Description
This article describes how to achieve OSPF routing over a site-to-site VPN tunnel.
Scope
FortiGate.
Solution
In its default configuration, OSPF will not form an adjacency through a pure IPsec tunnel (without GRE or similar encapsulation). OSPF discovers neighbors with Hello packets sent to the multicast group 224.0.0.5, and a pure IPsec tunnel is not a multicast-capable multi-access segment. This is why GRE is often combined with IPsec for OSPF (and other multicast-dependent) deployments: GRE carries the multicast traffic and IPsec protects the GRE packets. The alternative, used here, is to change the OSPF network type on the tunnel interface. The default network type, broadcast, assumes a shared segment with neighbor discovery over multicast and a DR/BDR election; setting the tunnel interface to point-to-point makes OSPF treat it as a link with exactly one neighbor, so no DR/BDR election takes place and the adjacency forms directly over the IPsec interface.
Create an IPsec tunnel on the local (primary) FortiGate and on the remote FortiGate. The configurations below were produced by the VPN wizard.

Primary FortiGate configuration.

Configure VPN phase-1:

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ipsec (Created by VPN wizard)"
        set remote-gw 10.9.10.198
        set psksecret ENC 9O4yQRw8YoDXz54KIsc9l+wBlTle2LPs854rEguoJINkaw5x9vNMMzx6ukmEUVOaHpvwrGelglYfL8n4Sf4wQfs3KSfqFUXUCjkVXPm5xLYsHOsN0MSThuR02IEbtQgyWh2S9Dx4Dybuv42c2JCPOzJ8w+9cJoDCQQyZMVEs45kz9IuhThR98zNX/45sBtXZn9lVkllmMjY3dkVA
    next
end

Note: the psksecret ENC value is the encrypted form that 'show' prints for this unit and cannot be copied to another FortiGate. When reproducing the configuration, enter the pre-shared key in clear text with 'set psksecret <key>' (it must be identical on both peers); FortiOS stores it encrypted.

Configure VPN phase-2:

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ipsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "ipsec_local"
        set dst-name "ipsec_remote"
    next
end

IPsec configuration on the remote FortiGate:

config vpn ipsec phase1-interface
    edit "ipsec_test"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ipsec_test (Created by VPN wizard)"
        set remote-gw 10.9.12.2
        set psksecret ENC o6/cfZl62xMpdGCe4C6vP0tAuD8r6uwoAbk4I7jPhzNjWdAkPMSKjeKEp3R2gzNZWNRc2USG8f5B9iKfFb4442noqCbRE9vEj5g5qWGT93q/Bm3p0f60lCGo1T+UShth03ToxZGFGY1CTp3f1ahlOCEANCxNwnzP3pTUwrIaSfvn9h9CJPT+sKoQ1nj9I2pv/kg1A==
    next
end

Configure phase 2 on the remote FortiGate:

config vpn ipsec phase2-interface
    edit "ipsec_test"
        set phase1name "ipsec_test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ipsec_test (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "ipsec_test_local"
        set dst-name "ipsec_test_remote"
    next
end
Assign IP addresses to the IPsec tunnel interfaces on both firewalls.

Local (primary) FortiGate tunnel interface:

config system interface
    edit "ipsec"
        set vdom "root"
        set ip 192.168.26.2 255.255.255.255
        set type tunnel
        set remote-ip 192.168.26.1 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end

Remote FortiGate tunnel interface:

config system interface
    edit "ipsec_test"
        set vdom "root"
        set ip 192.168.26.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.26.2 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end

Note: Both tunnel endpoints must belong to one shared subnet. The tunnel interface's own address is configured as a host address (/32), but the mask given with 'set remote-ip' must describe the shared transit subnet, here 192.168.26.0/30 (255.255.255.252), not /32. With a /30 remote-ip mask FortiOS installs the connected route for 192.168.26.0/30 on the tunnel interface and both peers see each other in the same subnet with the same mask, which is what allows the adjacency to form. Use the same /30 on both sides.
Firewall policies on the primary FortiGate (created by the VPN wizard) allowing traffic between the local LAN on port3 and the remote subnet through the tunnel:

config firewall policy
    edit 3
        set name "vpn_ipsec_remote_0"
        set uuid 39fdf9c6-5436-51ef-6a01-a4e0daf731af
        set srcintf "ipsec"
        set dstintf "port3"
        set action accept
        set srcaddr "ipsec_remote"
        set dstaddr "ipsec_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set name "vpn_ipsec_local_0"
        set uuid 39edd0be-5436-51ef-e5f4-7904f63d87a8
        set srcintf "port3"
        set dstintf "ipsec"
        set action accept
        set srcaddr "ipsec_local"
        set dstaddr "ipsec_remote"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
end
OSPF configuration on the primary FortiGate. The tunnel interface is placed in area 0.0.0.0 with network type point-to-point, and connected routes are redistributed so the LAN prefixes reach the other side:

config router ospf
    set router-id 192.168.26.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ipsec"
            set interface "ipsec"
            set network-type point-to-point
        next
    end
    config network
        edit 2
            set prefix 192.168.26.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
OSPF configuration on the secondary (remote) FortiGate. The ospf-interface entry is named "ipsec" but binds to the tunnel interface "ipsec_test"; the entry name is only a label, the 'set interface' value is what matters:

config router ospf
    set router-id 192.168.26.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ipsec"
            set interface "ipsec_test"
            set network-type point-to-point
        next
    end
    config network
        edit 2
            set prefix 192.168.26.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
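The tunnel addressing and OSPF settings above have to agree on both units: one shared /30, host addresses that are actually usable in it, a /30 mask on remote-ip, a matching 'config network' prefix and network type point-to-point. The following script is an added example, not Fortinet code: it validates a pair of tunnel endpoints with the standard-library ipaddress module and renders the interface and OSPF stanzas for one end, so the same values are emitted for both FortiGates instead of being typed twice. Interface names, the 192.168.26.0/30 transit subnet and the router IDs are taken from the article; the 'set area' line under 'config network' and the network entry index are assumptions (FortiOS defaults the area to 0.0.0.0, which is why the article omits it).

```python
"""Validate and render FortiGate OSPF-over-IPsec point-to-point settings.

Added example, not Fortinet's own code. Tunnel names, the /30 transit
subnet and router IDs are the article's; everything else is assumed.
"""
from __future__ import annotations

import ipaddress


def check_transit_link(local_ip: str, remote_ip: str, prefixlen: int = 30) -> ipaddress.IPv4Network:
    """Return the shared subnet both tunnel endpoints must sit in.

    Raises ValueError when the two addresses are not two distinct usable
    hosts of one /<prefixlen>; that mismatch leaves the IPsec tunnel up but
    the OSPF neighbor never reaches Full.
    """
    local = ipaddress.IPv4Address(local_ip)
    remote = ipaddress.IPv4Address(remote_ip)
    if local == remote:
        raise ValueError("tunnel endpoints must use different addresses")
    subnet = ipaddress.IPv4Network(f"{local}/{prefixlen}", strict=False)
    if remote not in subnet:
        raise ValueError(f"{remote} is outside {subnet}; peers must share one /{prefixlen}")
    usable = set(subnet.hosts())  # a /30 has exactly two usable host addresses
    for addr in (local, remote):
        if addr not in usable:
            raise ValueError(f"{addr} is the network or broadcast address of {subnet}")
    return subnet


def is_valid_transit_link(local_ip: str, remote_ip: str, prefixlen: int = 30) -> bool:
    """Boolean wrapper around check_transit_link for quick pre-checks."""
    try:
        check_transit_link(local_ip, remote_ip, prefixlen)
        return True
    except ValueError:
        return False


def render_config(tunnel: str, wan_if: str, local_ip: str, remote_ip: str,
                  router_id: str, area: str = "0.0.0.0") -> str:
    """Render 'config system interface' and 'config router ospf' for one end."""
    subnet = check_transit_link(local_ip, remote_ip)
    mask = str(subnet.netmask)
    lines = [
        "config system interface",
        f'    edit "{tunnel}"',
        '        set vdom "root"',
        f"        set ip {local_ip} 255.255.255.255",  # own address stays a /32 host address
        "        set type tunnel",
        f"        set remote-ip {remote_ip} {mask}",  # the remote-ip mask defines the shared /30
        f'        set interface "{wan_if}"',
        "    next",
        "end",
        "config router ospf",
        f"    set router-id {router_id}",
        "    config area",
        f"        edit {area}",
        "        next",
        "    end",
        "    config ospf-interface",
        f'        edit "{tunnel}"',
        f'            set interface "{tunnel}"',
        "            set network-type point-to-point",  # single-neighbor link, no DR/BDR election
        "        next",
        "    end",
        "    config network",
        "        edit 1",  # assumed index
        f"            set prefix {subnet.network_address} {mask}",
        f"            set area {area}",  # assumed explicit; FortiOS default is 0.0.0.0
        "        next",
        "    end",
        '    config redistribute "connected"',
        "        set status enable",
        "    end",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # The article's two ends: primary uses .2, remote uses .1 in 192.168.26.0/30.
    print(render_config("ipsec", "port1", "192.168.26.2", "192.168.26.1", "192.168.26.2"))
    print()
    print(render_config("ipsec_test", "port1", "192.168.26.1", "192.168.26.2", "192.168.26.1"))
```

Running the script prints both ends' stanzas; feeding an address pair such as 192.168.26.2 and 192.168.26.5 makes check_transit_link raise before anything is rendered, which is the error to catch on a desk before it shows up as an adjacency stuck below Full.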
Troubleshooting:

On the primary FortiGate, confirm that OSPF packets (IP protocol 89) are both leaving and entering the tunnel interface. The Hellos are still addressed to 224.0.0.5 on a point-to-point link; what changes is that OSPF no longer expects a DR/BDR on the segment:

diagnose sniffer packet any " proto 89 " 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[ proto 89 ]
2024-08-07 09:52:28.737463 ipsec out 192.168.26.2 -> 224.0.0.5: ip-proto-89 48
2024-08-07 09:52:30.241473 ipsec in 192.168.26.1 -> 224.0.0.5: ip-proto-89 48

Check that the tunnel interface is running OSPF with network type POINTOPOINT and has one adjacent neighbor:

get router info ospf interface
ipsec is up, line protocol is up
  Internet Address 192.168.26.2/32, Area 0.0.0.0, MTU 1420
  Process ID 0, VRF 0, Router ID 192.168.26.2, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 71621
  Hello received 232 sent 232, DD received 4 sent 5
  LS-Req received 1 sent 1, LS-Upd received 7 sent 9
  LS-Ack received 8 sent 6, Discarded 0

Primary FortiGate neighbor table. The state 'Full/ -' is expected: the adjacency is Full and the role column is empty because there is no DR/BDR on a point-to-point link:

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.1      1   Full/ -         00:00:34    192.168.26.1    ipsec(tun-id:10.9.10.198)

Secondary FortiGate neighbor table:

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.2      1   Full/ -         00:00:34    192.168.26.2    ipsec_test(tun-id:10.9.12.2)

Routing table on the secondary FortiGate. The primary's connected LAN prefixes arrive as OSPF external type 2 routes (O E2) because they are redistributed rather than advertised from an OSPF-enabled interface, and they point into the tunnel:

get router info routing-table all
S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C       10.9.0.0/20 is directly connected, port1
O E2    192.168.12.0/24 [110/10] via ipsec_test tunnel 10.9.12.2, 00:37:01, [1/0]
O E2    192.168.13.0/24 [110/10] via ipsec_test tunnel 10.9.12.2, 00:36:24, [1/0]
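The three checks above answer one question in a fixed order: are Hellos leaving the tunnel, are Hellos coming back, and did the neighbor reach Full. The script below is an added example, not FortiOS code. It parses the text that 'diagnose sniffer packet' and 'get router info ospf neighbor' print and reduces it to a single verdict, which is handy when the outputs are collected from a remote unit and read offline. The "Full" sample is the article's own output; the stuck-in-Init neighbor table is constructed to exercise the failure path, and the verdict strings are this example's own vocabulary.

```python
"""Offline checker for OSPF-over-IPsec troubleshooting output.

Added example, not FortiOS code. Parses the output of
'diagnose sniffer packet any "proto 89" 4 0 l' and
'get router info ospf neighbor' and returns one verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF Hellos use this group even on point-to-point links

# "192.168.26.1      1   Full/ -   00:00:34    192.168.26.1    ipsec(tun-id:10.9.10.198)"
NEIGHBOR_RE = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>[\w-]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)"
)
# "2024-08-07 09:52:28.737463 ipsec out 192.168.26.2 -> 224.0.0.5: ip-proto-89 48"
SNIFFER_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+ip-proto-89\b"
)


@dataclass
class Neighbor:
    neighbor_id: str
    state: str      # Down, Init, 2-Way, ExStart, Exchange, Loading, Full
    role: str       # DR/BDR/DROther on broadcast links, '-' on point-to-point
    address: str
    interface: str  # tunnel name without the '(tun-id:...)' suffix


def parse_neighbors(text: str) -> list[Neighbor]:
    """Parse 'get router info ospf neighbor' output; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            found.append(Neighbor(m["nid"], m["state"], m["role"], m["addr"], m["iface"].split("(")[0]))
    return found


def hello_directions(sniffer_text: str, iface: str) -> set[str]:
    """Directions ('in'/'out') in which OSPF packets to 224.0.0.5 were seen on iface."""
    seen = set()
    for line in sniffer_text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m and m["iface"] == iface and m["dst"] == ALL_SPF_ROUTERS:
            seen.add(m["dir"])
    return seen


def diagnose(neighbor_text: str, sniffer_text: str, iface: str) -> str:
    """Return 'full', 'no-hello-out', 'no-hello-in', 'stuck:<state>' or 'no-neighbor'."""
    peers = [n for n in parse_neighbors(neighbor_text) if n.interface == iface]
    if any(n.state == "Full" for n in peers):
        return "full"
    dirs = hello_directions(sniffer_text, iface)
    if "out" not in dirs:
        return "no-hello-out"   # OSPF is not running on this tunnel: check config network / ospf-interface
    if "in" not in dirs:
        return "no-hello-in"    # nothing from the peer: tunnel down or OSPF not enabled on the far side
    if peers:
        return f"stuck:{peers[0].state}"  # Hellos both ways, no adjacency: network type, timers, area or /30
    return "no-neighbor"        # Hellos both ways but peer rejected: Hello parameter mismatch


# Sample output from the article (primary FortiGate).
NEIGHBOR_OK = """OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.1      1   Full/ -         00:00:34    192.168.26.1    ipsec(tun-id:10.9.10.198)
"""
SNIFFER_BOTH = """2024-08-07 09:52:28.737463 ipsec out 192.168.26.2 -> 224.0.0.5: ip-proto-89 48
2024-08-07 09:52:30.241473 ipsec in 192.168.26.1 -> 224.0.0.5: ip-proto-89 48
"""
# Constructed: the same peer stuck in Init, to exercise the failure path.
NEIGHBOR_STUCK = """OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.26.1      1   Init/ -         00:00:34    192.168.26.1    ipsec(tun-id:10.9.10.198)
"""
SNIFFER_OUT_ONLY = SNIFFER_BOTH.splitlines()[0] + "\n"

if __name__ == "__main__":
    print(diagnose(NEIGHBOR_OK, SNIFFER_BOTH, "ipsec"))         # full
    print(diagnose(NEIGHBOR_STUCK, SNIFFER_OUT_ONLY, "ipsec"))  # no-hello-in
```

Run it against the two outputs captured on the unit you are troubleshooting; the interface argument is the tunnel name as shown by 'get router info ospf interface' (ipsec on the primary, ipsec_test on the remote), and the '(tun-id:...)' suffix that the neighbor table appends is stripped before comparison.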
Copyright 2025 Fortinet, Inc. All Rights Reserved.