gilbertog
New Member
April 16, 2018
Solved

OSPF over IPSec VPN Tunnel

  • April 16, 2018
  • 2 replies
  • 12854 views

Hi everyone.

I'm having some issues with an OSPF over IPsec configuration.

I have two FTGs connected by a VPN tunnel using the OSPF routing protocol. They work properly when configured as in this guide: https://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

As you can see, in this document they configure Phase 2 of the VPN tunnel with 0.0.0.0 as the local and remote addresses. The thing is, we need to set these addresses as the company has them (previously we had the tunnels configured with a static route and the local and remote subnets set in Phase 2), but when we set this up there is no OSPF traffic, so no OSPF routes appear in the routing table.

Thanks everyone.

 

Best answer by romanr

2 replies

emnoc
New Member
April 16, 2018

Can you explain what the problem is? 1st, do you see OSPF between the two tunnels? (diag sniffer packet <interfacename> "dst net 224")

Do you have neighborship?

Are you redistributing static/connected/etc.?

Ken


romanr
Answer
New Member
April 16, 2018

gilbertog wrote:

As you can see, in this document they configure Phase 2 of the VPN tunnel with 0.0.0.0 as the local and remote addresses. The thing is, we need to set these addresses as the company has them (previously we had the tunnels configured with a static route and the local and remote subnets set in Phase 2), but when we set this up there is no OSPF traffic, so no OSPF routes appear in the routing table.

Hi,

if you are running this configuration from FortiGate to FortiGate I would strongly suggest switching to IP wildcard selectors on your IPsec phase 2! Otherwise you are making things unnecessarily complex.

If you are not setting your phase 2 selectors with wildcards (0.0.0.0/0) you need to set up additional phase 2 selectors which will allow OSPF multicasts to happen (e.g. 224.0.0.0/24 should be fine for both sides of the tunnel).

Also the IP addresses of the tunnel interfaces must be reflected in your phase 2 settings...

Br,

Roman
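As an added illustration of Roman's point (this is not code from the thread or from Fortinet), the following Python check tests whether a set of phase-2 selector pairs admits the flows OSPF needs to traverse the tunnel: multicast to 224.0.0.5/224.0.0.6 and unicast between the tunnel-interface addresses. The LAN subnets, tunnel addresses and selector sets are constructed sample values, and the match logic is a simplification (addresses only, no protocol or port).

```python
from ipaddress import ip_address, ip_network

# OSPF multicast groups (RFC 2328): AllSPFRouters and AllDRouters.
OSPF_MULTICAST = ("224.0.0.5", "224.0.0.6")

# Constructed sample addressing (not from the thread): the LAN behind each
# FortiGate and the IP addresses assigned to the IPsec tunnel interfaces.
LOCAL_LAN, REMOTE_LAN = "10.1.0.0/24", "10.2.0.0/24"
LOCAL_TUNNEL_IP, REMOTE_TUNNEL_IP = "10.255.0.1", "10.255.0.2"

# Phase-2 selector sets as (local, remote) pairs, seen from the local side.
SUBNET_ONLY = [(LOCAL_LAN, REMOTE_LAN)]                 # the OP's setup
WITH_OSPF_SELECTORS = SUBNET_ONLY + [
    ("10.255.0.0/30", "224.0.0.0/24"),                  # OSPF multicast, per Roman
    ("10.255.0.0/30", "10.255.0.0/30"),                 # tunnel interface addresses
]
WILDCARD = [("0.0.0.0/0", "0.0.0.0/0")]                 # Roman's preferred option


def selector_admits(selectors, src, dst):
    """True if any (local, remote) pair covers the src -> dst flow.

    Simplification: a pair matches when src lies inside the local network
    and dst inside the remote network; protocols and ports are ignored.
    """
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(loc) and d in ip_network(rem)
               for loc, rem in selectors)


def ospf_flows(local_ip, remote_ip):
    """Flows the local router must push into the tunnel for OSPF to form:
    multicast hellos/updates plus unicast between the tunnel addresses."""
    return [(local_ip, grp) for grp in OSPF_MULTICAST] + [(local_ip, remote_ip)]


def blocked_ospf_flows(selectors, local_ip, remote_ip):
    """Return the OSPF flows no selector admits (an empty list means OK)."""
    return [(s, d) for s, d in ospf_flows(local_ip, remote_ip)
            if not selector_admits(selectors, s, d)]


if __name__ == "__main__":
    for name, sel in (("subnet only", SUBNET_ONLY),
                      ("with OSPF selectors", WITH_OSPF_SELECTORS),
                      ("wildcard", WILDCARD)):
        blocked = blocked_ospf_flows(sel, LOCAL_TUNNEL_IP, REMOTE_TUNNEL_IP)
        print(f"{name:20s} blocked: {blocked or 'none'}")
```

With subnet-only selectors every OSPF flow is reported as blocked, which matches the symptom in the question; adding the multicast and tunnel-address pairs, or using wildcards, clears the list.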

Toshi_Esumi
SuperUser
SuperUser
April 16, 2018

I agree with romanr. Then check OSPF neighboring with "get router info ospf neighbor" to see if it's established. You should see the "FULL" state as its status.