aionescu (Staff)
Article Id 213464
Description

This article describes how to configure OSPF over an IPsec dynamic tunnel with net-device disable and mode config.

Scope

FortiGate
Solution

The topology consists of two FortiGates (a Hub and a Spoke) in a hub-and-spoke topology:

[Image: OSPF_Dialup_Topology.png]

While the VPN tunnel IP addresses (aka 'overlay IPs') of the spoke can be assigned manually, a more scalable solution for larger environments is to utilize IKE mode-config for dynamic address assignment. IKE mode-config will be used in this example deployment.

 

Configuration on the Hub:

IPsec Tunnel Interface configuration:

 

config system interface
    edit 'TO_SPOKES'
        set vdom 'root'
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0
        set interface 'port7'
    next
end

 

Notes:

  • The Hub is assigned a manual fixed address with a /32 subnet mask (set ip x.x.x.x 255.255.255.255), whereas the Spokes will receive IP addresses dynamically from the Hub after connecting to the VPN.
  • The address for remote-ip does not technically matter, as its function is to instruct the Hub FortiGate about the general subnet associated with the tunnel interface (e.g., 10.10.10.0/24 in the above setting). The last IP address of the subnet range is specified here (e.g., 10.10.10.254).

 

IPsec VPN configuration:

 

config vpn ipsec phase1-interface
    edit 'TO_SPOKES'
        set type dynamic
        set interface 'port7'
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable <----- Enable Hub to assign IP addresses to Spokes.
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set tunnel-search nexthop <----- Deprecated v7.0.1+ (no need to manually set this).
        set ipv4-start-ip 10.10.10.2 <----- Specify address pool and subnet mask for mode-config.
        set ipv4-end-ip 10.10.10.253
        set ipv4-netmask 255.255.255.0
        set psksecret ENC my_encrypted_password
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit 'TO_SPOKES'
        set phase1name 'TO_SPOKES'
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 1800
    next
end

 

Notes:

  • With net-device enable, mode-config allocates a /30 subnet for each dialup client if the Hub does not have a tunnel IP statically assigned (one IP for the Hub's VPN kernel interface, one for the Spoke, and the remaining two for the network and broadcast addresses). This consumes 4x the IPs from the mode-config pool per Spoke and can cause IP exhaustion; IKE debug will show 'could not allocate IPv4 address'. Switching to net-device disable (as recommended in this article) and statically assigning an address to the Hub tunnel interface prevents this issue.

  • The exchange-interface-ip setting allows FortiGate peers to advertise their assigned tunnel interface IPs to each other. This adds the connected/static routes between the peers that dynamic routing (BGP, OSPF, etc.) requires to function correctly.

  • The add-route disable option prevents routes from being automatically added based on Phase 2 selectors (useful to avoid routing conflicts with OSPF and other dynamic routing protocols).

 

OSPF configuration:

 

config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit 'TO_SPOKES'
            set interface 'TO_SPOKES'
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable <----- Optional (set on Hub and Spokes if IPsec interface MTU does not match).
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 172.16.103.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0 <----- Enable OSPF for the VPN overlay subnet.
        next
    end
end

 

Notes:

  • It is mandatory to set the hello-interval and dead-interval on the Hub's ospf-interface configuration entry since the default interval settings for network-type point-to-multipoint are different from network-type point-to-point used on the Spoke FortiGates (30 hello/120 dead vs. 10 hello/40 dead, respectively). If these intervals do not match between Hub and Spoke, then OSPF neighborships will not establish (they will not even enter the Init state).

  • The network-type point-to-multipoint is necessary for the Hub FortiGate since the singular dial-up tunnel breaks out to multiple point-to-point connections with the Spokes. It is not necessary to configure entries under the config neighbor sub-section for this deployment.
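As an added example (not part of this article or of FortiOS), a small Python checker that parses the Hub CLI above and reports the pitfalls the notes describe: net-device enable combined with mode-cfg, add-route or exchange-interface-ip left at the wrong value, and Hub OSPF timers left at their point-to-multipoint defaults so they never match the Spokes. HUB_CFG is a constructed, trimmed copy of the article's Hub settings, and the parse_fortios/check_hub names are hypothetical.

```python
# Constructed sample: a trimmed copy of this article's Hub settings (not a full FortiGate config).
HUB_CFG = """
config vpn ipsec phase1-interface
    edit 'TO_SPOKES'
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable
        set add-route disable
    next
end
config router ospf
    config ospf-interface
        edit 'TO_SPOKES'
            set network-type point-to-multipoint
            set hello-interval 10
            set dead-interval 40
        next
    end
end
"""

OSPF_DEFAULTS = {"point-to-multipoint": (30, 120), "point-to-point": (10, 40)}  # (hello, dead) per article notes

def parse_fortios(text):
    """Flatten FortiOS CLI into {'table/entry': {key: value}} by tracking config/edit/next/end nesting."""
    tables, path, entry = {}, [], ""
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config": path.append(" ".join(tok[1:]))
        elif tok[0] == "edit": entry = tok[1].strip("'\"")
        elif tok[0] == "set": tables.setdefault("/".join(path) + "/" + entry, {})[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next": entry = ""
        elif tok[0] == "end": path.pop()
    return tables

def check_hub(text):
    """Return the pitfalls this article warns about that a Hub config still exhibits (empty = clean)."""
    cfg = parse_fortios(text)
    p1, ospf = cfg["vpn ipsec phase1-interface/TO_SPOKES"], cfg["router ospf/ospf-interface/TO_SPOKES"]
    findings = []
    if p1.get("mode-cfg") == "enable" and p1.get("net-device") != "disable":
        findings.append("net-device enable with mode-cfg allocates a /30 per Spoke (pool exhaustion risk)")
    if p1.get("add-route") != "disable":
        findings.append("add-route must be disable so Phase 2 selector routes do not conflict with OSPF")
    if p1.get("exchange-interface-ip") != "enable":
        findings.append("exchange-interface-ip enable is needed for routes between the overlay IPs")
    dflt = OSPF_DEFAULTS[ospf["network-type"]]  # Hub p2mp defaults (30/120) must be overridden to match Spokes
    have = (int(ospf.get("hello-interval", dflt[0])), int(ospf.get("dead-interval", dflt[1])))
    if have != OSPF_DEFAULTS["point-to-point"]:
        findings.append(f"OSPF timers {have} do not match the Spokes' point-to-point defaults (10, 40)")
    return findings
```

Running check_hub over a Hub config with the timer lines removed reproduces the mismatch (30/120 vs. 10/40) that stops the neighborship from ever reaching Init.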

 

Configuration on the Spoke:

IPsec Tunnel Interface configuration:

 

config system interface
    edit 'TO_HUB'
        set vdom 'root'
        set allowaccess ping
        set type tunnel
        set interface 'port6'
    next
end

 

Note:

There is no need for manual IP address assignment on the Spokes since the Hub FortiGate will dynamically assign an IP address via mode-config.

 

IPsec VPN configuration:

 

config vpn ipsec phase1-interface
    edit 'TO_HUB'
        set interface 'port6'
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device enable <----- See notes below.
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 14
        set remote-gw 192.168.103.1
        set psksecret ENC my_encrypted_password
    next
end

config vpn ipsec phase2-interface
    edit 'TO_HUB'
        set phase1name 'TO_HUB'
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable <----- Spoke will automatically bring up Phase 2 without waiting for user traffic.
        set keylifeseconds 1800
    next
end

 

Notes:

  • For Spokes, the net-device must be set to enable when using SD-WAN and ADVPN, as SD-WAN relies on separate kernel interfaces being created for the VPN shortcut tunnels to function properly.

  • In this scenario, ADVPN is not used (just a simpler hub-and-spoke topology), so net-device can be safely set to disable on the Spokes if preferred (there is no downside to leaving net-device enable on the Spokes).

 

OSPF configuration:

 

config router ospf
    set router-id 10.10.10.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit 'TO_HUB'
            set interface 'TO_HUB'
            set mtu-ignore enable <----- Optional (set on Hub and Spokes if IPsec interface MTU does not match).
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.16.104.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0 <----- Enable OSPF for the VPN overlay subnet.
        next
    end
end

 

Note:

Spokes are set to network-type point-to-point since they only form neighborships back to the Hub FortiGate (the dialup VPN is a non-broadcast network, and so Spokes will not form neighborships with other Spokes).

 

Result:

Once the above configurations are applied to the Hub and Spoke, the Spoke FortiGates will be able to:

  1. Establish an IPsec tunnel.
  2. Receive an IP address dynamically from the Hub FortiGate.
  3. Establish a Full OSPF neighborship via multicast to the Hub FortiGate.

 

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State       Dead Time   Address       Interface
10.10.10.2        1   Full/ -     00:00:39    10.10.10.2    TO_SPOKES