Cisco Support Community
New Member

How to inject to OSPF a route to a subnet behind IPSEC VPN?

I have a router that runs OSPF and terminates IPSEC VPN (no GRE). How can I make the router inject a route to a subnet behind the VPN?

Thanks.

Jarek

8 REPLIES
Cisco Employee

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

The only way I can think of is to use a GRE tunnel and run OSPF on the tunnel.

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

I would agree, you got to have a GRE tun to make it work.

-Jeff

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

Unfortunately, GRE is not an option.

Meanwhile, I believe I found a solution. I configured a static route such as:

ip route remote_subnet mask int_with_IPSEC_crypto-map.

Then, I redistributed the route into OSPF. Seems to be working fine.
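
The approach described in this post, written out as an added example (not the poster's actual configuration): a static route out the crypto-map interface, redistributed into OSPF through a route-map so that only the VPN subnet is injected. The addresses, the interface name, the OSPF process number and the names VPN-REMOTE and VPN-TO-OSPF are constructed placeholders.

```cisco
! Constructed values: 10.20.0.0/24 is the remote subnet behind the VPN,
! Serial0/0 is the interface that carries the crypto map.
ip route 10.20.0.0 255.255.255.0 Serial0/0
!
! Match only the VPN subnet, so other static routes on this router
! are not leaked into OSPF by the redistribution.
ip prefix-list VPN-REMOTE seq 5 permit 10.20.0.0/24
!
route-map VPN-TO-OSPF permit 10
 match ip address prefix-list VPN-REMOTE
!
! Any static route that does not match the route-map falls through to
! its implicit deny and is not redistributed.
router ospf 1
 redistribute static subnets route-map VPN-TO-OSPF
!
! Verify from exec mode:
!   show ip route static
!   show ip ospf database external
```

The redistributed prefix appears in OSPF as an external route, and it stays advertised for as long as the static route is in the routing table, whether or not the IPsec tunnel is up.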

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

You can run ospf in non-broadcast mode on the interface, using neighbor statements, which will use unicast. Or RIP/EIGRP with neighbor statements which will also use unicasts.

int x/y
 ip ospf network non-broadcast

router ospf 1
 neighbor a.b.c.d.....

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

Did you mean to run OSPF over the Internet to the neighbor's public address?

How about if the IPSec tunnel is terminated on a device not supporting OSPF, such as PIX?

Please explain. Thanks.

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

Hello,

Ideally I mean the following:

router 1 -ospf- vpn router 1--- ospf over ipsec (unicast ) --- vpn router 2 --- ospf router 2

Router 1 passes the route to vpn router 1, which uses ospf non broadcast to send it over ipsec to vpn router 2, which then forwards it to router 2.

In your case it sounds like the VPN routers are PIX, so I can't see a way to send the OSPF without GRE. The other option is to redist on router 1 into RIP and do unicast RIP from router 1 to router 2 (bypassing the VPN routers), and put statics on the PIXes to resolve next hops. This will require the no update-verify source command.

Regards

Ian

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

Hi Ian,

My setup is less complicated, but it leaves less space to maneuver. The OSPF router also terminates the IPSec VPN. The tunnel goes to a PIX at the remote end. There are no routers at the remote site.

Jarek

New Member

Re: How to inject to OSPF a route to a subnet behind IPSEC VPN?

Hi Jarek,

I think PIX only runs RIP listen, is that correct? If so, you will need to deploy a router next to the PIX at the remote site and run unicast RIP to it, or front the PIX with a router, and terminate IPSEC on it, then you can run OSPF non-broadcast between the two IPSEC termination routers.

Regards

Ian
