Mar 21, 2013

Route-based IPsec VPN with OSPF

Some time ago, I wrote an article explaining how to set up a route-based VPN on an ASA. The reader wintermute000 asked me if it would be possible to use dynamic routing instead of adding a static route for every subnet that we want to be reached through the VPN tunnel. I told him it is possible, and now I'm going to show how.
We are going to use a similar topology and the same configuration presented in the article Route-based IPsec VPN on ASA, except that now we don't need static routes to the remote subnets.

Interfaces settings on local-asa:

interface Ethernet0/0
 no shutdown
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0.200
 vlan 200
 nameif vpn
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
 no shutdown

The VPN configuration is exactly the same as presented in the prior article. For static routing, apart from the default route through the outside interface, we just need one route to the remote peer through the vpn interface:

route outside 1
route vpn 1

For OSPF, we use the neighbor feature to add the remote peer as a static neighbor. This requires the tunnel sub-interface to be set as point-to-point non-broadcast; without that, the neighbor command has no effect:

interface Ethernet0/0.200
 ospf network point-to-point non-broadcast
router ospf 1
 network area 0
 network area 0
 neighbor interface vpn
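
As an added example that is not part of the original article, the following Python script audits an ASA configuration for the two things that have to be right for this static-neighbor setup to work: every interface named in a `neighbor ... interface` statement must carry `ospf network point-to-point non-broadcast`, and the neighbor address must sit on that interface's subnet. It generalises to any number of tunnel sub-interfaces; the embedded config and its addresses are constructed for the example, with vpn2 deliberately misconfigured.

```python
import ipaddress
import re
# Constructed ASA config fragment shaped like the article's local-asa (invented addresses).
SAMPLE_CONFIG = """\
interface Ethernet0/0.200
 nameif vpn
 ip address 10.0.200.1 255.255.255.252
 ospf network point-to-point non-broadcast
interface Ethernet0/0.300
 nameif vpn2
 ip address 10.0.201.1 255.255.255.252
router ospf 1
 neighbor 10.0.200.2 interface vpn
 neighbor 10.0.203.2 interface vpn2
"""

def parse_interfaces(config):
    """Return {nameif: set of sub-commands} for every interface block."""
    named, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = set()
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
            if line.split()[:1] == ["nameif"]:
                named[line.split()[1]] = current
        else:
            current = None  # left the interface block (e.g. at 'router ospf')
    return named

def static_neighbors(config):
    """Return {nameif: [peer, ...]} from 'neighbor <ip> interface <nameif>' lines."""
    found = {}
    for ip, name in re.findall(r"^ neighbor (\S+) interface (\S+)", config, re.M):
        found.setdefault(name, []).append(ip)
    return found

def audit(config):
    """List static-neighbor OSPF misconfigurations on the tunnel sub-interfaces."""
    ifaces, problems = parse_interfaces(config), []
    for name, peers in static_neighbors(config).items():
        cmds = ifaces.get(name, set())
        if "ospf network point-to-point non-broadcast" not in cmds:
            problems.append(f"{name}: neighbor set but interface is not non-broadcast")
        addr = next((c.split()[2:4] for c in cmds if c.startswith("ip address ")), None)
        net = addr and ipaddress.ip_network("/".join(addr), strict=False)
        for peer in peers:
            if not net or ipaddress.ip_address(peer) not in net:
                problems.append(f"{name}: neighbor {peer} is not on the interface subnet")
    return problems
```

Running `audit(SAMPLE_CONFIG)` reports both defects on vpn2 and nothing on vpn; feed it the output of `show running-config` to check a real box.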

Once the remote peer is configured the same way, the tunnel will be established and the OSPF adjacency will come up as well:

local-asa# show ipsec sa peer
peer address:
    Crypto map tag: VPN, seq num: 1, local addr:

      access-list enc-domain permit ip any any
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
      #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254

local-asa# show ospf neighbor vpn
Neighbor ID     Pri   State           Dead Time   Address         Interface
                1     FULL/  -        0:00:34                     vpn

Once the routers on both sides are added to the OSPF area, the network will converge and all local and remote subnets will be reachable from each other:

local-asa# show ospf neighbor inside
Neighbor ID     Pri   State           Dead Time   Address         Interface
                1     FULL/DR         0:00:36                     inside

local-asa# show route

Gateway of last resort is to network

O [110/11] via, 0:12:35, inside
O [110/21] via, 0:12:35, vpn
O [110/20] via, 0:12:35, vpn
C is directly connected, inside
O [110/20] via, 0:12:35, vpn
S [1/0] via, vpn
C is directly connected, vpn
C is directly connected, outside
S* [1/0] via, outside

local-router#show ip route

Gateway of last resort is to network

     is subnetted, 1 subnets
C is directly connected, Loopback0
O [110/31] via, 00:21:28, FastEthernet0/0
     is subnetted, 2 subnets
O [110/30] via, 00:21:28, FastEthernet0/0
C is directly connected, FastEthernet0/0
     is subnetted, 2 subnets
O [110/30] via, 00:21:28, FastEthernet0/0
O [110/20] via, 00:21:29, FastEthernet0/0
S* [1/0] via

local-router#show ip ospf database

            OSPF Router with ID ( (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
                                1371        0x80000006 0x005E84 2
                                1348        0x80000004 0x001172 2
                                1397        0x80000005 0x00CF93 3
                                1397        0x80000007 0x007E37 3

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
                                1456        0x80000001 0x0030AE
                                183         0x80000002 0x0023A8


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/92/144 ms


  1. Thanks for that, I'm guessing the secret command is to define OSPF non broadcast? (makes sense)

    And that if it's not defined as broadcast then your security is OK because you need to manually define your neighbors, so hence you could restrict it to only the tunnels you want?

    The ironic thing is it all seems much easier with IOS and VTIs.... but then you lose the wire speed ASA hardware.

    Great blog, and great work

    1. The "neighbor" command won't take place until you set the interface as non broadcast.

      Thanks for your feedback!

  2. This is not a scalable solution, you can only have 2 neighbors. What about 3 neighbors?

    1. It's possible to have additional neighbors. You add one sub-interface for each neighbor and use similar configs for IPsec and OSPF.

  3. Would it be possible to use EIGRP? Also it seems like one would be hampered quite a bit just to get dynamic routing protocols running through the ASA VPNs.

    Would it be crazy to suggest that the router be behind the ASA and just have the routers create a tunnel through the ASAs? I don't see this being done anywhere. Most everyone has their ASAs behind the routers. I just despise static routing enough to see if this is a viable solution/strategy.

    1. It doesn't work with EIGRP.

      The router behind the ASA works, but you still need to set up OSPF on the ASA, otherwise it won't learn how to reach the remote subnets and therefore won't route the traffic through the tunnel.