OSPF Routing

Eric Vyncke evyncke at CISCO.COM
Mon Jul 10 15:21:30 EDT 2000


Just a late reply...

Actually, it is a pretty common configuration for large scale (100+) VPN.

Using OSPF, or any other routing protocols, allows for:
- adding resilience and load balancing
- detecting failure of a remote peer (to avoid the issue of IKE keep-alives or
   enhanced ping or ...)
- adding some more dynamic changes (like addressing) without having
   to reconfigure the VPN

As I'm working for Cisco, I have only experience with Cisco routers, but,
the trick on our boxes is:
- define a tunnel interface (meaning using GRE encapsulation)
- protect the GRE tunnel by IPSec in transport mode (transport mode has
   much less overhead and the IPSec-transport+GRE has roughly the same
   overhead as IPSec-tunnel)
- run a routing process (can have multiple independent OSPF in the same box)
   which works only on the tunnel interface(s) and on the protected interface(s)
   NOT on the interface to the 'dirty' network.
- run a routing process only on the 'dirty' interfaces (this can be as simple
   as a default static route!)

Works like a charm :-)

-eric

At 15:44 05/07/2000 +0200, Standen Malcolm - mlsa wrote:

>Has anybody any experience or thoughts on using OSPF as the routing and advertising protocol in a VPN network, using the virtual interface to define/learn the routing for site-to-site multi-routed network traffic versus external non-corporate traffic?
>
>Regards
>
>Malcolm

Eric Vyncke
Senior Consulting Engineer         Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke at cisco.com          Mobile: +32-75-312.458
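
The four steps listed in the message above, sketched as a Cisco IOS configuration for one site. This is an added example, not part of the original post or Cisco's own sample: the interface names, the RFC 5737/RFC 1918 addresses, the key placeholder, the names GRE-TS and VPN, and the choice of crypto algorithms are all assumptions.

```cisco
! Constructed example: 192.0.2.1 is this router's 'dirty' address,
! 198.51.100.2 is the remote peer, 10.x is the protected side.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2
!
! Step 2: IPsec in transport mode; GRE already supplies the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints are protected
access-list 110 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address 110
!
! Step 1: the GRE tunnel interface
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 198.51.100.2
!
! 'Dirty' interface: carries the crypto map, runs no OSPF
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
! Protected interface
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! Step 3: the network statements match only the tunnel and the protected
! LAN, so no OSPF adjacency can form on Serial0
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! Step 4: routing on the 'dirty' side is a single default static route
ip route 0.0.0.0 0.0.0.0 192.0.2.2
```

On a live router, `show ip ospf interface` should list Tunnel0 and Ethernet0 only; Serial0 appearing there means a network statement is too broad.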