Cisco Support Community
New Member

OSPF over IPSEC???

Hi Guys,

Can I run OSPF over basic IPsec (not GRE)?

9 REPLIES
New Member

OSPF over IPSEC???

Also,

I do know that multicast traffic is not allowed over IPSEC. That is a drawback. But there is a concept of reverse-route injection which can accomplish route population across the tunnel. But I am not able to get more information on that.

Please help.

Hall of Fame Super Silver

OSPF over IPSEC???

Arun

In general the answer is that no, you cannot run OSPF over just an IPSec connection. You need some kind of tunnel to transport the multicast traffic. Historically that has been solved by using GRE tunnels with IPSec. Cisco has introduced a feature called VTI (Virtual Tunnel Interface) which allows running dynamic routing protocols without requiring the processing of GRE (and without requiring the crypto map configuration required with GRE tunnels). I have configured quite a few VTI tunnels and they work quite well.

Here is a link with some additional information about VTI.

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

HTH

Rick

New Member

Re: OSPF over IPSEC???

Swwweeeet!!!

That is a very good whitepaper. Thanks Rick.

Would you be kind enough to give me a short gist on RRI too? I did not really get the concept. Configuration wise, I see we do not have to do much except include one command, but, what difference does it make is my question?

Cheers

Arun

New Member

Re: OSPF over IPSEC???

Hello Richard,

I was testing IPsec in my lab, and I noticed that OSPF works even when only IPsec (without GRE) is configured.

I was quite surprised to see the adjacency UP.

Perhaps it depends on the cisco IOS release ( I am using Version 12.4(15)T10)?

I was not sure whether OSPF was going through the IPSEC tunnel, so I double checked removing the ACL or the "crypto map" applied to the interface.

In both cases the adjacency was lost. This should prove that OSPF is working over IPSEC. I hope I am not missing something.

The configuration is quite straightforward:

=====================
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ISAKEY address 10.1.2.2
!
crypto ipsec transform-set TSET esp-aes
!
crypto map CMAP 1 ipsec-isakmp
 set peer 10.1.2.2
 set transform-set TSET
 match address 101
!
! crypto ACL: "any any" proxy identities, so OSPF (IP protocol 89 to
! 224.0.0.5/224.0.0.6) sourced by this router also matches the selector
access-list 101 permit ip any any
!
interface Serial1/0
 ip address 10.1.2.1 255.255.255.252
 serial restart-delay 0
 crypto map CMAP
==============

Cisco Employee

OSPF over IPSEC???

Have a look at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq94342

We do recommend moving away from crypto maps whenever possible, VTI and other logical interfaces are the way to go in ipsec.

New Member

OSPF over IPSEC???

Hello Martin,

unfortunately that bug description is not accessible to common users: "the bug ID CSCtq94342 you searched contains proprietary information that cannot be disclosed at this time"

I suppose I hit an IOS bug? If yes, could you just briefly describe it? The same problem appeared changing the routing protocol to EIGRP.

As far as I know, there is not much to choose from: classic "tunnel protection" and VTI should be the other solution. Are there other solution available?

Thanks for time.

Cisco Employee

OSPF over IPSEC???

Marco,

Not really a bug in the common sense, pasting the description.

It explains what you see and why people in the past might have seen a different behavior. :-)

M.

CSCtq94342 - Self originated, multicast traffic handling through IPsec tunnel

This is a documentation bug only.
Symptom:
A note needs to be added into configuration guide to specify that:
As of release 12.4(9)T multicast traffic originated from the box will be encapsulated into IPsec if proxy identities allow this.
Further description
A typical use case for this is when router is sourcing OSPF packets and traffic selectors for IPsec allows OSPF packets (protocol number 89, group 224.0.0.5 & 224.0.0.6).
As of release 12.4(9)T those packets will be put into the tunnel and encrypted.
At the same time, please be aware that using "any any" as your proxy identities is HIGHLY discouraged.
"any any" proxy identities can be achieved in case of using VTI configuration which is recommended if those proxy identities are desired.
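Rick's reply above recommends VTI instead of a crypto map, and the bug text pasted above explains why the lab config worked only because of the "any any" crypto ACL. The following is an added example, not configuration from any post in this thread, showing the recommended form: a static VTI (tunnel mode ipsec ipv4 with tunnel protection) carrying OSPF, so that no crypto ACL is needed at all and the "any any" proxy identity is implicit in the tunnel. The peer addresses 10.1.2.1/10.1.2.2 and Serial1/0 are taken from the lab config in this thread; the tunnel subnet 172.16.0.0/30, the LAN 192.168.1.0/24, the profile name VTI-PROF, the key string and the cipher choices are assumptions. It assumes an IOS release with IKEv1 support for AES-256 and DH group 14; older 12.4T images may need weaker settings.

```cisco
! --- IKE phase 1 (assumed parameters; pick what your release supports) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 10.1.2.2
!
! --- IPsec transform; tunnel mode is what a VTI requires ---
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- IPsec profile replaces the crypto map; no "match address" ACL ---
crypto ipsec profile VTI-PROF
 set transform-set TSET
!
! --- physical WAN link: no crypto map applied here ---
interface Serial1/0
 ip address 10.1.2.1 255.255.255.252
!
! --- static VTI: everything routed into Tunnel0 is encrypted,
!     including self-originated OSPF multicast (224.0.0.5/224.0.0.6) ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip ospf network point-to-point
 tunnel source Serial1/0
 tunnel destination 10.1.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! --- OSPF runs on the tunnel, not on the physical link ---
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

The remote router mirrors this with the addresses swapped (tunnel source 10.1.2.2, destination 10.1.2.1, tunnel IP 172.16.0.2). To check that the adjacency is actually inside the tunnel rather than on Serial1/0, confirm the neighbor in "show ip ospf neighbor" is learned on Tunnel0 and that the "show crypto ipsec sa" encrypt/decrypt counters climb with each hello interval; with a VTI there is no crypto ACL to remove, so the earlier test of pulling the ACL does not apply.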

Hall of Fame Super Silver

OSPF over IPSEC???

I had not been aware of this change. Thank you for sharing this very helpful information with us.

HTH

Rick

OSPF over IPSEC???

Hi Arun,

Yes you can run OSPF over IPsec.

PIX/ASA 7.x and later : VPN/IPsec with OSPF Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

To make this work you need to change the OSPF network type:

ospf network point-to-point non-broadcast

This would be in case that you have an ASA, if you have a Router, I would definitely go for a logical interface.

HTH.

Portu.
