
ASA VPN/IPsec with multi-area OSPF (PIX Version 7.x or ASA)

rganascim
Level 1

Hi All,

Is it possible using ASA without GRE tunnels to pass OSPF traffic and set an OSPF area ID for each VPN peer/neighbor?

I'm testing in an internal lab, and it worked only with one OSPF area for all VPN peers, just as in the Cisco site example [1]. If I change the area of a neighbor (via the 'network' command), they log conflicts between the neighbor area and the interface area.

Thanks.

[1] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

4 Replies

Jennifer Halim
Cisco Employee

If you use the "neighbor" command, OSPF will work as unicast instead of multicast, and you can pass the routing updates through the IPSec tunnel. If you are trying to use OSPF multicast through the IPSec tunnel, it is not supported, as IPSec does not support multicast traffic natively. You would need to have a GRE tunnel to encapsulate that multicast traffic prior to it being encrypted with IPSec. GRE tunnels are only supported on IOS routers, not on ASA.
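
The unicast setup described in this reply, as an added configuration sketch (not from the thread or the linked Cisco document), showing only the OSPF-relevant lines in ASA 7.x-style syntax. The addresses (192.0.2.1 local outside, 198.51.100.1 remote peer outside, 192.0.2.254 next hop, the 10.x inside subnets), the process ID and the ACL name L2L_CRYPTO are constructed; the crypto map and tunnel-group lines are omitted.

```cisco
! Constructed example values throughout; adjust to the real topology.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 ! Send OSPF packets as unicast to a configured neighbor instead of multicast
 ospf network point-to-point non-broadcast
!
! Crypto ACL (hypothetical name): OSPF (IP protocol 89) between the two tunnel
! endpoints has to match, otherwise the routing updates do not go through the
! IPSec tunnel. The second line is the usual site-to-site data traffic.
access-list L2L_CRYPTO extended permit ospf host 192.0.2.1 host 198.51.100.1
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
router ospf 1
 ! The outside interface is placed in exactly one area; the neighbor reached
 ! through it is in that same area.
 network 192.0.2.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
 neighbor 198.51.100.1 interface outside
!
! The neighbor is not on a directly connected subnet, so it needs a static route
route outside 198.51.100.1 255.255.255.255 192.0.2.254
```

After the tunnel is up, `show ospf neighbor` on each side shows whether the adjacency formed over the tunnel.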

Thanks Halijenn!


But is it possible to set a different OSPF area ID for each 'neighbor' configured? Or just the same OSPF area of the interface?

The idea is that each remote site has its own area id.

Regards,

Rafael

No, you can't have 1 interface belonging to multiple ospf areas.

Then, for each remote site to have its own area ID, I must use a GRE tunnel between two routers (or another OSPF/GRE-capable device) before the ASA Lan2Lan? Is that right?
