FortiGate
tpatel, Staff
Article Id 331645
Description

This article describes how to achieve OSPF routing over a site-to-site VPN tunnel.

Scope

FortiGate.
Solution

In its default configuration, OSPF will not work through a pure IPsec tunnel (one without GRE or similar encapsulation). OSPF uses multicast traffic to discover and communicate with neighbors, and a pure IPsec tunnel does not carry multicast.

This is why GRE is often used together with IPsec for OSPF (and other multicast-dependent) deployments: GRE is capable of transmitting multicast traffic.

Another way to run OSPF over an IPsec tunnel that does not support multicast is to change the OSPF network type, for example to point-to-point. By default the network type is broadcast, which relies on multicast traffic for neighbor discovery.

 

Create an IPsec tunnel on the local FortiGate and the remote FortiGate.

Primary FortiGate configuration.

Configure VPN phase 1:

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ipsec (Created by VPN wizard)"
        set remote-gw 10.9.10.198
        set psksecret ENC 9O4yQRw8YoDXz54KIsc9l+wBlTle2LPs854rEguoJINkaw5x9vNMMzx6ukmEUVOaHpvwrGelglYfL8n4Sf4wQfs3KSfqFUXUCjkVXPm5xLYsHOsN0MSThuR02IEbtQgyWh2S9Dx4Dybuv42c2JCPOzJ8w+9cJoDCQQyZMVEs45kz9IuhThR98zNX/45sBtXZn9lVkllmMjY3dkVA
    next
end

 

Configure VPN phase 2:

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ipsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "ipsec_local"
        set dst-name "ipsec_remote"
    next
end

 

IPsec configuration on the remote FortiGate:

config vpn ipsec phase1-interface
    edit "ipsec_test"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ipsec_test (Created by VPN wizard)"
        set remote-gw 10.9.12.2
        set psksecret ENC o6/cfZl62xMpdGCe4C6vP0tAuD8r6uwoAbk4I7jPhzNjWdAkPMSKjeKEp3R2gzNZWNRc2USG8f5B9iKfFb4442noqCbRE9vEj5g5qWGT93q/Bm3p0f60lCGo1T+UShth03ToxZGFGY1CTp3f1ahlOCEANCxNwnzP3pTUwrIaSfvn9h9CJPT+sKoQ1nj9I2pv/kg1A==
    next
end

 

Configure phase 2 on the remote FortiGate:

config vpn ipsec phase2-interface
    edit "ipsec_test"
        set phase1name "ipsec_test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ipsec_test (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "ipsec_test_local"
        set dst-name "ipsec_test_remote"
    next
end

 

Assign IP addresses to the IPsec tunnel interfaces on both firewalls.

Local FortiGate tunnel interface:

config system interface
    edit "ipsec"
        set vdom "root"
        set ip 192.168.26.2 255.255.255.255
        set type tunnel
        set remote-ip 192.168.26.1 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end

 

Remote FortiGate tunnel interface:

config system interface
    edit "ipsec_test"
        set vdom "root"
        set ip 192.168.26.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.26.2 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end

 

Note: The remote-ip must be configured with a mask that covers both tunnel interface IPs, such as /30 instead of /32. This ensures that the peer addresses are in the same subnet with the same mask, so that the OSPF adjacency can form.

Create firewall policies on both FortiGates between the internal network interface and the tunnel interface, in both directions. The policies below are the ones on the primary FortiGate.

config firewall policy
    edit 3
        set name "vpn_ipsec_remote_0"
        set uuid 39fdf9c6-5436-51ef-6a01-a4e0daf731af
        set srcintf "ipsec"
        set dstintf "port3"
        set action accept
        set srcaddr "ipsec_remote"
        set dstaddr "ipsec_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set name "vpn_ipsec_local_0"
        set uuid 39edd0be-5436-51ef-e5f4-7904f63d87a8
        set srcintf "port3"
        set dstintf "ipsec"
        set action accept
        set srcaddr "ipsec_local"
        set dstaddr "ipsec_remote"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
end

 

OSPF configuration on the primary FortiGate:

config router ospf
    set router-id 192.168.26.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ipsec"
            set interface "ipsec"
            set network-type point-to-point
        next
    end
    config network
        edit 2
            set prefix 192.168.26.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

 

OSPF configuration on the secondary FortiGate:

config router ospf
    set router-id 192.168.26.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ipsec"
            set interface "ipsec_test"
            set network-type point-to-point
        next
    end
    config network
        edit 2
            set prefix 192.168.26.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
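As an added pre-check (not part of this article and not Fortinet tooling), the following Python parses a FortiOS configuration excerpt and flags the two settings the procedure above depends on: a remote-ip mask that places both tunnel IPs in one shared subnet, and the point-to-point OSPF network type on the tunnel interface. The sample configuration is constructed from the primary FortiGate's values, and the function names are assumptions.

```python
import ipaddress
# Constructed sample (not the article's verbatim config): the primary FortiGate's
# tunnel interface plus the OSPF interface setting this procedure relies on.
SAMPLE_CFG = """
config system interface
    edit "ipsec"
        set ip 192.168.26.2 255.255.255.255
        set remote-ip 192.168.26.1 255.255.255.252
    next
end
config router ospf
    config ospf-interface
        edit "ipsec"
            set interface "ipsec"
            set network-type point-to-point
        next
    end
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):      # open a nested scope
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word == "set":                 # "set key value [value ...]"
            key, _, val = rest.partition(" ")
            stack[-1][key] = val.replace('"', "")
        elif word in ("next", "end"):       # close the current scope
            stack.pop()
    return stack[0]

def check_ospf_over_ipsec(cfg, tunnel):
    """Return the reasons OSPF would fail to form an adjacency over `tunnel`."""
    problems = []
    intf = cfg.get("system interface", {}).get(tunnel, {})
    local = ipaddress.ip_address(intf.get("ip", "0.0.0.0 0").split()[0])
    rip, rmask = intf.get("remote-ip", "0.0.0.0 255.255.255.255").split()
    peer_net = ipaddress.ip_network(f"{rip}/{rmask}", strict=False)
    # The article's /30 note: both tunnel IPs must sit inside one shared subnet.
    if peer_net.prefixlen == 32 or local not in peer_net:
        problems.append(f"{tunnel}: remote-ip {peer_net} does not contain local {local}")
    ospf_if = cfg.get("router ospf", {}).get("ospf-interface", {}).values()
    match = [v for v in ospf_if if v.get("interface") == tunnel]
    # The default broadcast type needs multicast, which pure IPsec does not carry.
    if not match or match[0].get("network-type") != "point-to-point":
        problems.append(f"{tunnel}: OSPF network-type must be point-to-point")
    return problems
```

Paste a `show system interface` / `show router ospf` excerpt into `SAMPLE_CFG` to check a real box; an empty list means both prerequisites are met.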

 

Troubleshooting:

Use the sniffer to confirm that OSPF packets (IP protocol 89) are both sent and received over the IPsec tunnel:

diagnose sniffer packet any " proto 89 " 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[ proto 89 ]
2024-08-07 09:52:28.737463 ipsec out 192.168.26.2 -> 224.0.0.5:  ip-proto-89 48
2024-08-07 09:52:30.241473 ipsec in 192.168.26.1 -> 224.0.0.5:  ip-proto-89 48

 

Check the OSPF interface state (output from the primary FortiGate, network type POINTOPOINT):

get router info ospf interface
ipsec is up, line protocol is up
  Internet Address 192.168.26.2/32, Area 0.0.0.0, MTU 1420
  Process ID 0, VRF 0, Router ID 192.168.26.2, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 71621
  Hello received 232 sent 232, DD received 4 sent 5
  LS-Req received 1 sent 1, LS-Upd received 7 sent 9
  LS-Ack received 8 sent 6, Discarded 0

 

Verify that the neighbor state is Full on both FortiGates.

Primary FortiGate:

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.1      1   Full/ -         00:00:34    192.168.26.1    ipsec(tun-id:10.9.10.198)

Secondary FortiGate:

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.2      1   Full/ -         00:00:34    192.168.26.2    ipsec_test(tun-id:10.9.12.2)

Routing table on the secondary FortiGate, showing the remote networks learned through OSPF (O E2) over the tunnel:

get router info routing-table all
S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C       10.9.0.0/20 is directly connected, port1
O E2    192.168.12.0/24 [110/10] via ipsec_test tunnel 10.9.12.2, 00:37:01, [1/0]
O E2    192.168.13.0/24 [110/10] via ipsec_test tunnel 10.9.12.2, 00:36:24, [1/0]