Cisco Support Community

New Member

OSPF routing over IPSEC


I currently have a client with over 50 site-to-site IPSEC VPN tunnels running GRE tunnels to enable them to use OSPF routing. I wish to build a tunnel from our ASA 5510 to most of these remote sites (most sites are using fairly old Cisco routers). The problem I have is that the ASA does not seem to support GRE tunnels, so how can I get OSPF routing to work? I have a basic tunnel up and running but am not sure how to proceed, if it is even possible. To change all the client tunnels to use tunnel protection, thus bypassing the need for OSPF, would not really be a viable solution, as they would have to do a lot of network changes which I believe they would be unwilling to do.

Any ideas anyone?

Hall of Fame Super Gold

Re: OSPF routing over IPSEC

You cannot build a scalable and manageable network with ASAs and old routers only.

What you want is a modern DMVPN solution and in practice that means you have ISR routers everywhere.

You can go around and around but will find that there is no quality alternative, just clumsy workarounds.

New Member

Re: OSPF routing over IPSEC

Hi, thanks for the response.

I understand that this does not scale as a solution, but as the older routers belong to a client and not to my own organisation, there is very little I can do at this time to influence their current architecture. What I need for the moment is some sort of workaround to allow me to build a site-to-site VPN to my client's network and be able to exchange routes with them via OSPF.

Hall of Fame Super Gold

Re: OSPF routing over IPSEC

Place a router behind the ASA. Terminate IPsec in the ASA, or do not do IPsec at all. Terminate GRE in said router. Use multipoint GRE to the extent possible.

Give the re-design issue to an able salesperson in order to convince the client about the limits of the current hardware and move away from unsatisfying workarounds.

New Member

Re: OSPF routing over IPSEC

I think you are probably right. I was considering terminating the IPSEC tunnel on the ASA and the GRE tunnels on a Juniper SSG 140 that sits behind the ASA to get around it, but it may be cleaner to do as you say and take the hit of installing a Cisco router.
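
A configuration sketch of the split design discussed in this thread (IPsec terminated on the ASA, GRE and OSPF terminated on a router behind it), added here as an illustration and not posted by either participant. All addresses, ACL and crypto map names, the OSPF process number and the key placeholder are constructed, and it assumes the remote router sources its GRE tunnel from a loopback and that NAT exemption for the GRE endpoints already exists on the ASA.

```cisco
! ---------- ASA (outside 198.51.100.1, inside 10.0.0.1) ----------
! The crypto ACL matches only GRE between the two tunnel endpoints, so
! everything the routers exchange (OSPF included) rides inside IPsec.
access-list GRE-SITE1 extended permit gre host 10.0.0.2 host 10.255.1.1
crypto map OUTSIDE_MAP 10 match address GRE-SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
! Phase 1 / phase 2 proposals stay as in the existing site-to-site tunnel.
!
! ---------- Router behind the ASA (inside address 10.0.0.2) ----------
interface Tunnel1
 description GRE to remote site 1, encrypted by the ASA in front
 ip address 172.16.1.1 255.255.255.252
 ! Leave room for the GRE and IPsec headers to avoid fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.0.0.2
 tunnel destination 10.255.1.1
 ! Authenticate OSPF neighbours: the peer is another organisation's router.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY-PLACEHOLDER>
!
! Pin the route to the remote GRE endpoint to the ASA so it is never
! learned through the tunnel itself (recursive routing flaps the tunnel).
ip route 10.255.1.1 255.255.255.255 10.0.0.1
!
router ospf 1
 ! Only the tunnel subnet and the local LAN are advertised; the remote
 ! loopback 10.255.1.1 must not be covered by a network statement
 ! on the far side either.
 passive-interface default
 no passive-interface Tunnel1
 network 172.16.1.0 0.0.0.3 area 0
 network 10.0.0.0 0.0.0.255 area 0
```

The remote router needs the mirror image: a GRE tunnel sourced from its loopback toward 10.0.0.2 and a crypto ACL permitting GRE between the same two hosts. Filtering which prefixes are accepted from the client's OSPF domain is a separate decision that this sketch does not cover.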