02-25-2010 06:20 PM - edited 03-04-2019 07:38 AM
Hi folks,
I really don't know if this is the right section to ask this question as it deals with both generic routing and VPN/firewalling technologies.
I've simulated and tested the well-known scenario described in this guide:
But when I tried to build three-site connectivity I ran into a limitation saying "Only one neighbor allowed on point-to-point interfaces" when trying to configure two neighbors on one ASA. If I assume that I would need two interfaces looking outside, that will complicate the entire design. See the attached diagram showing the connectivity. All routers and ASA firewalls are expected to be in one area 0, and backup radio links should be used as the feasible successor in case of IPSec tunnel failure.
Are there any documented or similar examples? Any ideas how it would be better to design it?
As an afterthought, would I overcome this limitation if I add one more OSPF process and then redistribute routes from the other routing process, similar to this:
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
redistribute ospf 2 metric 100 subnets
!
router ospf 2
network 192.168.2.0 255.255.255.0 area 0
log-adj-changes
redistribute ospf 1 metric 100 subnets
03-06-2010 10:21 AM
Zheka
The link that you show builds a single IPSec tunnel for a single OSPF neighbor. And you want a second OSPF neighbor. Have you added a second IPSec tunnel?
Perhaps if you post the configuration from your ASA we might be able to provide better answers.
HTH
Rick
03-08-2010 12:39 PM
Hi Rick,
Thanks a lot for your time and willingness to help. The ASA config is pretty standard even if I have two IPSec tunnels configured on it.
I'm providing you with sections of the config covering interfaces and crypto configuration to save space:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.26 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.228.1 255.255.255.0
crypto ipsec transform-set SET1 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 1 match address TUNNEL-TO-BWY
crypto map MAP1 1 set peer z.z.z.254
crypto map MAP1 1 set transform-set SET1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
router ospf 1
network 192.168.228.0 255.255.255.0 area 0
log-adj-changes
redistribute connected
redistribute static subnets route-map REDISTRIBUTE
If I were to follow the guide that I already mentioned I would need to add this line to interface Ethernet0/0:
ospf network point-to-point non-broadcast
There's no way to say point-to-multipoint under the ASA code as opposed to IOS.
One would say why not allocate one more outside interface/subinterface and configure it to point to the other peer, but it would greatly complicate things. It's just not viable at all.
And there's no problem adding networks under the router ospf section at all. The only problem is how to make OSPF send unicasts over the IPSec tunnel to more than one peer.
Eugene
03-08-2010 01:22 PM
Eugene
Thank you for the additional information. I believe that it will be helpful in understanding and resolving your issue.
Your comment is that you have configured two tunnels. But the way that I read the configuration I believe that the ASA regards this as a single tunnel. I would suggest that if you were to change the configuration to be like this then the ASA would recognize a second tunnel and might then allow you to configure a second OSPF neighbor:
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 2 match address TUNNEL-TO-BWY
crypto map MAP1 2 set peer z.z.z.254
crypto map MAP1 2 set transform-set SET1
Give this a try and let us know if it helps.
HTH
Rick
03-08-2010 02:07 PM
Hi Rick,
It's my bad indeed.
I pasted and copied the portion of the crypto-map configuration trying to make it look like a generic setup and forgot to change the sequence numbers. On the ASA those numbers are 10 and 20. The point is that we don't have it deployed in production for the client, and I had a chance to play with three firewalls only for a limited time. The third ASA deployment is scheduled for the coming weekend and I already shipped it to the client. I can't show you how it looks now, but when I played with three boxes in our lab I had two tunnels established on every unit.
I have the other ASA firewall with 5 IPSec site-to-site tunnels to try though.
GVTAPS-ASA01# sh crypto isa sa
Active SA: 5
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5
1 IKE Peer: x.x.x.25
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: y.y.y.33
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: z.z.z.17
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
4 IKE Peer: a.a.a.89
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
5 IKE Peer: b.b.b.72
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Now if I go to the outside interface configuration mode the only command available to enable OSPF in a non-broadcast mode is this:
ospf network point-to-point non-broadcast
Then, when I create the OSPF routing process, I want to configure two neighbors. Adding just one neighbor works and the ASA accepts my config:
router ospf 100
network c.c.c.129 255.255.255.255 area 0
network 192.168.1.0 255.255.255.0 area 0
neighbor b.b.b.72 interface outside
log-adj-changes
But when I try to add the second neighbor I end up with a familiar error message:
GVTAPS-ASA01(config-router)# neighbor a.a.a.89 interface outside
ERROR: Only one neighbor allowed on point-to-point interfaces
We are back to the problem inherent in the interface configuration mode, where there's only one point-to-point option available.
Eugene
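As an added illustration (not code from the thread or from Cisco), the following Python lint catches both pitfalls raised above in a candidate ASA config before it is pushed: a crypto map sequence number reused for a second peer (Rick's observation), and more than one OSPF neighbor bound to an interface configured `ospf network point-to-point non-broadcast` (the ERROR Eugene hits). The sample config is constructed from the snippets in this thread, with the original duplicate sequence number left in place.

```python
"""Lint an ASA config for the two pitfalls discussed in this thread."""
import re
from collections import defaultdict

# Constructed sample: the crypto map as first posted (seq 1 reused for both
# peers) plus an OSPF process with two neighbors bound to one p2p interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ospf network point-to-point non-broadcast
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 1 match address TUNNEL-TO-BWY
crypto map MAP1 1 set peer z.z.z.254
crypto map MAP1 1 set transform-set SET1
router ospf 100
 neighbor b.b.b.72 interface outside
 neighbor a.a.a.89 interface outside
"""

CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
NBR_RE = re.compile(r"^\s*neighbor (\S+) interface (\S+)$")


def crypto_map_collisions(config):
    """Return {(map, seq): [peers]} for sequence numbers given more than one peer.
    The ASA keeps one entry per (map, seq), so a second 'set peer' on the same
    seq modifies the first entry instead of defining a second tunnel."""
    peers = defaultdict(list)
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m and m.group(3) == "set peer":
            peers[(m.group(1), int(m.group(2)))].append(m.group(4))
    return {k: v for k, v in peers.items() if len(v) > 1}


def p2p_neighbor_overflow(config):
    """Return {nameif: [neighbors]} where a point-to-point non-broadcast
    interface is given more than one OSPF neighbor (the ASA rejects the second)."""
    p2p_ifaces, nameif, neighbors = set(), None, defaultdict(list)
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                      # new interface block starts
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s == "ospf network point-to-point non-broadcast" and nameif:
            p2p_ifaces.add(nameif)
        m = NBR_RE.match(line)
        if m:
            neighbors[m.group(2)].append(m.group(1))
    return {i: n for i, n in neighbors.items() if i in p2p_ifaces and len(n) > 1}
```

Renumbering the second peer's lines to sequence 2 (or 20, as on the real box) clears the first finding; the second finding is the interface-mode limitation the thread is stuck on and is not fixed by renumbering.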
03-09-2010 03:31 PM
Eugene
I have looked at some Cisco documentation and this feature is not well documented, but I have not found anything that gives a limitation that there can be only a single neighbor when configuring this feature.
I do find a mention that there needs to be a static route configured for each neighbor that you configure. Is there a static route configured for a.a.a.89 before you attempt to configure it as an OSPF neighbor?
HTH
Rick
03-09-2010 05:06 PM
Hi Rick,
I did try to have host static routes added to the ASA but it didn't help a lot.
As far as I understand, the whole thing is about finding a way to send either multicasts or unicasts over the IPSec tunnel. And this is where we hit this limitation with the ASA; it was not developed to do it. If we were on IOS I would do it by saying something like:
"point-to-multipoint nonbroadcast"
I don't understand what Cisco's reasoning was for not supporting it on the ASA...