Comments on: OSPF routing between 3 sites over IPSec VPN terminated by ASA http://www.networkingblog.in/ospf-routing-between-3-sites-over-ipsec-vpn-terminated-by-asa-2-2875 Cisco Netpro Blog Wed, 23 Jun 2010 06:07:14 +0000 hourly 1 http://wordpress.org/?v=3.0 By: arul http://www.networkingblog.in/ospf-routing-between-3-sites-over-ipsec-vpn-terminated-by-asa-2-2875/comment-page-1#comment-2014 arul Sat, 13 Mar 2010 16:12:08 +0000 http://www.networkingblog.in/?p=2875#comment-2014 Thanks a lot for your time and willingness to help. The ASA config is pretty standard even if I have two IPSec tunnels configured on it. I'm providing you with sections of the config covering interfaces and crypto configuration to save space: interface GigabitEthernet0/0 nameif outside security-level 0 ip address x.x.x.26 255.255.255.248 ! interface GigabitEthernet0/1 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/2 nameif inside security-level 100 ip address 192.168.228.1 255.255.255.0 crypto ipsec transform-set SET1 esp-aes-256 esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map MAP1 1 match address TUNNEL-TO-PEER1 crypto map MAP1 1 set peer y.y.y.254 crypto map MAP1 1 set transform-set SET1 crypto map MAP1 1 match address TUNNEL-TO-BWY crypto map MAP1 1 set peer z.z.z.254 crypto map MAP1 1 set transform-set SET1 crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes hash md5 group 2 lifetime 86400 router ospf 1 network 192.168.228.0 255.255.255.0 area 0 log-adj-changes redistribute connected redistribute static subnets route-map REDISTRIBUTE If I were to follow the guide that I already mentioned I would need to add this line to interface Ethernet0/0: ospf network point-to-point non-broadcast There's no way to say point-to-multipoint under the ASA code as opposed to IOS. One would say why not allocate one more outside interface/subinterface and configure it to point to other peer but it would greatly complicate things. It's just not viable at all. And there's no problem adding networks under router ospf section at all. The only problem is how to make OSPF to send unicasts over IPSec tunnel to more than one peer. Eugene Thanks a lot for your time and willingness to help. The ASA config is pretty standard even if I have two IPSec tunnels configured on it.
I’m providing you with sections of the config covering interfaces and crypto configuration to save space:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.26 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.228.1 255.255.255.0

crypto ipsec transform-set SET1 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP1 1 match address TUNNEL-TO-PEER1
crypto map MAP1 1 set peer y.y.y.254
crypto map MAP1 1 set transform-set SET1

crypto map MAP1 1 match address TUNNEL-TO-BWY
crypto map MAP1 1 set peer z.z.z.254
crypto map MAP1 1 set transform-set SET1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

router ospf 1
network 192.168.228.0 255.255.255.0 area 0
log-adj-changes
redistribute connected
redistribute static subnets route-map REDISTRIBUTE

If I were to follow the guide that I already mentioned I would need to add this line to interface Ethernet0/0:

ospf network point-to-point non-broadcast

There’s no way to say point-to-multipoint under the ASA code as opposed to IOS.

One would say why not allocate one more outside interface/subinterface and configure it to point to other peer but it would greatly complicate things. It’s just not viable at all.

And there’s no problem adding networks under router ospf section at all. The only problem is how to make OSPF to send unicasts over IPSec tunnel to more than one peer.

Eugene

]]> By: karan http://www.networkingblog.in/ospf-routing-between-3-sites-over-ipsec-vpn-terminated-by-asa-2-2875/comment-page-1#comment-2013 karan Sat, 13 Mar 2010 16:09:57 +0000 http://www.networkingblog.in/?p=2875#comment-2013 The link that you show builds a single IPSec tunnel for a single OSPF neighbor. And you want a second OSPF neighbor. Have you added a second IPSec tunnel? Perhaps if you post the configuration from your ASA we might be able to provide better answers. The link that you show builds a single IPSec tunnel for a single OSPF neighbor. And you want a second OSPF neighbor. Have you added a second IPSec tunnel?
Perhaps if you post the configuration from your ASA we might be able to provide better answers.

]]>