[c-nsp] OPSF over a Lan-to-Lan VPN tunnel
Teller, Robert
RTeller at deltadentalwa.com
Mon Dec 15 19:51:15 EST 2008
You are going to have to use a combination of GRE and ISAKMP to get this to work. Routing updates are not passed through vpns natively.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Per A
Sent: Monday, December 15, 2008 4:41 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel
This is an exersize in learning, and I'm getting stuck on the OSPF/Routing piece.
What I am wanting to do is build a Lan-to-Lan VPN network between a 2811 and a 3005. Once that is done, inner routers at each site will run OSPF/Routing Protocol and should populate routes between the sites.
I have built the VPN Lan-to-Lan sucessfully, but I am not able to get the Inner Routers to build neighbor relationships. Likely, I am missing something fundamental.
The outer/gateway/vpn devices at each site (2800 and 3005) are not participating in OSPF. I have configured the near and far side networks on each VPN device and have full connectivity between all clients at both sites. My challenge is to get the gateway devices to forward the OSPF Multicasts to the far side network and delivered to the Inner Router.
I understand that the Neighbor Relationship is built with Hello Messages between routers that share a common segment. I assumed that the VPN tunnel between sites would simulate this "common segment" function by identifying the multicast traffic as "interesting" and thus forward the multicast to the far end. To get to this, I used an access list to identify the source networks and then identified the destination as 224.0.0.5 0.0.0.0, thinking that the local VPN device would see the multicast communication from the Inner Router and encapsulate it for passage to the far end. Once arriving, the far end would un-encapsulate it and deliver it to the inside interface where the far end Inner Router would recieve the multicast Hello message.
Here is what the network looks like:
Site1_InnerRouter----Site1_3005----Internet----Site2_2811----Site2_InnerRouter
So my assumption is that this is not working because the two Inner Routers do not share the "common segment" which likely requires identical subnet/mask.
Is there any way to make this kind of environment work, or possibly an alternative solution where the Outer/VPN devices do not participate in the Routing Protocol but the Inner Routers do?
Thanks for any assistance you can offer.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
#########################################################
The information contained in this e-mail and subsequent attachments may be privileged,
confidential and protected from disclosure. This transmission is intended for the sole
use of the individual and entity to whom it is addressed. If you are not the intended
recipient, any dissemination, distribution or copying is strictly prohibited. If you
think that you have received this message in error, please e-mail the sender at the above
e-mail address.
#########################################################
More information about the cisco-nsp
mailing list