Skip to main content
akristof
Staff
akristof
Staff
August 8, 2019

Technical Tip: How to configure OSPF with virtual link

  • August 8, 2019
  • 0 replies
  • 6860 views

Description

This article describes how to connect OSPF areas using a virtual link.

Scope

FortiGate.

Solution

In OSPF, all areas need to be connected directly to Area 0 (backbone). However, in some cases, it is not possible to physically connect the area to the backbone. For this purpose, virtual links can be used to establish a connection to the backbone area through a non-backbone area.

 

Virtual links are established between area border routers.

 

Diagram:

 

pmanak_1-1751926559193.png

 

Router IDs:

  • FGT1 – 1.1.1.1.
  • FGT2 – 2.2.2.2.
  • FGT3 – 3.3.3.3.

 

After basic OSPF configuration, all neighbors are in FULL state, but networks 200.0.x.0/24 are not reachable on FGT3.

 

FGT3 # get router info ospf neighbor

OSPF process 0, VRF 0:

Neighbor ID     Pri   State           Dead Time   Address         Interface

2.2.2.2           1   Full/ -         00:00:39    10.223.0.184    port1

 

FGT3 # get router info routing-table all

Routing table for VRF=0

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1

C       2.2.2.2/32 is directly connected, T

C       10.109.16.0/20 is directly connected, wan1

O IA    10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:06:50

C       10.223.0.0/20 is directly connected, port1

C       192.168.100.0/24 is directly connected, lan

 

To fix this, configure virtual links between FGT1 and FGT2. These routers are area border routers for area2/area1 and area1/area0, respectively.

 

Note:

The virtual link is configured between router IDs (not actual IP addresses). Also, the virtual link needs to be configured under the area that is used as transit – in THIS case, the transit area is Area1:

FGT1 # show router ospf

config router ospf

    set router-id 1.1.1.1

        config area

            edit 0.0.0.1

                config virtual-link

                    edit "Area1_Virtual_link"

                        set peer 2.2.2.2 <<< Router ID of the peer

                    next

                end

            next

            edit 0.0.0.2

            next

 

FGT2 # show router ospf

config router ospf

    set router-id 2.2.2.2

        config area

            edit 0.0.0.0

            next

            edit 0.0.0.1

                config virtual-link

                    edit "Area1_Virtual_link"

                        set peer 1.1.1.1 <<< Router ID of the peer

                    next

                end

            next

end

 

If necessary, virtual-link also supports MD5 authentication. See this article for more info: Technical Tip: How to configure OSPF MD5 authentication. After running the above commands, 200.0.x.0/24 routes are being learned by FGT3.

FGT2 # get router info ospf virtual-links

Virtual Link VLINK0 to router 1.1.1.1 is up

Process ID 0, VRF 0, Router ID 2.2.2.2, Cost: 1

Transit area 0.0.0.1 via interface port1

Local address 10.222.0.184/32

Remote address 10.222.0.85/32

Transmit Delay is 1 sec, State Point-To-Point,

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

Hello due in 00:00:05

Adjacency state Full

 

FGT2 # get router info ospf neighbor

OSPF process 0, VRF 0:

Neighbor ID     Pri   State           Dead Time   Address         Interface

1.1.1.1           1   Full/ -         00:00:40    10.222.0.85     port1

3.3.3.3           1   Full/ -         00:00:30    10.223.0.62     port2

1.1.1.1           1   Full/ -         00:00:38    10.222.0.85     VLINK0

 

FGT3 # get router info routing-table all

Routing table for VRF=0

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1

C       2.2.2.2/32 is directly connected, T

C       10.109.16.0/20 is directly connected, wan1

O IA    10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:19:09

C       10.223.0.0/20 is directly connected, port1

C       192.168.100.0/24 is directly connected, lan

O IA    200.0.0.0/24 [110/102] via 10.223.0.184, port1, 00:06:38

O IA    200.0.1.0/24 [110/102] via 10.223.0.184, port1, 00:06:38

O IA    200.0.2.0/24 [110/102] via 10.223.0.184, port1, 00:00:27

 

To troubleshoot the virtual-link issue, run the OSPF debugs.

 

FGT2 # diagnose debug reset
FGT2 # diagnose ip router ospf level info
FGT2 # diagnose ip router ospf events vlink enable
Debug messages will be on for 30 minutes.

FGT2 # diagnose debug console timestamp enable
FGT2 # diagnose debug enable

   FGT2 # 2026-01-13 21:59:39 [root] OSPF: VLINK[VLINK0]: receive packet, but link is down
   2026-01-13 21:59:40 [root] OSPF: VLINK[VLINK0]: outgoing interface is changed from (null) to     port3:x.x.x.x
   2026-01-13 21:59:40 [root] OSPF: VLINK[VLINK0]: local address is x.x.x.x
   2026-01-13 21:59:40 [root] OSPF: VLINK[VLINK0]: remote address is x.x.x.x
   2026-01-13 21:59:40 [root] OSPF: VLINK[VLINK0]: peer 1.1.1.1 link up
   2026-01-13 22:00:05 [root] OSPF: RECV[DD]: From 1.1.1.1 via VLINK0: Negotiation fails, packet     discarded
   2026-01-13 22:00:10 [root] OSPF: RECV[DD]: From 1.1.1.1 via VLINK0: Negotiation fails, packet     discarded
   2026-01-13 22:00:47 id=20302 msg="OSPF: %OSPF-5-ADJCHANGE: neighbor VLINK0-1.1.1.1 Up"

 

Related article:

Technical Tip: Basic OSPF configuration and MTU settings in OSPF
    Terms & ConditionsAccessibility statement