Description
This article describes how to configure OSPF over dynamic IPSEC VPN.
The setup consists of a hub and one or more spokes; the hub assigns IP addresses to the spokes over the dial-up VPN (IKE mode-config).
A dynamic IPsec tunnel is established between each spoke and the hub, and the OSPF adjacency is formed through that tunnel.
Solution
Hub Configuration.
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set ipv4-start-ip 10.1.1.4
        set ipv4-end-ip 10.1.1.255
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
config system interface
    edit "dial-up"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end
Note: There is no need to assign any IP address on the tunnel interface to make OSPF neighborship work.
config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "dial-up"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 2
        set name "12"
        set uuid acb445b4-0d38-51ea-b14f-4aa6f8d95e2f
        set srcintf "dial-up"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "21"
        set uuid be577278-0d38-51ea-32eb-259a94e511b2
        set srcintf "internal"
        set dstintf "dial-up"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end
Spoke Configuration.
config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set remote-gw <IP>
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-client-PHASE2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end
config system interface
    edit "dial-up-client"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "wan2"
    next
end
Note: There is no need to assign any IP address on a tunnel interface to make OSPF neighborship work.
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "dial-up-client"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 2
        set name "21"
        set uuid e8837c7c-0d42-51ea-ef68-ee882be1dd18
        set srcintf "internal"
        set dstintf "dial-up-client"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "12"
        set uuid f35734f4-0d42-51ea-9470-6c0f614f2997
        set srcintf "dial-up-client"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end
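The settings that have to agree between the two ends above are easy to get wrong when the hub and the spoke are edited separately. The following Python script is an added example, not Fortinet code and not part of the original article: it parses FortiOS-style CLI text into nested dictionaries and checks the phase1/phase2 pairing for the points this setup relies on (dynamic type and net-device on the hub, the same IKE version, mode-cfg on both ends so the spoke tunnel receives an address from the hub pool, add-route disabled on both ends so OSPF rather than IKE installs the routes, and at least one common proposal per phase). It also flags DES, 3DES and MD5 in the proposals; the configuration above uses them, and a production deployment would replace them with AES and SHA-2. The embedded configurations are trimmed copies of the hub and spoke configuration above; the weak-algorithm list and the check wording are my own assumptions.

```python
"""Added example (not Fortinet code): check that a FortiOS hub and spoke
phase1/phase2 configuration can form the dial-up tunnel OSPF will run over."""
import shlex

# Assumption: algorithms we refuse in a new deployment. SHA-1 as an HMAC is
# deprecated rather than broken, so it is deliberately not on this list.
WEAK_ALGOS = {"des", "3des", "md5"}

# Constructed sample input: trimmed copies of the configuration shown above.
HUB_CFG = """
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set ike-version 2
        set net-device enable
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set ipv4-start-ip 10.1.1.4
        set ipv4-end-ip 10.1.1.255
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
"""
SPOKE_CFG = """
config vpn ipsec phase1-interface
    edit "dial-up-client"
        set ike-version 2
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set remote-gw <IP>
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-client-PHASE2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS CLI text into nested dicts: 'config X' and 'edit Y' open a
    nested dict under key X / Y, 'set K V...' stores the value list, and
    'next' / 'end' close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, *args = shlex.split(line)
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set":
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced next/end")
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return root


def phase2_proposals(cfg, p1name):
    """Union of the phase2 proposals bound to the given phase1 name."""
    return {p for e in cfg.get("vpn ipsec phase2-interface", {}).values()
            if e.get("phase1name") == [p1name] for p in e.get("proposal", [])}


def check_pair(hub_text, spoke_text, hub_p1="dial-up", spoke_p1="dial-up-client"):
    """Return a list of findings; an empty list means the pairing is consistent."""
    hub, spoke = parse_fortios(hub_text), parse_fortios(spoke_text)
    h1 = hub["vpn ipsec phase1-interface"][hub_p1]
    s1 = spoke["vpn ipsec phase1-interface"][spoke_p1]
    findings = []
    if h1.get("type") != ["dynamic"]:
        findings.append("hub: phase1 needs 'set type dynamic' to accept dial-up spokes")
    if h1.get("net-device") != ["enable"]:
        findings.append("hub: enable net-device so each spoke gets its own dial-up_N interface")
    if h1.get("ike-version") != s1.get("ike-version"):
        findings.append(f"ike-version mismatch: hub {h1.get('ike-version')} vs spoke {s1.get('ike-version')}")
    if h1.get("mode-cfg") != ["enable"] or s1.get("mode-cfg") != ["enable"]:
        findings.append("mode-cfg must be enabled on both ends; it hands the spoke its tunnel address")
    for side, p1 in (("hub", h1), ("spoke", s1)):
        if p1.get("add-route") != ["disable"]:
            findings.append(f"{side}: add-route should be disabled so OSPF, not IKE, installs routes")
    if not set(h1.get("proposal", [])) & set(s1.get("proposal", [])):
        findings.append("no common phase1 proposal")
    hp2, sp2 = phase2_proposals(hub, hub_p1), phase2_proposals(spoke, spoke_p1)
    if not hp2 & sp2:
        findings.append("no common phase2 proposal")
    # Weak algorithms are reported last so that functional problems come first.
    for side, props in (("hub", set(h1.get("proposal", [])) | hp2),
                        ("spoke", set(s1.get("proposal", [])) | sp2)):
        for algo in sorted(props):
            if set(algo.split("-")) & WEAK_ALGOS:
                findings.append(f"weak: {side} proposal {algo} uses a deprecated algorithm")
    return findings


if __name__ == "__main__":
    for finding in check_pair(HUB_CFG, SPOKE_CFG):
        print(finding)
```

Run against the configuration above, the only findings are the four weak-algorithm notes (des-md5 and 3des-sha1 on each side); changing the spoke to IKE version 1 or re-enabling add-route on either end produces a functional finding ahead of them. The firewall policies are not checked here, so the OSPF service rules in both directions still need to be verified by hand.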
Troubleshooting:
Hub-FGT # get router info ospf interface
dial-up_0 is up, line protocol is up
Internet Address 10.1.1.6/30, Area 0.0.0.0, MTU 1446 <----- 10.1.1.4/30 is the subnet assigned for the first spoke; 10.1.1.6/30 is assigned by the hub to itself.
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6075
Hello received 35 sent 35, DD received 5 sent 6
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
Loopback_2 is up, line protocol is up
Internet Address 2.2.2.2/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 100
No bandwidth information from kernel
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Spoke-FGT # get router info ospf interface
dial-up-client is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0.0.0.0, MTU 1446 <----- 10.1.1.4/30 is the subnet assigned for the first spoke; 10.1.1.5/30 is assigned by the hub to the spoke.
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6022
Hello received 37 sent 39, DD received 6 sent 5
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
loopback_1 is up, line protocol is up
Internet Address 1.1.1.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 100
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hub-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 Full/ - 00:00:34 10.1.1.5 dial-up_0
Spoke-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 Full/ - 00:00:41 10.1.1.6 dial-up-client
Hub-FGT # get router info routing-table connected
C 10.1.1.4/30 is directly connected, dial-up_0 <----- Dial-up subnet of /30.
C 10.1.1.6/32 is directly connected, dial-up_0 <----- Dial-up local interface.
C 10.1.1.8/30 is directly connected, dial-up_1 <----- Next /30 subnet assigned to second Spoke.
C 10.1.1.10/32 is directly connected, dial-up_1 <----- Dial-up local interface.
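To turn the output above into a repeatable check, the following Python script is an added example, not Fortinet code and not part of the original article. It parses the "get router info ospf interface" and "get router info ospf neighbor" output of both ends, confirms that the two tunnel addresses fall in the same /30 handed out from the hub pool, that area, network type, hello/dead timers and MTU agree (an MTU mismatch is a classic reason for neighbors stuck in ExStart), and that each side sees the other end's tunnel address as a Full neighbor. The embedded output is copied from the hub and spoke output above; the interface names are parameters, and the field list is my own assumption about which lines matter.

```python
"""Added example (not Fortinet code): parse the OSPF interface and neighbor
output of both tunnel ends and verify the adjacency over the dial-up tunnel."""
import ipaddress
import re

# Constructed sample output, copied from the hub and spoke output above.
HUB_INTF = """\
dial-up_0 is up, line protocol is up
  Internet Address 10.1.1.6/30, Area 0.0.0.0, MTU 1446
  Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type POINTOPOINT, Cost: 10
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
"""
SPOKE_INTF = """\
dial-up-client is up, line protocol is up
  Internet Address 10.1.1.5/30, Area 0.0.0.0, MTU 1446
  Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type POINTOPOINT, Cost: 10
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
"""
HUB_NBR = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   Full/ -         00:00:34    10.1.1.5        dial-up_0
"""
SPOKE_NBR = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/ -         00:00:41    10.1.1.6        dial-up-client
"""

# (key, regex, converter) for the lines of one interface block; assumption on
# which fields matter for the adjacency check.
FIELDS = [
    ("address", r"Internet Address (\S+), Area", ipaddress.ip_interface),
    ("area", r"Area (\S+), MTU", str),
    ("mtu", r"MTU (\d+)", int),
    ("network_type", r"Network Type (\S+), Cost", str),
    ("hello", r"Hello (\d+)", int),
    ("dead", r"Dead (\d+)", int),
    ("adjacent", r"Adjacent neighbor count is (\d+)", int),
]


def parse_ospf_interfaces(text):
    """Map interface name -> dict with 'up' plus the FIELDS found in its block."""
    intfs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(\S+) is (\w+), line protocol is (\w+)", line)
        if head:
            cur = intfs[head.group(1)] = {"up": head.group(2) == head.group(3) == "up"}
            continue
        if cur is None:
            continue
        for key, pattern, conv in FIELDS:
            m = re.search(pattern, line)
            if m:
                cur[key] = conv(m.group(1))
    return intfs


def parse_ospf_neighbors(text):
    """Parse the neighbor table; the State column contains a space ('Full/ -'),
    so the columns are taken from both ends of the split line."""
    nbrs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t[0]):
            continue  # banner, header or prompt line
        nbrs.append({"id": t[0], "pri": int(t[1]), "state": "".join(t[2:-3]),
                     "dead": t[-3], "address": ipaddress.ip_address(t[-2]),
                     "interface": t[-1]})
    return nbrs


def check_adjacency(hub_if_text, spoke_if_text, hub_nbr_text, spoke_nbr_text,
                    hub_if="dial-up_0", spoke_if="dial-up-client"):
    """Return a list of problems; an empty list means the adjacency looks healthy."""
    hi = parse_ospf_interfaces(hub_if_text)[hub_if]
    si = parse_ospf_interfaces(spoke_if_text)[spoke_if]
    problems = []
    for side, i in (("hub", hi), ("spoke", si)):
        if not i["up"]:
            problems.append(f"{side}: tunnel interface is down")
    if hi["address"].network != si["address"].network:
        problems.append(f"tunnel ends are not in one /30: {hi['address']} vs {si['address']}")
    for key in ("area", "network_type", "hello", "dead", "mtu"):
        if hi[key] != si[key]:
            problems.append(f"{key} mismatch: hub {hi[key]} vs spoke {si[key]}")
    for side, nbr_text, own_if, peer in (("hub", hub_nbr_text, hub_if, si),
                                          ("spoke", spoke_nbr_text, spoke_if, hi)):
        nbrs = [n for n in parse_ospf_neighbors(nbr_text) if n["interface"] == own_if]
        if not nbrs:
            problems.append(f"{side}: no OSPF neighbor on {own_if}")
        for n in nbrs:
            if not n["state"].startswith("Full"):
                problems.append(f"{side}: neighbor {n['id']} stuck in {n['state']}")
            if n["address"] != peer["address"].ip:
                problems.append(f"{side}: neighbor address {n['address']} is not the peer tunnel address {peer['address'].ip}")
    return problems


if __name__ == "__main__":
    print(check_adjacency(HUB_INTF, SPOKE_INTF, HUB_NBR, SPOKE_NBR) or "adjacency OK")
```

With the output above the check returns no problems; lowering one side's MTU or a neighbor sitting in ExStart instead of Full is reported by side and field, which is the first thing to look at before touching the IPsec or firewall configuration.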
Copyright 2024 Fortinet, Inc. All Rights Reserved.