cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1638
Views
14
Helpful
9
Replies

OSPF routes through VPN

a.shaukat
Level 1
Level 1

HI,

i am a lil confused...

we have a Crypto ipsec / isakmp VPN tunnel setup from one router in the head office(loopback address) to the other router at the branch office(loop back address).

Ospf routes are also configured.. and hello packets are being recieved at both ends.. i can see them on the router.

the tunnel is set using dynamic crypto map. and allows LAN to LAN communication (defined in the ACL)

my question.. i can understand that the traffic sent in the VPN tunnel is the traffic defined in the ACL (lan to lan) and the OSPF routes are sent to each peers on the wan link..

then where do we make use of GRE ??

if i want to configure EIGRP between the two routers can i do so ??? while having a VPN tunnel between LAN to LAN

LAN1(Router1)WAN1==============WAN2(Router2)LAN2

these WAN to WAN connections are point to point radio links. Theres is also a DSL connection for backup.

right now ive configured vpn session using the WAN ip addresses as peers.

and allowed LAN1 to LAN2 and vice versa in the ACLs.

i wana use the DSL line as backup, how do i configure that incase the radio link breaks.

(the wan end interfaces are fastethernets) so i cant go for static routes.. probably OSPF ?? or EIGRP ?

9 Replies 9

bjornarsb
Level 4
Level 4

Hi,

As far as I know you use either OSPF or EIGRP

over GRE (generic routing encapsulation).

Backup can be used flowting static.

route 0.0.0.0 0.0.0.0 z.z.z.z 200

HTH

BR,

Bjornarsb

Friend,

IPSEC does not support multicast and hence routing protocols like OSPF and EIGRP do not work over plain IPsec.

To run OSPF or EIGRP, we use GRE as it is capable of carrying the multicast packets and bringup the adjacencies and exchange routes

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

As far as the backup scenario is concerned, you can always use a flowing static as suggested above

HTH

Narayan

Narayan

I think that we need to qualify your answer a bit. It does accurately represent the traditional implementation of IPSec. But recently Cisco introduced a new feature (VTI) which does support routing protocols over IPSec without GRE. This link gives information about Virtual Tunnel Interface:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b00.html

Without some specifics from the router config we can not know whether this is being used or not. Perhaps Atif can post the router config so that we can see whether this feature is being used.

HTH

Rick

HTH

Rick

Hi guys,

thanks for the help..

what iv done so far is that iv enabled eigrp onthe WAN interface network...

ive setup a crypto map and defined the ACL to pass only the LAN to LAN traffic through the tunnel.. its working without GRE cause the routing trafic is not being passed through the tunnel instead its using the normal WAN link instead ...

LAN1(Router1)WAN1============WAN2(router2)LAN2

the WAN link is a Wireless bridge (point to point) and the beackupo link is a DSL line (data circuit, no internet)

im attaching the branch routers config with this post..

Atif

Posting the config was helpful. It made me realize that I had not paid sufficient attention to some of the details in your original post. In particular this line:

these WAN to WAN connections are point to point radio links.

Your point in this post that:

its working without GRE cause the routing trafic is not being passed through the tunnel

is exactly correct. Apparently in the original post you were running OSPF and now you are running EIGRP. As long as the dynamic routing protocol can run over the physical interface and reach the neighbor so that routes are exchanged, then there is no need for GRE.

The discussions about trying to use a routing protocol with IPSec VPN frequently assumes that the VPN peers are multiple hops away or that they are attempting to connect networks using private addressing over a connection in some public network. In that case it is generally required to use GRE for the routing protocol support or the new alternative of VTI. But in your particular case they are not needed.

HTH

Rick

HTH

Rick

Thanks Rick..

that cleared up a lota things :-)

Im using EIGRP as of now... can you please check the backup configuration that ive configured using the dialer 0 for ppoe dsl connection...

cause i ran a test today bu powering off the radio bridge .. ideally it the dsl should have dialed the ppoe dialer for backup connectivity but apparently it didnt .... perhaps problems with the config ??

Atif

I believe that the problem is related to how floating static routes work, especially when the primary static route is over a LAN interface.

First a quick review: the basic idea of floating static route is that you configure a static route with an administrative distance higher than the default. This static route will be used if the primary route is withdrawn from the routing table. The primary route can be a dynamically learned route or can be a regular static route. Your configuration uses a regular static route through the VLAN 2 interface.

So the question becomes what will cause the regular static route to be withdrawn from the routing table so the floating static will be used? A static route is withdrawn from the routing table when its outbound interface goes into protocol down state. Unfortunately when you power off the radio bridge and it stops forwarding traffic the interface does not go down. You could test to verify this but I am confident that this is the issue. The floating static route is never activated because the original static route is not withdrawn because the VLAN 2 interface does not go into protocol down even though it has lost connectivity.

If the route were dynamically learned and the radio bridge stopped forwarding traffic then the route would be withdrawn. But with static routes it needs the interface to go down. Cisco recognizes this issue and has developed a feature called Reliable Static Routes with Object Tracking. When you configure this feature the router will actively check the connection and if the remote side is not reachable it will withdraw the static route. I believe that this will solve your problem. This link has information about the feature and should help you to configure it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html

HTH

Rick

HTH

Rick

so if i use dynamic routing between the branch and the head office ??? then that would cause the floating static route to work ???

right ?

let say i take out the ip route 0.0.0.0 0.0.0.0 192.168.28.250 and configure EIGRP

but then id have a problem.. il have to specify the other side networks on EIGRP as well which i dont want to do ... i just want all traffic to go to 28.250 . if thats unavailable then it should go to dialer1 instead ..

i read the reliable static routes..but it says that it needs a DDR to work ?? or can i use the dialer confi i have configured as floating static route???

Atif

If you run a dynamic routing protocol like EIGRP it would resolve the problem and make the floating static route for backup to work properly.

I do not understand your statement about specify the other side networks. You only need EIGRP network statements for locally connected networks. When EIGRP forms neighbor relationship over the link then it will dynamically learn the remote routes (including a default route if the neighbor has a default route in EIGRP).

But if you do not want to run EIGRP there is the option to use Object Tracking which will also solve the problem. I am not clear which statement you are referring to in the link, but I believe that your current dialer config should work ok. You just need something to verify whether there is connectivity over the standard static route and to remove it if the connection fails.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco