OSPF over IPsec tunnel (ASA ikev1)
Today I would like to set up a VPN tunnel between two ASAs that can carry OSPF packets over the IPsec tunnel. I know similar examples are available on the Internet, but I would like to check whether any problems come up during the implementation.
        4.4.4.0/24            7.7.7.0/24            5.5.5.0/24
/----\ .1       .10 -------- .1        .2 -------- .10       .2 /----\
| R1 |--------------| ASA1 |--------------| ASA2 |--------------| R2 |
\----/              --------              --------              \----/
                          |<-----VPN----->|
The basic configuration:
R1:
!
hostname r1
!
interface GigabitEthernet0/0
ip address 4.4.4.1 255.255.255.0
no sh
!
router ospf 200
network 4.4.4.0 0.0.0.255 area 0
!
R2:
!
hostname r2
!
interface GigabitEthernet0/0
ip address 5.5.5.2 255.255.255.0
no sh
!
router ospf 100
log-adjacency-changes
network 5.5.5.0 0.0.0.255 area 0
!
ASA1:
!
hostname asa1
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 7.7.7.1 255.255.255.0
no sh
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 4.4.4.10 255.255.255.0
no sh
!
router ospf 150
network 4.4.4.0 255.255.255.0 area 0
network 7.7.7.0 255.255.255.0 area 0
log-adj-changes
!
ASA2:
!
hostname asa2
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 7.7.7.2 255.255.255.0
no sh
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 5.5.5.10 255.255.255.0
no sh
!
router ospf 250
network 5.5.5.0 255.255.255.0 area 0
network 7.7.7.0 255.255.255.0 area 0
log-adj-changes
!
Let’s check if OSPF works fine:
r1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.10 1 FULL/BDR 00:00:39 4.4.4.10 GigabitEthernet0/0
r1#
asa1# sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
7.7.7.2 1 FULL/DR 0:00:30 7.7.7.2 outside
4.4.4.1 1 FULL/DR 0:00:31 4.4.4.1 inside
asa1#
asa2# sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.10 1 FULL/BDR 0:00:38 7.7.7.1 outside
5.5.5.2 1 FULL/DR 0:00:37 5.5.5.2 inside
asa2#
r2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
7.7.7.2 1 FULL/BDR 00:00:36 5.5.5.10 GigabitEthernet0/0
r2#
As we see above, all devices see their neighbors. Before I start the VPN implementation, I check that the routing tables are correct.
R1:
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 4.4.4.0/24 is directly connected, GigabitEthernet0/0
L 4.4.4.1/32 is directly connected, GigabitEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
O 5.5.5.0 [110/21] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
7.0.0.0/24 is subnetted, 1 subnets
O 7.7.7.0 [110/11] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
r1#
R2:
r2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
O 4.4.4.0 [110/21] via 5.5.5.10, 00:35:07, GigabitEthernet0/0
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 5.5.5.0/24 is directly connected, GigabitEthernet0/0
L 5.5.5.2/32 is directly connected, GigabitEthernet0/0
7.0.0.0/24 is subnetted, 1 subnets
O 7.7.7.0 [110/11] via 5.5.5.10, 00:37:54, GigabitEthernet0/0
r2#
ASA1:
asa1# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 4.4.4.0 255.255.255.0 is directly connected, inside
O 5.5.5.0 255.255.255.0 [110/20] via 7.7.7.2, 0:37:26, outside
C 7.7.7.0 255.255.255.0 is directly connected, outside
asa1#
ASA2:
asa2# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O 4.4.4.0 255.255.255.0 [110/20] via 7.7.7.1, 0:38:09, outside
C 5.5.5.0 255.255.255.0 is directly connected, inside
C 7.7.7.0 255.255.255.0 is directly connected, outside
asa2#
Ok, I’m ready to start configuring the VPN:
1) definition of 1st phase:
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 enable outside
and 2nd:
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
Now I define what traffic between LAN1 and LAN2 should be encrypted:
ASA1:
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
and ASA2:
access-list VPN extended permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0
Now, I configure tunnel groups:
ASA1:
tunnel-group 7.7.7.2 type ipsec-l2l
tunnel-group 7.7.7.2 ipsec-attributes
ikev1 pre-shared-key cisco123
!
and ASA2:
tunnel-group 7.7.7.1 type ipsec-l2l
tunnel-group 7.7.7.1 ipsec-attributes
ikev1 pre-shared-key cisco123
!
and crypto map:
ASA1:
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.2
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside
and ASA2:
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.1
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside
Let’s test the tunnel:
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#
asa1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 7.7.7.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
asa1# sh crypto ips
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer: 7.7.7.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 86047244
current inbound spi : 8B36069C
inbound esp sas:
spi: 0x8B36069C (2335573660)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914999/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x86047244 (2248438340)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914999/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
Ok, the tunnel is working fine, but the OSPF traffic is not sent over the tunnel. Let’s add a new ACE to the VPN ACL:
ASA1:
access-list VPN extended permit ospf interface outside host 7.7.7.2
and ASA2:
access-list VPN extended permit ospf interface outside host 7.7.7.1
Now we have to change how OSPF sends packets:
interface Ethernet0/0
ospf network point-to-point non-broadcast
!
Because we disabled broadcast for OSPF, I have to specify where the neighbor is located:
ASA1:
router ospf 150
neighbor 7.7.7.2 interface outside
ASA2:
router ospf 250
neighbor 7.7.7.1 interface outside
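Why the original ACE never selected OSPF and the new one does, as an added example that is not part of the original post: on a broadcast-type interface OSPF hellos go to the multicast address 224.0.0.5, while with a static neighbor they are unicast to 7.7.7.2. The function names and sample packets are constructed for illustration, and the model checks only protocol and addresses, as the ACEs above do.

```python
import ipaddress

OSPF = 89  # IP protocol number for OSPF

# Crypto ACL on ASA1 after the change, as (protocol, source, destination).
# None stands for "ip" (any protocol); "interface outside" is 7.7.7.1 on ASA1.
ASA1_VPN_ACL = [
    (None, "4.4.4.0/24", "5.5.5.0/24"),
    (OSPF, "7.7.7.1/32", "7.7.7.2/32"),
]

def matching_ace(acl, proto, src, dst):
    """Return the index of the first ACE that selects the packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (p, src_net, dst_net) in enumerate(acl):
        if p is not None and p != proto:
            continue
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return i
    return None

# Constructed sample packets: (description, IP protocol, source, destination)
PACKETS = [
    ("R1 ping to R2", 1, "4.4.4.1", "5.5.5.2"),
    ("OSPF hello, broadcast network type", OSPF, "7.7.7.1", "224.0.0.5"),
    ("OSPF hello, static neighbor", OSPF, "7.7.7.1", "7.7.7.2"),
]

def classify(acl=ASA1_VPN_ACL, packets=PACKETS):
    """Map each sample packet to the ACE that selects it (None = not selected)."""
    return {name: matching_ace(acl, proto, src, dst)
            for name, proto, src, dst in packets}

if __name__ == "__main__":
    for name, ace in classify().items():
        verdict = "not selected, sent in clear" if ace is None else f"selected by ACE {ace}"
        print(f"{name:36s} -> {verdict}")
```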
Now I clear the OSPF process and then check the OSPF status:
asa1# clear ospf process
ASA1:
asa1# sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
7.7.7.2 1 FULL/ - 0:00:37 7.7.7.2 outside
4.4.4.1 1 FULL/DR 0:00:37 4.4.4.1 inside
asa1#
As we see, ASA1 has a relationship with ASA2, but let’s confirm the packets are sent over the tunnel:
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ospf interface outside host 7.7.7.2
local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
current_peer: 7.7.7.2
#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 80, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E6E0B851
current inbound spi : 0C02D13A
inbound esp sas:
spi: 0x0C02D13A (201511226)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914994/28103)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE6E0B851 (3873486929)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914994/28103)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
Let’s test the ping from R1 to R2 once again:
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer: 7.7.7.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 77D43B99
current inbound spi : 8B7F07B0
inbound esp sas:
spi: 0x8B7F07B0 (2340358064)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914999/28752)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x77D43B99 (2010397593)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914999/28752)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ospf interface outside host 7.7.7.2
local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
current_peer: 7.7.7.2
#pkts encaps: 90, #pkts encrypt: 91, #pkts digest: 91
#pkts decaps: 90, #pkts decrypt: 90, #pkts verify: 90
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 91, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E6E0B851
current inbound spi : 0C02D13A
inbound esp sas:
spi: 0x0C02D13A (201511226)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914993/28005)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE6E0B851 (3873486929)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3914993/28003)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
We see two SAs: the first for IP traffic and the second for OSPF (one per access-list entry).
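The same check done by script, as an added example that is not part of the original post: it parses `sh crypto ipsec sa` text into one record per SA and confirms that a protocol-89 SA between the two outside addresses is passing packets in both directions. The function names are hypothetical, the sample is trimmed from the output above, and the parser assumes the output layout shown on this page.

```python
import re

# Trimmed from the `sh crypto ipsec sa` output above (two SAs on ASA1).
SAMPLE = """\
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1
access-list VPN extended permit ospf interface outside host 7.7.7.2
local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
#pkts encaps: 90, #pkts encrypt: 91, #pkts digest: 91
#pkts decaps: 90, #pkts decrypt: 90, #pkts verify: 90
"""

IDENT = re.compile(r"(local|remote) ident .*: \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER = re.compile(r"#([\w -]+?): (\d+)")

def parse_ipsec_sas(text):
    """Split the output into one dict per SA (one per crypto ACL entry)."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Crypto map tag:"):
            sas.append({"counters": {}})  # each SA section starts with this line
        elif sas and (m := IDENT.match(line)):
            side, addr, _mask, prot, _port = m.groups()
            sas[-1][side] = (addr, int(prot))
        elif sas and line.startswith("#"):
            sas[-1]["counters"].update((k, int(v)) for k, v in COUNTER.findall(line))
    return sas

def ospf_sa_active(sas, local, remote):
    """True if a protocol-89 SA between the peers shows encaps and decaps."""
    for sa in sas:
        if sa.get("local") == (local, 89) and sa.get("remote") == (remote, 89):
            c = sa["counters"]
            return c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) > 0
    return False

if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE)
    print(len(parsed), "SAs; OSPF encrypted:", ospf_sa_active(parsed, "7.7.7.1", "7.7.7.2"))
```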