cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12123
Views
0
Helpful
6
Replies

OSPF routing between 3 sites over IPSec VPN terminated by ASA

zheka_pefti
Level 2
Level 2

Hi folks,

I really don't know if this is the right section to ask this question as it deals with both generic routing and VPN/firewalling technologies.

I've simulated and tested the well-known scenario described in this guide:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

But when I tried to build three sites connectivity I ran into a limitation saying that "Only one neighbor allowed on point-to-point interfaces" when trying to configure two neibhors on one ASA. Assuming that I would need two interfaces looking outside will complicate the entire design. See the attached diagram showing the connectivity. All routers and ASA firewalls are expected to be in one area 0 and backup radio links should be used as the feasible successor in case of IPSec tunnel failure.

Is there any documented or similar examples? Any ideas how it would be better to design it?

As an afterthought, would I overcome this limitation if add one more OSPF process and then redistribute routes from another routing process similar to this:

router ospf 1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
redistribute ospf 2 metric 100 subnets
!
router ospf 2
network 192.168.2.0 255.255.255.0 area 0
log-adj-changes
redistribute ospf 1 metric 100 subnets

6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

Zheka

The link that you show builds a single IPSec tunnel for a single OSPF neighbor. And you want a second OSPF neighbor. Have you added a second IPSec tunnel?

Perhaps if you post the configuration from your ASA we might be able to provide better answers.

HTH

Rick

HTH

Rick

Hi Rick,

Thanks a lot for your time and willingness to help. The ASA config is pretty standard even if I have two IPSec tunnels configured on it.

I'm providing you with sections of the config covering interfaces and crypto configuration to save space:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.26 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.228.1 255.255.255.0

crypto ipsec transform-set SET1 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1

crypto map MAP1 1 match address TUNNEL-TO-BWY
crypto map MAP1 1 set peer z.z.z.254
crypto map MAP1 1 set transform-set SET1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

router ospf 1
network 192.168.228.0 255.255.255.0 area 0
log-adj-changes
redistribute connected
redistribute static subnets route-map REDISTRIBUTE

If I were to follow the guide that I already mentioned I would need to add this line to interface Ethernet0/0:

ospf network point-to-point non-broadcast

There's no way to say point-to-multipoint under the ASA code as opposed to IOS.

One would say why not allocate one more outside interface/subinterface and configure it to point to other peer but it would greatly complicate things. It's just not viable at all.

And there's no problem adding networks under router ospf section at all. The only problem is how to make OSPF to send unicasts over IPSec tunnel to more than one peer.

Eugene

Eugene

Thank you for the additional information. I believe that it will be helpful in understanding and resolving your issue.

Your comment is that you have configured two tunnels. But the way that I read the configuration I believe that the ASA regards this as a single tunnel. I would suggest that if you were to change the configuration to be like this then the ASA would recognize a second tunnel and might then allow you to configure a second OSPF neighbor:

crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1

crypto map MAP1 2 match address TUNNEL-TO-BWY
crypto map MAP1 2 set peer z.z.z.254
crypto map MAP1 2 set transform-set SET1

Give this a try and let us know if it helps.

HTH

Rick

HTH

Rick

Hi Rick,

It's my bad indeed.

I pasted and copied the portion of the crypto-map configuration trying to make it look as a generic setup and forgot to change sequence numbers. On the ASA those numbers are 10 and 20. The point is that we don't have it deployed in the production mode for the client and I had a chance to play with three firewalls only for a limited time. The third ASA deployment is scheduled for the coming weekend and I already shipped it to the client. I can't show you how it looks now but when I played with three boxes in our lab I had two tunnels established on every unit.

I have the other ASA firewall with 5 IPSec site-to-site tunnels to try though.

GVTAPS-ASA01# sh crypto isa sa

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: x.x.x.25
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: y.y.y.33
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: z.z.z.17
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: a.a.a.89
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: b.b.b.72
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Now if I go to the outside interface configuration mode the only command available to enable OSPF in a non-broadcast mode is this:

ospf network point-to-point non-broadcast

Then when I create OSPF routing process I want to configure two neighbors. Adding just one neighbor works and ASA accepts my config:

router ospf 100
network c.c.c.129 255.255.255.255 area 0
network 192.168.1.0 255.255.255.0 area 0
neighbor b.b.b.72 interface outside
log-adj-changes

But when I try to add the second neighbor I end up with a familiar error message:

GVTAPS-ASA01(config-router)# neighbor a.a.a.89 interface outside
ERROR: Only one neighbor allowed on point-to-point interfaces

We are back to problem inherent to the interface configuration mode where there's only one point-to-point option available.

Eugene

Eugene

I have looked at some Cisco documentation and this feature is not well documented, but I have not found anything that gives a limitation that there can be only a single neighbor when configuring this feature.

I do find a mention that there needs to be a static route configured for each neighbor that you configure. Is there a static route configured for a.a.a.89 before you attempt to configure it as an OSPF neighbor?

HTH

Rick

HTH

Rick

Hi Rick,

I did try to have host static routes added to the ASA but it didn't help a lot.

As far as I understand the whole thing is about finding a way how to send either multicasts or unicasts over IPSec tunnel. And this is where we hit this limitation with ASA, it was not developed to do it.  If we were on the IOS I would do it by saying something like:

"point-to-multipoint nonbroadcast"

Don't understand what was Cisco's reasoning not to support it on the ASA....

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: