Mar 21, 2013

Route-based IPsec VPN with OSPF

Some time ago, I wrote an article explaining how to set up a route-based VPN on an ASA. The reader wintermute000 asked me if it would be possible to use dynamic routing instead of adding a static route for every subnet that we want to reach through the VPN tunnel. I told him it is possible, and now I'm going to show how.
We are going to use a similar topology and the same configuration presented in the article Route-based IPsec VPN on ASA, except that now we don't need static routes to the remote subnets.


Interface settings on local-asa:

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.192
!
interface Ethernet0/0.200
 vlan 200
 nameif vpn
 security-level 0
 ip address 192.0.2.65 255.255.255.192
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown

The VPN configuration is exactly the same as presented in the prior article. For static routing we now need only two entries: the default route via the outside interface, and a host route to the remote peer through the vpn interface so that the IPsec traffic itself leaves through the tunnel interface. The routes to the remote subnets will come from OSPF:

route outside 0.0.0.0 0.0.0.0 192.0.2.62 1
route vpn 192.0.2.193 255.255.255.255 192.0.2.126 1

For OSPF, we use the neighbor feature to add the remote peer as a static neighbor. The neighbor command is only accepted on an interface whose OSPF network type is non-broadcast, so the vpn sub-interface is set to point-to-point non-broadcast first; OSPF then unicasts its hellos to the configured peer instead of multicasting them, which is what lets the adjacency form across the tunnel:

interface Ethernet0/0.200
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 192.0.2.64 255.255.255.192 area 0
 neighbor 192.0.2.193 interface vpn
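The original post does not show the remote side. The fragment below is an added example, reconstructed from the show outputs later on this page rather than taken from the author's configuration: the peer's vpn address 192.0.2.193/26, its inside network 10.20.20.0/24 with the ASA at 10.20.20.1, and its router ID 192.0.2.193 all appear in those outputs. The next hop 192.0.2.254 on the remote vpn segment and the key string are assumptions, and the IKE/IPsec configuration is the one from the earlier article and is not repeated. The last block adds OSPF MD5 authentication on the tunnel interface, which the post does not configure; it must be applied identically on both ASAs, and it ensures the adjacency can only be formed by a peer that holds the key, not merely by whoever sends hellos to the vpn address.

```cisco
! remote-asa (added example, reconstructed from the page's show outputs)
interface Ethernet0/0.200
 vlan 200
 nameif vpn
 security-level 0
 ip address 192.0.2.193 255.255.255.192
 ospf network point-to-point non-broadcast
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0
 no shutdown
!
! Host route to the local-asa peer through the vpn interface.
! 192.0.2.254 is an assumed next hop on the remote vpn segment.
route vpn 192.0.2.65 255.255.255.255 192.0.2.254 1
!
router ospf 1
 router-id 192.0.2.193
 network 10.20.20.0 255.255.255.0 area 0
 network 192.0.2.192 255.255.255.192 area 0
 neighbor 192.0.2.65 interface vpn
!
! Optional hardening, applied the same way on local-asa and remote-asa:
! authenticate OSPF packets on the tunnel interface. The key is a placeholder.
interface Ethernet0/0.200
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ExampleKey1
```

With authentication enabled on one side only, the neighbor stays in INIT or never appears in show ospf neighbor, so apply the key on both ends in the same change window.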

Once the remote peer is configured the same way, the tunnel is established and the OSPF adjacency forms over it:

local-asa# show ipsec sa peer 192.0.2.193
peer address: 192.0.2.193
    Crypto map tag: VPN, seq num: 1, local addr: 192.0.2.65

      access-list enc-domain permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.0.2.193

      #pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
      #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
...

local-asa# show ospf neighbor vpn
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.0.2.193       1   FULL/  -        0:00:34     192.0.2.193     vpn

Once the inside routers on both sites are added to the OSPF area as well, the network converges and every local and remote subnet is reachable from the others:

local-asa# show ospf neighbor inside
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.254      1   FULL/DR         0:00:36     10.10.10.254    inside

local-asa# show route

Gateway of last resort is 192.0.2.62 to network 0.0.0.0

O    172.16.0.0 255.255.255.0 [110/11] via 10.10.10.254, 0:12:35, inside
O    172.31.0.0 255.255.0.0 [110/21] via 192.0.2.193, 0:12:35, vpn
O    10.20.20.0 255.255.255.0 [110/20] via 192.0.2.193, 0:12:35, vpn
C    10.10.10.0 255.255.255.0 is directly connected, inside
O    192.0.2.192 255.255.255.192 [110/20] via 192.0.2.193, 0:12:35, vpn
S    192.0.2.193 255.255.255.255 [1/0] via 192.0.2.126, vpn
C    192.0.2.64 255.255.255.192 is directly connected, vpn
C    192.0.2.0 255.255.255.192 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.62, outside


local-router#show ip route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Loopback0
O    172.31.0.0/16 [110/31] via 10.10.10.1, 00:21:28, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.20.20.0 [110/30] via 10.10.10.1, 00:21:28, FastEthernet0/0
C       10.10.10.0 is directly connected, FastEthernet0/0
     192.0.2.0/26 is subnetted, 2 subnets
O       192.0.2.192 [110/30] via 10.10.10.1, 00:21:28, FastEthernet0/0
O       192.0.2.64 [110/20] via 10.10.10.1, 00:21:29, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.10.10.1

local-router#show ip ospf database

            OSPF Router with ID (10.10.10.254) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.10.10.254    10.10.10.254    1371        0x80000006 0x005E84 2
10.20.20.254    10.20.20.254    1348        0x80000004 0x001172 2
192.0.2.65      192.0.2.65      1397        0x80000005 0x00CF93 3
192.0.2.193     192.0.2.193     1397        0x80000007 0x007E37 3

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.10.10.254    10.10.10.254    1456        0x80000001 0x0030AE
10.20.20.1      192.0.2.193     183         0x80000002 0x0023A8

local-router#ping 172.31.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/92/144 ms


6 comments:

  1. Thanks for that, I'm guessing the secret command is to define OSPF non-broadcast? (makes sense)

    And that if it's not defined as broadcast, then your security is OK because you need to manually define your neighbors, so hence you could restrict it to only the tunnels you want?

    The ironic thing is it all seems much easier with IOS and VTIs.... but then you lose the wire speed ASA hardware.

    Great blog, and great work

    1. The "neighbor" command won't take place until you set the interface as non broadcast.

      Thanks for your feedback!

  2. This is not a scalable solution, you can only have 2 neighbors. What about 3 neighbors?

    1. It's possible to have additional neighbors. You add one sub-interface for each neighbor and use similar configs for IPsec and OSPF.

  3. Would it be possible to use EIGRP? Also it seems like one would be hampered quite a bit just to get dynamic routing protocols running through the ASA VPNs.

    Would it be crazy to suggest that the router be behind the ASA and just have the routers create a tunnel through the ASAs? I don't see this being done anywhere. Most everyone has their ASAs behind the routers. I just despise static routing enough to see if this is a viable solution/strategy.

    1. It doesn't work with EIGRP.

      The router behind the ASA works, but you still need to setup OSPF on the ASA, otherwise it won't learn how to reach the remote subnets and therefore won't route the traffic through the tunnel.
