We are going to use a similar topology and the same configuration presented in the article Route-based IPsec VPN on ASA, except that now we don't need static routes to the remote subnets.
Interfaces settings on local-asa:
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.100
vlan 100
nameif outside
security-level 0
ip address 192.0.2.1 255.255.255.192
!
interface Ethernet0/0.200
vlan 200
nameif vpn
security-level 0
ip address 192.0.2.65 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
no shutdown
The VPN configuration is exactly the same as presented in the prior article. For static routing, we just need one route to the remote peer through the vpn interface:
route outside 0.0.0.0 0.0.0.0 192.0.2.62 1
route vpn 192.0.2.193 255.255.255.255 192.0.2.126 1
For OSPF, we use the neighbor feature to add the remote peer as a static neighbor:
interface Ethernet0/0.200
ospf network point-to-point non-broadcast
!
router ospf 1
network 10.10.10.0 255.255.255.0 area 0
network 192.0.2.64 255.255.255.192 area 0
neighbor 192.0.2.193 interface vpn
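The point of the non-broadcast network type plus the static neighbor is that the ASA only forms an adjacency with the peer you named, not with whoever sends a multicast Hello on that interface. The following audit script is an added example, not part of the article; it parses a constructed ASA config fragment (the vpn interface and OSPF process from the article, with the inside interface and vlan lines omitted) and flags OSPF-enabled security-level 0 interfaces that are either left in broadcast mode or set non-broadcast without a static neighbor, the case the author notes will never bring the adjacency up.

```python
import ipaddress

# Constructed sample: local-asa's vpn interface and OSPF process from the article.
ASA_CONFIG = """
interface Ethernet0/0.200
 nameif vpn
 security-level 0
 ip address 192.0.2.65 255.255.255.192
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 192.0.2.64 255.255.255.192 area 0
 neighbor 192.0.2.193 interface vpn
"""
# Constructed variant: the same config with the network-type line left out.
BROADCAST_CONFIG = ASA_CONFIG.replace(" ospf network point-to-point non-broadcast\n", "")

def parse_config(text):
    """Collect interfaces (by name), OSPF network statements and static neighbors."""
    interfaces, networks, neighbors, cur = {}, [], {}, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "interface":
            cur = interfaces.setdefault(tok[1], {"nameif": None, "ip": None, "seclevel": 0, "nbma": False})
        elif tok[0] == "nameif":
            cur["nameif"] = tok[1]
        elif tok[0] == "security-level":
            cur["seclevel"] = int(tok[1])
        elif tok[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["ospf", "network"]:
            cur["nbma"] = "non-broadcast" in tok
        elif tok[0] == "network":  # 'network <net> <mask> area <n>' under router ospf
            networks.append(ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "neighbor":  # 'neighbor <peer> interface <nameif>'
            neighbors.setdefault(tok[3], []).append(tok[1])
    return interfaces, networks, neighbors

def audit_ospf(text):
    """Flag OSPF-enabled security-level 0 interfaces not locked to a static neighbor."""
    interfaces, networks, neighbors = parse_config(text)
    findings = []
    for name, i in interfaces.items():
        if i["ip"] is None or i["seclevel"] != 0 or not any(i["ip"].ip in n for n in networks):
            continue  # OSPF not enabled on this interface, or a trusted inside interface
        if not i["nbma"]:
            findings.append(f"{name}: accepts multicast OSPF Hellos on a security-level 0 interface")
        elif not neighbors.get(i["nameif"]):
            findings.append(f"{name}: non-broadcast but no static neighbor, adjacency never forms")
    return findings
```

Running audit_ospf over a full running-config export works the same way, since the keywords it matches only occur in interface and router ospf blocks.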
Once the remote peer is configured, the tunnel will be established and the OSPF adjacency will come up as well:
local-asa# show ipsec sa peer 192.0.2.193
peer address: 192.0.2.193
Crypto map tag: VPN, seq num: 1, local addr: 192.0.2.65
access-list enc-domain permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 192.0.2.193
#pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
#pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
...
local-asa# show ospf neighbor vpn
Neighbor ID Pri State Dead Time Address Interface
192.0.2.193 1 FULL/ - 0:00:34 192.0.2.193 vpn
Once the routers are added to the OSPF area, the network converges and all local and remote subnets are reachable from each other:
local-asa# show ospf neighbor inside
Neighbor ID Pri State Dead Time Address Interface
10.10.10.254 1 FULL/DR 0:00:36 10.10.10.254 inside
local-asa# show route
Gateway of last resort is 192.0.2.62 to network 0.0.0.0
O 172.16.0.0 255.255.255.0 [110/11] via 10.10.10.254, 0:12:35, inside
O 172.31.0.0 255.255.0.0 [110/21] via 192.0.2.193, 0:12:35, vpn
O 10.20.20.0 255.255.255.0 [110/20] via 192.0.2.193, 0:12:35, vpn
C 10.10.10.0 255.255.255.0 is directly connected, inside
O 192.0.2.192 255.255.255.192 [110/20] via 192.0.2.193, 0:12:35, vpn
S 192.0.2.193 255.255.255.255 [1/0] via 192.0.2.126, vpn
C 192.0.2.64 255.255.255.192 is directly connected, vpn
C 192.0.2.0 255.255.255.192 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.62, outside
local-router#show ip route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Loopback0
O 172.31.0.0/16 [110/31] via 10.10.10.1, 00:21:28, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
O 10.20.20.0 [110/30] via 10.10.10.1, 00:21:28, FastEthernet0/0
C 10.10.10.0 is directly connected, FastEthernet0/0
192.0.2.0/26 is subnetted, 2 subnets
O 192.0.2.192 [110/30] via 10.10.10.1, 00:21:28, FastEthernet0/0
O 192.0.2.64 [110/20] via 10.10.10.1, 00:21:29, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.10.10.1
local-router#show ip ospf database
OSPF Router with ID (10.10.10.254) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.10.10.254 10.10.10.254 1371 0x80000006 0x005E84 2
10.20.20.254 10.20.20.254 1348 0x80000004 0x001172 2
192.0.2.65 192.0.2.65 1397 0x80000005 0x00CF93 3
192.0.2.193 192.0.2.193 1397 0x80000007 0x007E37 3
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.10.10.254 10.10.10.254 1456 0x80000001 0x0030AE
10.20.20.1 192.0.2.193 183 0x80000002 0x0023A8
local-router#ping 172.31.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/92/144 ms
Thanks for that, I'm guessing the secret command is to define OSPF non broadcast? (makes sense)
And that if it's not defined as broadcast then your security is OK, because you need to manually define your neighbors, so hence you could restrict it to only the tunnels you want?
The ironic thing is it all seems much easier with IOS and VTIs.... but then you lose the wire speed ASA hardware.
Great blog, and great work
The "neighbor" command won't take effect until you set the interface as non-broadcast.
Thanks for your feedback!
This is not a scalable solution, you can only have 2 neighbors. What about 3 neighbors?
It's possible to have additional neighbors. You add one sub-interface for each neighbor and use similar configs for IPsec and OSPF.
Would it be possible to use EIGRP? Also it seems like one would be hampered quite a bit just to get dynamic routing protocols running through the ASA VPNs.
Would it be crazy to suggest that the router be behind the ASA and just have the routers create a tunnel through the ASAs? I don't see this being done anywhere. Most everyone has their ASAs behind the routers. I just despise static routing enough to see if this is a viable solution/strategy.
It doesn't work with EIGRP.
The router behind the ASA works, but you still need to set up OSPF on the ASA, otherwise it won't learn how to reach the remote subnets and therefore won't route the traffic through the tunnel.