FortiGate
akristof
Staff
Article Id 195342
Purpose

This article explains how to connect OSPF areas using a virtual link.

OSPF requires every non-backbone area to be attached directly to Area 0 (the backbone). When an area cannot be physically connected to the backbone, a virtual link can be used to reach the backbone through an intermediate non-backbone area, called the transit area.

Virtual links are established between two area border routers (ABRs) that both belong to the transit area; one of them must also be attached to the backbone. The transit area cannot be a stub area.


Scope
Basic OSPF configuration with virtual-link.

Diagram

The diagram consists of three firewalls. Loopback interfaces on FGT1 simulate the networks in Area 2, which has no connection to the backbone area.

200.0.0.0/24 \
200.0.1.0/24  } AREA 2 -- FGT1 <-- AREA 1 (10.222.0.0/20) --> FGT2 <-- AREA 0 (10.223.0.0/20) --> FGT3
200.0.2.0/24 /


Router IDs:

FGT1 – 1.1.1.1

FGT2 – 2.2.2.2

FGT3 – 3.3.3.3


Expectations, Requirements
FortiGate or any other OSPF-capable router.
https://www.ietf.org/rfc/rfc2328.txt

Configuration

After the basic OSPF configuration, all neighbours are in the FULL state, but the 200.0.x.0/24 networks are not reachable from FGT3. FGT2 hears the Area 2 summary LSAs in Area 1, but an ABR only installs inter-area routes learned through the backbone, so it neither installs them nor re-advertises them into Area 0:

FGT3:

FGT3 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/ -         00:00:39    10.223.0.184    port1

 

FGT3 # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C       2.2.2.2/32 is directly connected, T
C       10.109.16.0/20 is directly connected, wan1
O IA    10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:06:50
C       10.223.0.0/20 is directly connected, port1
C       192.168.100.0/24 is directly connected, lan

 

To fix this, configure a virtual link between FGT1 and FGT2. FGT1 is the area border router between Area 2 and Area 1; FGT2 is the area border router between Area 1 and Area 0.

Important note: the virtual link is configured between router IDs, not interface IP addresses. It must also be configured under the area used as transit on both routers; in this example the transit area is Area 1:

 

FGT1:

FGT1 # show router ospf
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.1
            config virtual-link
                edit "Area1_Virtual_link"
                    set peer 2.2.2.2    <<< router ID of the peer (FGT2)
                next
            end
        next
        edit 0.0.0.2
        next
    end
end

 

FGT2:

FGT2 # show router ospf
config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            config virtual-link
                edit "Area1_Virtual_link"
                    set peer 1.1.1.1    <<< router ID of the peer (FGT1)
                next
            end
        next
    end
end


The virtual link also supports MD5 authentication, configured under the same virtual-link entry on both routers. Because the link carries backbone LSAs across the transit area, enabling it is recommended; the authentication type and key must match on both peers or the adjacency over the virtual link will not form.


Verification

FGT2 # get router info ospf virtual-links

Virtual Link VLINK0 to router 1.1.1.1 is up
  Process ID 0, VRF 0, Router ID 2.2.2.2, Cost: 1
  Transit area 0.0.0.1 via interface port1
  Local address 10.222.0.184/32
  Remote address 10.222.0.85/32
  Transmit Delay is 1 sec, State Point-To-Point,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Adjacency state Full

FGT2 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   Full/ -         00:00:40    10.222.0.85     port1
3.3.3.3           1   Full/ -         00:00:30    10.223.0.62     port2
1.1.1.1           1   Full/ -         00:00:38    10.222.0.85     VLINK0


The final check that the virtual link is working is that FGT3 now has three additional inter-area routes, one for each Area 2 network:

FGT3 # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C       2.2.2.2/32 is directly connected, T
C       10.109.16.0/20 is directly connected, wan1
O IA    10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:19:09
C       10.223.0.0/20 is directly connected, port1
C       192.168.100.0/24 is directly connected, lan
O IA    200.0.0.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA    200.0.1.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA    200.0.2.0/24 [110/102] via 10.223.0.184, port1, 00:00:27



Troubleshooting
If the virtual link does not come up, check that each peer is configured with the other router's router ID (not its interface address), that the virtual link is defined under the transit area (Area 1 in this example) on both area border routers, that the transit area is not a stub area, and that any authentication type and key match on both ends. "get router info ospf virtual-links" shows the transit area, the peer router ID and the adjacency state the router has actually derived from its configuration.
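The checks listed in the Configuration and Troubleshooting sections (same transit area on both ABRs, each peer set to the other router's router ID, backbone never used as transit, at least one end attached to Area 0, authentication agreed on both sides) can be applied mechanically to "show router ospf" output before the link is brought up. The following is an added example written for this article, not Fortinet code: it walks the nested config/edit/next/end structure of the FortiOS CLI and reports what would stop the link from forming. The fortigate_ospf generator, the check_virtual_link function and the mistyped-peer / backbone-as-transit case are constructed for illustration; the FGT1 and FGT2 values mirror the article.

```python
# Added example, not from the original article or Fortinet: parse the
# `show router ospf` output of two FortiGates and check the virtual-link
# rules the article relies on. All config text is constructed here.
from dataclasses import dataclass, field


@dataclass
class OspfConfig:
    router_id: str = ""
    areas: set = field(default_factory=set)
    vlinks: dict = field(default_factory=dict)  # transit area -> {"peer", "auth"}


def parse_ospf(text: str) -> OspfConfig:
    """Walk the nested config/edit/next/end blocks of FortiOS CLI output."""
    cfg = OspfConfig()
    stack = []  # names of the enclosing config/edit blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # prompts, annotations, blanks
            continue
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
        elif line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
            if stack == ["router ospf", "area"]:
                cfg.areas.add(name)
            stack.append(name)
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            parts = line.split()
            key, value = parts[1], parts[2] if len(parts) > 2 else ""
            if stack == ["router ospf"] and key == "router-id":
                cfg.router_id = value
            # path: router ospf / area / <area-id> / virtual-link / <link-name>
            elif len(stack) == 5 and stack[1] == "area" and stack[3] == "virtual-link":
                link = cfg.vlinks.setdefault(stack[2], {"peer": None, "auth": "none"})
                if key in ("peer", "authentication"):
                    link["peer" if key == "peer" else "auth"] = value
    return cfg


def check_virtual_link(a: OspfConfig, b: OspfConfig) -> list:
    """Return the problems found; an empty list means the link should form."""
    problems = []
    for cfg in (a, b):
        if "0.0.0.0" in cfg.vlinks:
            problems.append(f"{cfg.router_id}: link defined under area 0.0.0.0, "
                            "but the backbone cannot be the transit area")
    if "0.0.0.0" not in a.areas | b.areas:
        problems.append("neither end is in area 0.0.0.0, so the link never reaches the backbone")
    common = set(a.vlinks) & set(b.vlinks)
    if not common:
        problems.append(f"no common transit area: {sorted(a.vlinks)} on {a.router_id} "
                        f"vs {sorted(b.vlinks)} on {b.router_id}")
        return problems
    for area in sorted(common):
        va, vb = a.vlinks[area], b.vlinks[area]
        for src, dst, link in ((a, b, va), (b, a, vb)):
            if link["peer"] != dst.router_id:  # peer must be the other end's router ID
                problems.append(f"{src.router_id}: peer {link['peer']} in area {area} "
                                f"is not {dst.router_id}")
        if va["auth"] != vb["auth"]:
            problems.append(f"area {area}: authentication mismatch ({va['auth']} vs {vb['auth']})")
        elif va["auth"] == "none":
            problems.append(f"area {area}: virtual link is unauthenticated")
    return problems


def fortigate_ospf(router_id, areas, transit, peer, auth=None) -> str:
    """Emit `config router ospf` text in the shape shown in the article (hypothetical helper)."""
    lines = ["config router ospf", f"    set router-id {router_id}", "    config area"]
    for area in areas:
        lines.append(f"        edit {area}")
        if area == transit:
            lines += ["            config virtual-link", '                edit "Area1_Virtual_link"',
                      f"                    set peer {peer}"]
            if auth:
                lines.append(f"                    set authentication {auth}")
            lines += ["                next", "            end"]
        lines.append("        next")
    lines += ["    end", "end"]
    return "\n".join(lines)


# Constructed to mirror the article's FGT1 and FGT2 (no authentication configured).
FGT1_CFG = fortigate_ospf("1.1.1.1", ["0.0.0.1", "0.0.0.2"], "0.0.0.1", "2.2.2.2")
FGT2_CFG = fortigate_ospf("2.2.2.2", ["0.0.0.0", "0.0.0.1"], "0.0.0.1", "1.1.1.1")
# Hypothetical misconfiguration: link placed under area 0 with a mistyped peer.
FGT2_BAD_CFG = fortigate_ospf("2.2.2.2", ["0.0.0.0", "0.0.0.1"], "0.0.0.0", "1.1.1.2")


def check_pair(cfg_a: str, cfg_b: str) -> list:
    return check_virtual_link(parse_ospf(cfg_a), parse_ospf(cfg_b))


if __name__ == "__main__":
    for label, other in (("article config", FGT2_CFG), ("misconfigured FGT2", FGT2_BAD_CFG)):
        print(f"{label}:", check_pair(FGT1_CFG, other) or ["no problems found"])
```

Run against the article's configuration the only finding is that the link is unauthenticated; against the misconfigured FGT2 it reports the backbone used as transit and the absence of a common transit area, which is exactly what "get router info ospf virtual-links" would show as a link that never leaves the Down state.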
