Meanwhile i tried your 2nd suggested workaround, and after a while i got it to work.
What have i done?
turned off redistribution of connected networks (be careful, you might loose access to the device)
under "OSPF Areas", i created Area 1 with the ID of 0.0.0.1
entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix
", this matches the subnet entered to OpenVPN under "Tunnel Settings" -> IPv4 Tunnel Network
under "OSPF Interfaces" i set the ovpn interface to be in Area 1
marked it as "Interface is Passive", because vpn clients do not need to participate in OSPF
and i changed the network type from "Not specified (default)" to "Point - multipoint"
With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from LAN from the beginning (after auth and a few basic thing was set up).
If i left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1 , other types seemingly did the trick. From the working ones i picked P-MP which sounds OK for the VPN clients subnet.
If i removed the summary from Area 1 config, and the if type was "p-mp" or any of the working iftypes from aboove, there was only a /32 host route announced with the ovpn server address, despite a few clients were connected. The iftypes which yielded no redistribution, still remained silent irregardless of the value of the summary network.
