FortiGate
sagha (Staff)
Article Id 197156

Description

 

This article describes how to configure OSPF over a dynamic (dial-up) IPsec VPN.

The setup consists of a hub and one or more spokes. The hub assigns tunnel IP addresses to the spokes through the dial-up VPN (mode-cfg), a dynamic IPsec tunnel is established between each spoke and the hub, and OSPF runs through that tunnel.

 

Scope

 

FortiGate.

Solution


Hub Configuration.

 

  1. Configure VPN phase-1.

 

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set ipv4-start-ip 10.1.1.4  
        set ipv4-end-ip 10.1.1.255
        set psksecret <secret>
    next
end

 

Note:

  • When configuring 'ipv4-start-ip' and 'ipv4-end-ip', the start address must be a multiple of a /30 subnet, i.e. the pool must begin on a /30 boundary.
  • In the configuration above, the first spoke is assigned the subnet 10.1.1.4/30 and the second spoke is assigned the subnet 10.1.1.8/30.
  • Within each /30, the first usable IP (for example 10.1.1.5) is assigned to the spoke, and the hub assigns the second usable IP (10.1.1.6) to itself.
  • If the start address is not on a /30 boundary, the FortiGate rejects the setting with the following error message: 'IPv4-start-ip must be be a multiple of a /30 subnet'.
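To check a hub phase-1 block against the /30 rule before pushing it, here is an added example (not Fortinet's code) that parses the 'set' lines, lists the spoke/hub address pairs the pool will yield, and also flags the des-md5 proposal, which is used above for illustration but is cryptographically weak. The phase-1 text is constructed from the block above with a placeholder secret.

```python
import ipaddress
import re

# Constructed sample: the hub phase-1 block from the article, trimmed to the
# settings this check needs, with the pre-shared key left as a placeholder.
HUB_PHASE1 = """
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set mode-cfg enable
        set proposal des-md5
        set ipv4-start-ip 10.1.1.4
        set ipv4-end-ip 10.1.1.255
        set psksecret <secret>
    next
end
"""

# Algorithms FortiOS still accepts in a proposal but which are no longer safe.
WEAK_ALGOS = {"des", "3des", "md5"}


def parse_settings(block):
    """Return {setting: value} for every 'set ...' line of a FortiOS block."""
    return dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", block, re.M))


def audit_hub_phase1(block):
    """Validate the mode-cfg pool and proposal of a dial-up phase-1 block.

    Returns (errors, warnings, assignments); assignments lists the
    (spoke_ip, hub_ip) pairs in the order the hub hands out /30 subnets.
    """
    s = parse_settings(block)
    errors, warnings, assignments = [], [], []
    start = ipaddress.IPv4Address(s["ipv4-start-ip"])
    last = ipaddress.IPv4Address(s["ipv4-end-ip"])
    if int(start) % 4 != 0:
        # Same condition FortiOS rejects: the pool must begin on a /30 boundary.
        errors.append("ipv4-start-ip must be a multiple of a /30 subnet")
    else:
        # Each spoke consumes one /30: first usable -> spoke, second -> hub.
        net = start
        while net + 3 <= last:
            assignments.append((str(net + 1), str(net + 2)))
            net += 4
    for prop in s.get("proposal", "").split():
        if WEAK_ALGOS & set(prop.split("-")):
            warnings.append(f"weak phase-1 proposal: {prop}")
    return errors, warnings, assignments
```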

 

  2. Configure VPN phase-2.

 

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

 

  3. Configure the tunnel interface.

 

config system interface
    edit "dial-up"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end

 

Note: There is no need to assign any IP address on the tunnel interface to make OSPF neighborship work. 

  4. Configure OSPF.

 

config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "dial-up"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end

    config redistribute "isis"
    end
end

 

  5. Configure the firewall policies.

 

config firewall policy
    edit 2
        set name "12"
        set uuid acb445b4-0d38-51ea-b14f-4aa6f8d95e2f
        set srcintf "dial-up"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "21"
        set uuid be577278-0d38-51ea-32eb-259a94e511b2
        set srcintf "internal"
        set dstintf "dial-up"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end

 

Spoke Configuration.

  1. Configure VPN phase-1.

 

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set remote-gw <IP>
        set psksecret <secret>
    next
end

 

  2. Configure VPN phase-2.

 

config vpn ipsec phase2-interface
    edit "dial-up-client-PHASE2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

 

  3. Configure the tunnel interface.

 

config system interface
    edit "dial-up-client"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "wan2"
    next
end

 

Note:

There is no need to assign any IP address on a tunnel interface to make OSPF neighborship work. 

  4. Configure OSPF.

 

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "dial-up-client"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end

    config redistribute "isis"
    end
end

 

  5. Configure the firewall policies.

 

config firewall policy
    edit 2
        set name "21"
        set uuid e8837c7c-0d42-51ea-ef68-ee882be1dd18
        set srcintf "internal"
        set dstintf "dial-up-client"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "12"
        set uuid f35734f4-0d42-51ea-9470-6c0f614f2997
        set srcintf "dial-up-client"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end

 

Troubleshooting:

 

get router info ospf interface

Hub-FGT # get router info ospf interface
dial-up_0 is up, line protocol is up
Internet Address 10.1.1.6/30, Area 0.0.0.0, MTU 1446     <----- 10.1.1.4/30 assigned to the first spoke; 10.1.1.6/30 assigned by the hub to itself.
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6075
Hello received 35 sent 35, DD received 5 sent 6
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
Loopback_2 is up, line protocol is up
Internet Address 2.2.2.2/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 100
No bandwidth information from kernel
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

Spoke-FGT # get router info ospf interface
dial-up-client is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0.0.0.0, MTU 1446     <----- 10.1.1.4/30 assigned to the first spoke; 10.1.1.5/30 assigned by the hub to the spoke.
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6022
Hello received 37 sent 39, DD received 6 sent 5
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
loopback_1 is up, line protocol is up
Internet Address 1.1.1.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 100
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

get router info ospf neighbor

Hub-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
1.1.1.1         1   Full/ -    00:00:34    10.1.1.5     dial-up_0

Spoke-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
2.2.2.2         1   Full/ -    00:00:41    10.1.1.6     dial-up-client

get router info routing-table connected

Hub-FGT # get router info routing-table connected
C 10.1.1.4/30 is directly connected, dial-up_0      <----- Dial-up /30 subnet of the first spoke.
C 10.1.1.6/32 is directly connected, dial-up_0      <----- Hub's local dial-up interface address.
C 10.1.1.8/30 is directly connected, dial-up_1      <----- Next /30 subnet, assigned to the second spoke.
C 10.1.1.10/32 is directly connected, dial-up_1     <----- Hub's local dial-up interface address.
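As an added example (not part of the article), the following script parses the hub's neighbor table and connected-route output shown above, embedded here as constructed sample strings, and reports any dial-up tunnel whose adjacency is not Full, whose addresses do not follow the first-usable (spoke) / second-usable (hub) split, or which carries a /30 with no OSPF neighbor at all, as dial-up_1 does in this output.

```python
import ipaddress
import re

# Constructed samples, copied from the hub's troubleshooting output above.
HUB_NEIGHBORS = """\
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
1.1.1.1         1   Full/ -    00:00:34    10.1.1.5     dial-up_0
"""
HUB_CONNECTED = """\
C 10.1.1.4/30 is directly connected, dial-up_0
C 10.1.1.6/32 is directly connected, dial-up_0
C 10.1.1.8/30 is directly connected, dial-up_1
C 10.1.1.10/32 is directly connected, dial-up_1
"""
# Neighbor columns: Neighbor ID, Pri, State/Role, Dead Time, Address, Interface.
NEIGHBOR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+?)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ROUTE_RE = re.compile(r"^C (\S+) is directly connected, (\S+)$", re.M)


def parse_neighbors(text):
    """Return one dict per neighbor row of 'get router info ospf neighbor'."""
    rows = [NEIGHBOR_RE.match(line) for line in text.splitlines()]
    return [{"id": m[1], "state": m[3], "address": m[6], "iface": m[7]} for m in rows if m]


def parse_connected(text):
    """Map each interface to its /30 dial-up subnet and its /32 local address."""
    routes = {}
    for prefix, iface in ROUTE_RE.findall(text):
        net = ipaddress.ip_network(prefix)
        key = "subnet" if net.prefixlen == 30 else "local"
        routes.setdefault(iface, {})[key] = net if key == "subnet" else net[0]
    return routes


def verify_dialup_adjacencies(neighbor_text, connected_text):
    """Return one problem string per dial-up tunnel that is not healthy."""
    problems, routes, seen = [], parse_connected(connected_text), set()
    for n in parse_neighbors(neighbor_text):
        seen.add(n["iface"])
        r = routes.get(n["iface"], {})
        subnet = r.get("subnet")
        if n["state"] != "Full":
            problems.append(f"{n['iface']}: neighbor {n['id']} is {n['state']}, not Full")
        if subnet is None or ipaddress.ip_address(n["address"]) != subnet[1]:
            problems.append(f"{n['iface']}: {n['address']} is not the first usable IP of its /30")
        elif r.get("local") != subnet[2]:
            problems.append(f"{n['iface']}: local {r.get('local')} is not the second usable IP of {subnet}")
    for iface in routes:
        if iface not in seen:
            problems.append(f"{iface}: tunnel is up but has no OSPF neighbor")
    return problems
```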

 

Note:

Due to the known issue (#1012615) regarding address ranges in the phase 2 selectors in v7.4.2 through v7.4.7, only the hub is able to ping all the spokes' tunnel interface IPs. For the spokes to be able to ping the hub's tunnel interface IP, the hub must have 'exchange-interface-ip' enabled in the phase 1 settings (see Configure dial-up (dynamic) VPN - FortiGate 6.4.5 administration guide), and the tunnel interface IP must be set manually.

 

For more information about the traffic drop, see Technical Tip: IPsec VPN traffic dropped as 'anti-spoof check failed, drop' after the upgrade to 7....

 

This issue has already been resolved in v7.4.8 and v7.6.3.

 

Related articles:

OSPF Dynamic IPsec VPN - Fortinet Cookbook

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Tip: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Tip: Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a F...

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel

Technical Tip: How to use exchange-interface-IP in IPsec Tunnel