About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.


Routing over an IPSec VPN without GRE

Joe, I thought I recalled you mentioning that the Cisco ASA allowed me to run OSPF inside of an IPSec VPN tunnel without having to run GRE over it. Is this the case? I do not want to have to purchase additional routers and run an overlay VPN/GRE network. If this is true, is this documented with an example somewhere?

My Response:

You are correct; the ASA does give you this ability natively. One of my biggest VPN design issues has always been the whole dynamic routing protocol over an IPSec VPN issue, whereby we had to design a VPN model that did not limit the dynamic nature of the routing protocol. With an ASA running 7.x or later code you can run unicast routing protocol traffic through the tunnel without the need for GRE. Check out a sample configuration here:

Dynamic Routing Protocol inside IPSec VPN without GRE Sample
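To make the approach concrete, here is the shape of the ASA-side configuration for one end of a LAN-to-LAN tunnel. This is an illustration added to this page, not the configuration from the linked Cisco sample, and every address, interface name, ACL name, OSPF process number and key is an assumption. Three pieces do the work without GRE: the OSPF network type on the outside interface is set to point-to-point non-broadcast so hellos go out as unicast, the peer is defined as a static OSPF neighbor with the `interface outside` keyword so it can live beyond the local subnet, and the crypto ACL protects the OSPF traffic between the two outside addresses in addition to the LAN-to-LAN traffic.

```text
! Assumed topology (example added here, not the linked sample):
!   ASA-A outside 192.0.2.1, inside LAN 10.1.1.0/24
!   ASA-B outside 198.51.100.1, inside LAN 10.2.2.0/24
! Shown: the ASA-A side. Mirror it on ASA-B.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 ! Unicast OSPF hellos across the tunnel instead of multicast
 ospf network point-to-point non-broadcast
 ! Authenticate OSPF even though it rides inside IPsec (assumed key)
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <ospf-md5-key>

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 192.0.2.0 255.255.255.0 area 0
 ! The peer is not on the outside subnet; the interface keyword tells
 ! the ASA where to unicast the hellos
 neighbor 198.51.100.1 interface outside
 area 0 authentication message-digest

! Crypto ACL: the LAN-to-LAN traffic plus the OSPF exchange itself.
! Without the second line the routing protocol would cross the
! Internet in the clear, since it is sourced by the ASA, not the LAN.
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit ospf host 192.0.2.1 host 198.51.100.1

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <isakmp-psk>
```

Once both sides are up, `show crypto ipsec sa` should show a second SA pair for the host-to-host OSPF entry alongside the LAN-to-LAN one, and `show ospf neighbor` should list the peer in FULL state on the outside interface. If the OSPF neighbor stays in INIT or never appears while the LAN-to-LAN SA is fine, check the crypto ACL on both ends first; an OSPF entry that is present on one ASA only will not build the SA.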

There Are 4 Responses So Far.

  1.

    Is it only OSPF or is EIGRP an option as well?

  2.

    Ben,

    Excellent question, but the answer is "not exactly"... :-) If you look at #9 of this document, it states:

    “9. EIGRP hello packets are sent as multicast packets. If an EIGRP neighbor is located across a nonbroadcast network, such as a VPN tunnel, you must manually define that neighbor. When you manually define an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages. In order to define static EIGRP neighbors, go to the Static Neighbor pane.”

    The problem is that the static neighbor will not allow you to put an IP address that is different from the subnet of the local interface you want to use.

    This is the error:
    CCIE6200(config-router)# neighbor 192.168.20.2 interface outside
    ERROR: EIGRP-IPv4 Neighbor address 192.168.20.2 is on different network from outside

    I also confirmed with the VPN team that 8.0 does not currently support the same feature/functionality for EIGRP as it does for OSPF in this case.

    -Joe

  3.

    What about BGP?

  4.

    BGP is not supported on the ASA today, nor is it a roadmap item. The only BGP support available on any Cisco firewall is the BGP stub function on the FWSM. Please reference this link:

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/ip_f.html#wp1041629
