05-03-2010 08:43 AM - edited 02-21-2020 04:37 PM
Hi All,
Is it possible, using an ASA without GRE tunnels, to pass OSPF traffic and set an OSPF area ID for each VPN peer/neighbor?
I'm testing in an internal lab and it worked only with one OSPF area for all VPN peers, just as in the Cisco site example [1]. If I change the area of a neighbor (via the 'network' command), it logs conflicts between the neighbor area and the interface area.
Thanks.
05-03-2010 06:48 PM
If you use the "neighbor" command, OSPF will work as unicast instead of multicast, and you can pass the routing updates through the IPSec tunnel. If you are trying to use OSPF multicast through the IPSec tunnel, it is not supported, as IPSec does not support multicast traffic natively. You would need a GRE tunnel to encapsulate that multicast traffic before it is encrypted with IPSec. GRE tunnels are only supported on IOS routers, not on the ASA.
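An added configuration example (not from this thread or from Cisco's documentation) of the unicast setup described above: one ASA running OSPF to a single LAN-to-LAN peer with the "neighbor" command, so no multicast or GRE is needed. The interface names, addresses, ACL/map names and the pre-shared-key placeholder are assumed; the OSPF entry in the crypto ACL is included on the assumption that the ASA's own unicast hellos to the peer must match the crypto map to be sent inside the tunnel rather than in the clear.

```text
! Outside interface: point-to-point non-broadcast makes the ASA send OSPF
! hellos as unicast to the configured neighbor instead of to 224.0.0.5.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 ospf network point-to-point non-broadcast

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! Crypto ACL: the LAN-to-LAN traffic plus the OSPF (IP protocol 89)
! exchange between the two tunnel endpoints (assumed requirement).
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L-TRAFFIC extended permit ospf host 203.0.113.1 host 198.51.100.1

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>

router ospf 1
 ! The area is bound to the interface, not to the neighbor: every peer
 ! reached through "outside" lands in the same area (area 0 here).
 network 203.0.113.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
 neighbor 198.51.100.1 interface outside
 log-adj-changes
```

Verify with `show ospf neighbor` that the peer reaches FULL state and with `show crypto ipsec sa` that the OSPF packets are counted as encrypted, not sent outside the tunnel.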
05-04-2010 04:14 AM
Thanks Halijenn!
But is it possible to set a different OSPF area ID for each 'neighbor' configured? Or only the same OSPF area as the interface?
The idea is that each remote site has its own area id.
Regards,
Rafael
05-04-2010 04:25 AM
No, you can't have 1 interface belonging to multiple ospf areas.
05-04-2010 04:38 AM
Then, for each remote site to have its own area ID, I must use a GRE tunnel between two routers (or other OSPF/GRE-capable devices) in front of the ASA LAN-to-LAN tunnel? Is that right?