Cisco Support Community
Community Member

Pushing OSPF over Lan-to-Lan VPN

This is an exersize in learning, and I'm getting stuck on the OSPF/Routing piece.

What I am wanting to do is build a Lan-to-Lan VPN network between a 2811 and a 3005. Once that is done, inner routers at each site will run OSPF and should populate routes between the sites.

I have built the VPN Lan-to-Lan sucessfully, but I am not able to get the Inner Routers to build neighbor relationships. Likely, I am missing something fundamental.

The outer/gateway/vpn devices at each site (2800 and 3005) are not participating in OSPF. I have configured the near and far side networks on each VPN device and have full connectivity between all clients at both sites. My challenge is to get the gateway devices to forward the OSPF Multicasts to the far side network and delivered to the Inner Router.

I understand that the Neighbor Relationship is built with Hello Messages between routers that share a common segment. I assumed that the VPN tunnel between sites would simulate this "common segment" function by identifying the multicast traffic as "interesting" and thus forward the multicast to the far end. To get to this, I used an access list to identify the source networks and then identified the destination as, thinking that the local VPN device would see the multicast communication from the Inner Router and encapsulate it for passage to the far end. Once arriving, the far end would un-encapsulate it and deliver it to the inside interface where the far end Inner Router would recieve the multicast Hello message.

Here is what the network looks like:


So my assumption is that this is not working because the two Inner Routers do not share the "common segment" which likely requires identical subnet/mask.

Is there any way to make this kind of environment work, or possibly an alternative solution where the Outer/VPN devices do not participate in the Routing Protocol but the Inner Routers do?

Thanks for any assistance you can offer.

Cisco Employee

Re: Pushing OSPF over Lan-to-Lan VPN


IPSEC does not encrypt Multicast Traffic. So, the tunnel between the VPN3000 and Router will not encrypt the OSPF Multicast packets and hence no OSPF Neighbor/Adjacency/Routing. Your best option with the above set up is to configure GRE Tunnel between two routers behind the VPN3000 and VPN Router and then configure OSPF across the GRE Tunnel. Since, OSPF Multicast packets are encapsulated into GRE and the VPN3000 sees the GRE packet only and not the MC Packets within GRE, VPN3000 will encrypt the packets and send it across.

Refer the below URL, this is actually for a Pix but the concept is the same.



*Pls rate if it helps*

CreatePlease to create content