VPN/IPsec with OSPF

April 23, 2012 Leave a comment


IPSEC TUNNEL WITH OSPF

 

 

hostname Left
!
interface Loopback11
ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
ip address 10.10.10.2 255.255.255.0
no keepalive
!
router ospf 11
log-adjacency-changes
network 10.10.10.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1

hostname Right
!
interface Loopback22
ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0
ip address 20.20.20.2 255.255.255.0
no ip directed-broadcast
!
router ospf 22
log-adjacency-changes
network 20.20.20.0 0.0.0.255 area 0
network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1

ASA LOCAL
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0

!— This line allows the unicast of OSPF over the IPsec tunnel.

ospf network point-to-point non-broadcast

!— This line is optional and not required for OSPF to work.
!— Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
!— These access control list (ACL) entries define
!— interesting traffic for IPsec encryption and allow
!— the traffic to bypass NAT. Note that OSPF is permitted and only
!— in the crypto ACL.

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
!
!— Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!

!— This is OSPF.
!— Note: You must define the outside network of the remote peer.

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0

!— This is where OSPF is told where the
!— PEER is located.

neighbor 40.40.40.2 interface outside
log-adj-changes

!— This is a host based static. This is not always
!— necessary, but recommended to prevent recursive routing loops when
!— OSPF comes up over the IPsec tunnel.

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

!
!— This is the IPsec and IKE/ISAKMP configuration.
!— Make sure basic IPsec connectivity is present
!— before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

===============================================================

ASA REMOTE
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0

!— This line allows the unicast of OSPF over to
!— the IPsec tunnel.

ospf network point-to-point non-broadcast

!— This line is optional and not required for OSPF to work.
!— Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco

!
!— These ACL entries define interesting traffic for IPsec encryption and allow
!— the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.

same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1

!
!— Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!

!— This is OSPF.
!— Note: You must define the remote peer’s outside network.

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0

!— This is where the OSPF is told where the PEER is located.

neighbor 30.30.30.1 interface outside
log-adj-changes
!

!— This is a host based static. This is not always necessary, but recommended to
prevent recursive routing loops when OSPF comes up over the IPsec tunnel.

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

!
!— This is the IPsec configuration. Make sure basic IPsec connectivity is present
before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

!
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Filed under IP SERVICES