Solution
OSPF is enabled automatically on any interface whose IP address falls inside one of the networks advertised in the OSPF configuration. However, there are situations where OSPF does not become active on an interface.
Scenario 1: In some OSPF implementations the OSPF router ID is selected automatically as the highest IP address of a loopback interface or, if there is no loopback, the IP address of any active physical interface.
FortiOS, however, requires a manually configured router ID. Without one it will neither send nor respond to OSPF hello packets on any interface, and the following command produces no output at all:
FortiGate # get router info ospf interface
To configure router ID over CLI:
FortiGate # config router ospf
FortiGate(ospf) # set router-id x.x.x.x
FortiGate(ospf) # end
Note: The router ID can be any unique IP address that identifies the OSPF peer; OSPF does not require reachability to the router ID in order to establish a neighborship.
After the router ID has been configured manually, OSPF is enabled on the interfaces whose IP addresses fall inside the network statements.
The following is a sample output:
FortiGate # get router info ospf interface
wan1 is up, line protocol is up
  Internet Address 10.21.4.140/22, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 9.9.9.9, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State Backup, Priority 1
  Designated Router (ID) 1.1.1.1, Interface Address 10.21.7.49
  Backup Designated Router (ID) 9.9.9.9, Interface Address 10.21.4.140
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 2306995
  Hello received 19 sent 20, DD received 4 sent 5
  LS-Req received 1 sent 1, LS-Upd received 3 sent 4
  LS-Ack received 3 sent 2, Discarded 0
Area3 is up, line protocol is up ------> Here Area3 is the name of an IPSec interface.
  Internet Address 3.3.3.2/32, Area 3.3.3.3, MTU 1420
  Process ID 0, VRF 0, Router ID 9.9.9.9, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 2306995
  Hello received 19 sent 19, DD received 4 sent 4
  LS-Req received 1 sent 1, LS-Upd received 3 sent 3
  LS-Ack received 2 sent 2, Discarded 0
Scenario 2: Even after the router ID has been added, an OSPF neighborship over an IPSec tunnel may still fail to come up. By default an IPSec tunnel interface has no IP addresses configured, and without them OSPF cannot be activated on the tunnel interface.
It is therefore suggested to configure local and remote IP addresses on both sides of the IPSec tunnel, and then advertise that IPSec interface network under the OSPF settings to enable OSPF on the tunnel interface. Here is a sample configuration for reference:
config system interface
    edit "Area3"
        set vdom "root"
        set ip 3.3.3.2 255.255.255.255 -------> Local IP of the IPSec interface; on the remote IPSec peer this IP is used as the remote-ip.
        set allowaccess ping
        set type tunnel
        set remote-ip 3.3.3.1 255.255.255.252 ----> This IP is supposed to be configured on the tunnel interface of the remote peer.
        set snmp-index 30
        set interface "wan1"
    next
end
config router ospf
    set router-id 9.9.9.9
    config area
        edit 1.1.1.1
        next
        edit 3.3.3.3
        next
        edit 0.0.0.0
        next
    end
    config network
        edit 3
            set prefix 3.3.3.0 255.255.255.252 ---------> Advertising the IPSec tunnel network to enable OSPF on the tunnel interface.
            set area 3.3.3.3
        next
        edit 4
            set prefix 10.21.4.0 255.255.255.0
        next
    end
end
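The three things the sample configuration has to agree on (a router ID is set, the tunnel interface has a local and a remote IP, and both addresses fall inside a prefix advertised under `config network` in a defined area) can be verified offline before the change is pushed. The Python example below is added here and is not Fortinet's code or part of the original article: it parses FortiOS `config/edit/set/next/end` text into nested dictionaries and checks every `type tunnel` interface against the OSPF network statements. The configuration text is constructed from the sample above, `NO_IP_CONFIG` is a constructed variant with the tunnel addresses left at their default, and the assumption that an unset `ip`/`remote-ip` reads as 0.0.0.0 and an unset network `area` defaults to 0.0.0.0 is this example's.

```python
import shlex
from ipaddress import ip_address, ip_network

# Tunnel interface and OSPF settings from the article, constructed here as one
# text (annotation arrows removed).
GOOD_CONFIG = """\
config system interface
    edit "Area3"
        set vdom "root"
        set ip 3.3.3.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 3.3.3.1 255.255.255.252
        set snmp-index 30
        set interface "wan1"
    next
end
config router ospf
    set router-id 9.9.9.9
    config area
        edit 1.1.1.1
        next
        edit 3.3.3.3
        next
        edit 0.0.0.0
        next
    end
    config network
        edit 3
            set prefix 3.3.3.0 255.255.255.252
            set area 3.3.3.3
        next
        edit 4
            set prefix 10.21.4.0 255.255.255.0
        next
    end
end
"""

# Constructed variant: the same tunnel with no local/remote IP, which is the
# default state the article's Scenario 2 describes.
NO_IP_CONFIG = GOOD_CONFIG.replace("        set ip 3.3.3.2 255.255.255.255\n", "") \
                          .replace("        set remote-ip 3.3.3.1 255.255.255.252\n", "")


def parse_fortios(text):
    """Turn FortiOS 'config / edit / set / next / end' text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names such as "Area3"
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":            # e.g. "config system interface"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":            # table entry, e.g. edit "Area3"
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":             # attribute: values kept as a list
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def check_tunnel_ospf(cfg):
    """Return findings for tunnel interfaces on which OSPF will not come up."""
    findings = []
    ospf = cfg.get("router ospf", {})
    if "router-id" not in ospf:
        findings.append("router-id is not set under 'config router ospf'")
    # Advertised prefixes; an entry without 'set area' is assumed to be area 0.0.0.0.
    advertised = []
    for entry in ospf.get("network", {}).values():
        addr, mask = entry["prefix"]
        area = entry.get("area", ["0.0.0.0"])[0]
        advertised.append((ip_network(f"{addr}/{mask}", strict=False), area))
        if area not in ospf.get("area", {}):
            findings.append(f"network {addr}/{mask} refers to undefined area {area}")
    for name, itf in cfg.get("system interface", {}).items():
        if itf.get("type", [""])[0] != "tunnel":
            continue
        local = itf.get("ip", ["0.0.0.0"])[0]          # assumed default when unset
        remote = itf.get("remote-ip", ["0.0.0.0"])[0]
        if local == "0.0.0.0" or remote == "0.0.0.0":
            findings.append(f"{name}: tunnel has no local/remote IP, OSPF will not activate on it")
            continue
        covering = [net for net, _ in advertised if ip_address(local) in net]
        if not covering:
            findings.append(f"{name}: local IP {local} is not inside any OSPF network prefix")
        elif ip_address(remote) not in covering[0]:
            findings.append(f"{name}: remote IP {remote} is outside the advertised prefix {covering[0]}")
    return findings


if __name__ == "__main__":
    for label, text in (("article config", GOOD_CONFIG), ("tunnel without IPs", NO_IP_CONFIG)):
        print(f"{label}: {check_tunnel_ospf(parse_fortios(text)) or 'OK'}")
```

Running the same check against the peer's configuration (where `ip` and `remote-ip` are swapped) confirms that both ends of the /30 are advertised in the same area before the tunnel is brought up.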
Related article:
Technical Tip: OSPF with IPSec VPN for network redundancy