASA LAN-to-LAN? Is that right?