OSPF Routing
Eric Vyncke
evyncke at CISCO.COM
Mon Jul 10 15:21:30 EDT 2000
Just a late reply...
Actually, it is a pretty common configuration for large scale (100+) VPN.
Using OSPF, or any other routing protocols, allows for:
- adding resilience and load balancing
- detecting failure of a remote peer (to avoid the issue of IKE keep-alives or
enhanced ping or ...)
- adding some more dynamic changes (like addressing) without having
to reconfigure the VPN
As I'm working for Cisco, I have only experience with Cisco routers, but,
the trick on our boxes is:
- define a tunnel interface (meaning using GRE encapsulation)
- protect the GRE tunnel by IPSec in transport mode (transport mode has
much less overhead and the IPSec-transport+GRE has roughly the same
overhead as IPSec-tunnel)
- run a routing process (can have multiple independent OSPF in the same box)
which works only on the tunnel interface(s) and on the protected interface(s)
NOT on the interface to the 'dirty' network.
- run a routing process only on the 'dirty' interfaces (this can be as simple
as a default static route!)
Works like a charm :-)
-eric
At 15:44 05/07/2000 +0200, Standen Malcolm - mlsa wrote:
>Has anybody any experience or thoughts on using OSPF as the routing and advertising protocol in a VPN network, using the virtual interface to define/learn the routing for site-to-site multi-routed network traffic versus external non-corporate traffic?
>
>Regards
>
>Malcolm
Eric Vyncke
Senior Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com Mobile: +32-75-312.458
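
A check for the interface split described in the message above, as an added example that is not part of the original post and not Cisco tooling: it parses a constructed IOS-style configuration and reports any OSPF process whose network statements cover the 'dirty' interface. The interface names, addresses and function names are assumptions.

```python
import ipaddress

# Constructed IOS-style configuration; names and addresses are placeholders.
CONFIG = """\
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 198.51.100.2
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
interface Serial0
 ip address 203.0.113.2 255.255.255.252
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'network <addr> <wildcard>' pair into an IPv4Network."""
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((int(ipaddress.ip_address(addr)) & mask, prefix))

def parse(config):
    """Return ({interface: primary address}, [(ospf_pid, network), ...])."""
    ifaces, ospf, section = {}, [], ["-"]
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line.startswith(" "):
            section = words                      # new top-level section
        elif section[0] == "interface" and words[:2] == ["ip", "address"]:
            ifaces.setdefault(section[1], ipaddress.ip_address(words[2]))
        elif section[:2] == ["router", "ospf"] and words[0] == "network":
            ospf.append((section[2], wildcard_to_network(words[1], words[2])))
    return ifaces, ospf

def ospf_on_dirty(config, dirty):
    """List (interface, ospf_pid) pairs where OSPF is enabled on a dirty interface."""
    ifaces, ospf = parse(config)
    return [(name, pid) for name in dirty if name in ifaces
            for pid, net in ospf if ifaces[name] in net]

if __name__ == "__main__":
    print(ospf_on_dirty(CONFIG, ["Serial0"]))    # expected: no findings
```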