Using route-based VPNs for dynamic routing

Route-based VPNs can carry dynamic routing traffic between sites inside the VPN tunnel, protecting the confidentiality and integrity of that routing traffic.

Routing protocols, such as RIP, OSPF, and BGP, send non-routable multicast packets between routing devices, such as routers and firewalls. Because IPsec accepts only unicast traffic, these packets cannot be directly sent into IPsec tunnels. Instead, dynamic routing communications are forwarded to tunnel interfaces, which encapsulate the traffic and send it into the route-based VPN tunnel. The following configuration considerations apply when route-based VPNs are used to protect dynamic routing protocols:

  • The TTL value for the tunnel must be high enough to allow the packets to be routed through each hop in the route.
  • If IP addresses are defined for tunnel interfaces, the netmask must be defined according to the functionality of the interface. For OSPF, the peers must belong to the same subnet.
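The two considerations above can be checked before the tunnel goes live. The following Python is an added example (not vendor code); the interface names, addresses, TTL values and hop count are constructed sample values, and `check_tunnel_pair` is a hypothetical helper that reports a finding when a tunnel TTL does not cover the path or when the two tunnel interface addresses, each read with its own netmask, fall in different subnets.

```python
"""Sanity checks for a route-based VPN tunnel interface pair carrying OSPF.

Added example: models the two considerations from the text (tunnel TTL must
cover every hop; OSPF peers' tunnel addresses must share one subnet) over a
small constructed configuration. All values below are constructed samples.
"""
import ipaddress

# Constructed sample: each side's tunnel interface address with its netmask
# (CIDR notation) and the TTL configured on the tunnel.
TUNNEL_A = {"name": "tun-a", "addr": "10.255.0.1/30", "ttl": 64}
TUNNEL_B = {"name": "tun-b", "addr": "10.255.0.2/30", "ttl": 64}
# Constructed misconfiguration: netmask differs from the peer and TTL is too low.
BAD_B = {"name": "tun-b", "addr": "10.255.0.2/29", "ttl": 3}
PATH_HOPS = 7  # constructed: number of hops between the two VPN gateways


def same_subnet(addr_a: str, addr_b: str) -> bool:
    """OSPF forms an adjacency only if both tunnel addresses fall in the
    same network, where each network is derived from that side's own netmask."""
    net_a = ipaddress.ip_interface(addr_a).network
    net_b = ipaddress.ip_interface(addr_b).network
    return net_a == net_b


def check_tunnel_pair(a: dict, b: dict, hops: int) -> list:
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for side in (a, b):
        # Each hop decrements TTL, so the tunnel TTL must exceed the hop count.
        if side["ttl"] <= hops:
            findings.append(
                f"{side['name']}: ttl {side['ttl']} does not cover {hops} hops")
    if not same_subnet(a["addr"], b["addr"]):
        findings.append(
            f"{a['name']}/{b['name']}: tunnel addresses are not in the same subnet")
    return findings


if __name__ == "__main__":
    print(check_tunnel_pair(TUNNEL_A, TUNNEL_B, PATH_HOPS))
    print(check_tunnel_pair(TUNNEL_A, BAD_B, PATH_HOPS))
```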