Dynamic Routing Protocol (IGP) over IPsec VPN tunnels to branch offices?

  • What are the best practices for running an IGP to learn networks at HQ from branch offices when those offices connect via IPsec LAN-to-LAN VPN tunnels over the Internet? The branch offices terminate on Cisco VPN Concentrators that are being replaced with Cisco ASA-Xs.

    Is it better to let a dynamic routing protocol (IGP) -- in this case OSPF -- run directly through or to the firewalls (and across the tunnels), or is OSPF over GRE (through the firewalls, but not to the firewalls) the way to go, or is there some other option? We have too many static routes in place that need to be eliminated. The IPsec VPN branch offices are small and don't currently run an IGP other than statics, so consider it a clean slate on what to do with branch office routing. Routers exist beyond the firewalls and can be used for tunneling if needed.

    *Answers should focus on Cisco ASA-Xs in the mix, with L3 switches behind them to run any GRE tunnels if necessary.

  • Since you are using all ASA-X firewalls, I suggest you go with EIGRP and drop the GRE part: configure the IPsec VPN on the ASA.

    I had about 80+ branch offices connecting to the main site with IPsec VPN (although the tunnels were on routers, not on firewalls), and EIGRP played really well. EIGRP is much lighter in computation and has better performance than OSPF. Plus, EIGRP is a lot easier to troubleshoot and configure.

    As for GRE, you don't have that option (because you have ASA firewalls, not routers), and if you ask me, GRE is not the way to go with IPsec VPN anyway.
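The "OSPF over GRE through the firewalls, but not to the firewalls" option raised in the question, written out as an added configuration example; it is not part of the question or the answer above and is not a vendor-supplied template. Everything in it is hypothetical: HQ LAN 10.1.0.0/16 behind the HQ ASA (inside 10.1.0.1, L3 switch uplink 10.1.0.2), branch A LAN 10.10.0.0/16 (branch switch uplink 10.10.0.1), GRE endpoint loopbacks 10.254.0.1 (HQ) and 10.254.0.2 (branch), the /30 10.255.0.0/30 inside the tunnel, and ASA outside addresses 203.0.113.1 (HQ) and 198.51.100.1 (branch) from the documentation ranges. The ASA keeps its ordinary L2L IPsec tunnel, but the crypto ACL is narrowed to GRE between the two loopbacks, and OSPF runs only between the L3 switches, inside the GRE tunnel, with neighbor authentication and an inbound prefix filter. The firewall therefore never joins the routing domain, and a compromised branch can only advertise the prefixes it actually owns.

```cisco
!=== HQ L3 switch (IOS), behind the HQ ASA ===
interface Loopback0
 ip address 10.254.0.1 255.255.255.255
!
interface Tunnel10
 description GRE to branch A; OSPF runs inside this tunnel, not on the ASA
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 BRANCH-A-OSPF-KEY
 tunnel source Loopback0
 tunnel destination 10.254.0.2
 keepalive 10 3
!
! The far GRE endpoint must be reached via the ASA only, never via the
! tunnel itself, or the tunnel route becomes recursive and flaps.
ip route 10.254.0.2 255.255.255.255 10.1.0.1
!
! Accept only branch A's own prefixes from this neighbor, so a compromised
! branch cannot inject HQ, other-branch, or tunnel-endpoint routes.
ip prefix-list BRANCH-A-IN seq 10 permit 10.10.0.0/16 le 24
ip prefix-list BRANCH-A-IN seq 20 deny 0.0.0.0/0 le 32
!
router ospf 1
 router-id 10.254.0.1
 passive-interface default
 no passive-interface Tunnel10
 network 10.255.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.255.255 area 0
 distribute-list prefix BRANCH-A-IN in Tunnel10
!
!=== HQ ASA: existing L2L tunnel, crypto ACL narrowed to GRE ===
object network HQ-GRE-EP
 host 10.254.0.1
object network BRA-GRE-EP
 host 10.254.0.2
!
! Interesting traffic is GRE (IP protocol 47) between the two loopbacks only;
! every branch-to-HQ user flow rides inside that GRE tunnel.
access-list VPN-BRA extended permit gre object HQ-GRE-EP object BRA-GRE-EP
!
! Identity NAT so the GRE endpoints are not translated before encryption.
nat (inside,outside) source static HQ-GRE-EP HQ-GRE-EP destination static BRA-GRE-EP BRA-GRE-EP no-proxy-arp route-lookup
!
route inside 10.254.0.1 255.255.255.255 10.1.0.2
route outside 0.0.0.0 0.0.0.0 203.0.113.254
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-BRA
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
!
!=== Branch A L3 switch: mirror image of the HQ switch ===
interface Loopback0
 ip address 10.254.0.2 255.255.255.255
interface Tunnel10
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 BRANCH-A-OSPF-KEY
 tunnel source Loopback0
 tunnel destination 10.254.0.1
 keepalive 10 3
ip route 10.254.0.1 255.255.255.255 10.10.0.1
router ospf 1
 router-id 10.254.0.2
 passive-interface default
 no passive-interface Tunnel10
 network 10.255.0.0 0.0.0.255 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

The branch ASA is the mirror of the HQ ASA section (peer 203.0.113.1, the same crypto ACL with the objects swapped). Things to check before trusting it in production: the static /32 routes to the far loopback are what keeps OSPF from learning the tunnel endpoint through the tunnel, so leave the endpoints out of every OSPF `network` statement and out of the inbound prefix-list; `ip mtu 1400` and the MSS clamp account for the GRE and ESP overhead, otherwise large packets fragment or stall; the ASA's default `sysopt connection permit-vpn` lets the decrypted GRE bypass the outside interface ACL, so if you have disabled it you must explicitly permit `gre` from the branch loopback on the outside ACL. MD5 is used above because every IOS release supports it; on releases that support `ip ospf authentication key-chain`, an HMAC-SHA key chain is the better choice. Finally, one area 0 across all branches is fine for a handful of small sites; with tens of branches, put each region in its own area or summarize at the HQ switch so a branch link flap does not trigger an SPF run across the whole network.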

