I really don’t know if this is the right section to ask this question as it deals with both generic routing and VPN/firewalling technologies.
I’ve simulated and tested the well-known scenario described in this guide:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
But when I tried to build three-site connectivity I ran into a limitation saying that “Only one neighbor allowed on point-to-point interfaces” when trying to configure two neighbors on one ASA. Assuming that I would need two interfaces looking outside will complicate the entire design. See the attached diagram showing the connectivity. All routers and ASA firewalls are expected to be in one area 0, and backup radio links should be used as the feasible successor in case of IPSec tunnel failure.
Are there any documented or similar examples? Any ideas how it would be better to design it?
As an afterthought, would I overcome this limitation if I add one more OSPF process and then redistribute routes from the other routing process, similar to this:
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 2 metric 100 subnets
!
router ospf 2
 network 192.168.2.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 1 metric 100 subnets
The link that you show builds a single IPSec tunnel for a single OSPF neighbor. And you want a second OSPF neighbor. Have you added a second IPSec tunnel?
Perhaps if you post the configuration from your ASA we might be able to provide better answers.
Thanks a lot for your time and willingness to help. The ASA config is pretty standard even if I have two IPSec tunnels configured on it.
I’m providing you with sections of the config covering interfaces and crypto configuration to save space:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.26 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.228.1 255.255.255.0
!
crypto ipsec transform-set SET1 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 2 match address TUNNEL-TO-BWY
crypto map MAP1 2 set peer z.z.z.254
crypto map MAP1 2 set transform-set SET1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
router ospf 1
 network 192.168.228.0 255.255.255.0 area 0
 log-adj-changes
 redistribute connected
 redistribute static subnets route-map REDISTRIBUTE
If I were to follow the guide that I already mentioned I would need to add this line to interface Ethernet0/0:
ospf network point-to-point non-broadcast
There’s no way to say point-to-multipoint under the ASA code as opposed to IOS.
One would say why not allocate one more outside interface/subinterface and configure it to point to the other peer, but it would greatly complicate things. It’s just not viable at all.
And there’s no problem adding networks under the router ospf section at all. The only problem is how to make OSPF send unicasts over the IPSec tunnel to more than one peer.
Eugene
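As an added check, not code from this thread or from the referenced Cisco guide: a small Python linter that reads an ASA configuration excerpt and flags the two problems a reviewer would look for before debugging OSPF adjacency over IPsec. It assumes that re-entering `crypto map NAME SEQ match address` or `set peer` for an already used sequence number replaces the earlier value (last write wins, which is how the ASA behaves as far as I know), so two peers written under one sequence number leave only one tunnel defined. It also counts OSPF `neighbor` statements per interface and reports more than one on an interface whose OSPF network type is point-to-point, which is the limitation quoted in the question. The sample config is constructed (placeholder addresses kept), and the two `neighbor ... interface outside` lines are an assumption about what the guide's approach would add for two peers; they are not lines posted in the thread.

```python
"""Lint an ASA config excerpt for (1) crypto map entries that reuse a sequence
number, so a later 'match address'/'set peer' replaces the earlier one (assumed
last-write-wins), and (2) more than one OSPF neighbor on a point-to-point
interface ("Only one neighbor allowed on point-to-point interfaces")."""
import re
from collections import defaultdict

CRYPTO_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) "
    r"(?P<cmd>match address|set peer|set transform-set) (?P<arg>.+)$"
)
NEIGHBOR_RE = re.compile(r"^neighbor (?P<addr>\S+)(?: interface (?P<ifname>\S+))?")

# Constructed sample modelled on the excerpt above. The two 'neighbor' lines are an
# assumption (what the referenced guide's approach would add for two peers).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address x.x.x.26 255.255.255.248
 ospf network point-to-point non-broadcast
!
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 1 match address TUNNEL-TO-BWY
crypto map MAP1 1 set peer z.z.z.254
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 interface outside
router ospf 1
 network 192.168.228.0 255.255.255.0 area 0
 neighbor y.y.y.254 interface outside
 neighbor z.z.z.254 interface outside
"""
# Same sample with the second peer moved to its own sequence number.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto map MAP1 1 match address TUNNEL-TO-BWY\ncrypto map MAP1 1 set peer z.z.z.254\n",
    "crypto map MAP1 2 match address TUNNEL-TO-BWY\ncrypto map MAP1 2 set peer z.z.z.254\n",
)


def parse_config(text):
    """Return (overwrites, iface_types, neighbors) for an ASA config excerpt."""
    crypto = defaultdict(dict)      # (map, seq) -> {cmd: last value seen}
    overwrites = []                 # (map, seq, cmd, old value, new value)
    iface_types = {}                # nameif -> 'ospf network ...' value or None
    neighbors = defaultdict(list)   # interface name -> [neighbor address, ...]
    section, nameif, nettype = None, None, None

    def flush():                    # record the interface block just finished
        if section == "interface" and nameif:
            iface_types[nameif] = nettype

    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):              # top-level command
            flush()
            section, nameif, nettype = None, None, None
            if raw.startswith("interface "):
                section = "interface"
            elif raw.startswith("router ospf"):
                section = "ospf"
            else:
                m = CRYPTO_RE.match(raw)
                if m:
                    key = (m["map"], int(m["seq"]))
                    old = crypto[key].get(m["cmd"])
                    if old is not None and old != m["arg"]:
                        overwrites.append((*key, m["cmd"], old, m["arg"]))
                    crypto[key][m["cmd"]] = m["arg"]   # last write wins
            continue
        body = raw.strip()                       # sub-command of current section
        if section == "interface":
            if body.startswith("nameif "):
                nameif = body.split()[1]
            elif body.startswith("ospf network "):
                nettype = body[len("ospf network "):]
        elif section == "ospf":
            m = NEIGHBOR_RE.match(body)
            if m:
                neighbors[m["ifname"] or "<unspecified>"].append(m["addr"])
    flush()
    return overwrites, iface_types, dict(neighbors)


def lint(text):
    """Return a list of human-readable findings for the excerpt."""
    overwrites, iface_types, neighbors = parse_config(text)
    findings = []
    for map_name, seq, cmd, old, new in overwrites:
        findings.append(f"crypto map {map_name} {seq}: '{cmd} {old}' replaced by "
                        f"'{cmd} {new}' (sequence {seq} reused; give each peer its own)")
    for ifname, addrs in neighbors.items():
        nettype = iface_types.get(ifname) or ""
        if nettype.startswith("point-to-point") and len(addrs) > 1:
            findings.append(f"interface {ifname} ({nettype}): {len(addrs)} OSPF neighbors "
                            f"{addrs}; only one neighbor allowed on point-to-point interfaces")
    return findings


if __name__ == "__main__":
    for label, cfg in (("shared sequence number", SAMPLE_CONFIG), ("own sequence numbers", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Running it on the first sample reports the two replaced values under sequence 1 plus the two-neighbor finding on `outside`; on the corrected sample only the OSPF finding remains, which is the design limit the thread is about: separate crypto map entries give two tunnels, but one point-to-point OSPF interface still takes only one neighbor.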