Description
This article describes how to establish two OSPF neighbors over a single IPsec dial-up tunnel interface.
Scope
For FortiOS version 6.2.5.
Solution
Diagram.
Configuration.
FortiGate dial-up server.
IPsec Configuration.
# Dial-up IKE phase 1 on the hub (dial-up server).
# 'type dynamic' accepts peers whose address is not known in advance, and
# 'net-device enable' makes FortiOS create one child tunnel interface per
# dial-up peer (the 'tunnel netdev_0' / 'tunnel netdev_1' interfaces seen in
# the troubleshooting output). One interface per spoke is what lets OSPF form
# a separate adjacency with each spoke.
config vpn ipsec phase1-interface
edit "tunnel netdev"
set type dynamic
set interface "port1"
# 'peertype any' with a pre-shared key: every peer that presents the PSK is
# accepted. NOTE(review): lab setting -- in production narrow the accepted
# peers (peer ID or certificate authentication) so the PSK alone is not
# sufficient to bring up a tunnel.
set peertype any
set net-device enable
# NOTE(review): the proposal list still offers SHA-1 integrity variants;
# keep only the SHA-256 entries if all spokes support them.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
# No static route is installed per dial-up peer; reachability behind each
# spoke is learned through OSPF instead.
set add-route disable
# Dead peer detection runs only when the tunnel is idle (retry interval set
# below), presumably so that a dead spoke's child interface, and with it the
# OSPF adjacency, is eventually removed -- confirm against the DPD docs.
set dpd on-idle
# ADVPN auto-discovery: the hub also forwards shortcut offers between spokes.
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
# 'ENC ...' is the shared secret as stored by the authoring device; when
# reproducing this configuration, enter the shared secret in cleartext instead.
set psksecret ENC 0S4yt76mhwUoRqNHybMB129Cur3TcH4XGXZfgXUW9WGkRkZoChYn+rToYo+4saEFRBpbn9YjpqFq2ngL4HvdcPUma8S+n/Fv47clMcWdhPDQjd2R5uP5nuyyA8bQd9XxMa4/HjaRQvDMlVm+04qVnyX056QZ/hR4rC2tmnkcx+Pe5iWDFQUc1J5HWQrdrAK9NR6i/g==
set dpd-retryinterval 60
next
end
# IPsec phase 2 bound to the dial-up phase 1 above. No selectors are set, so the
# defaults apply. NOTE(review): the list mixes SHA-1 CBC suites with AEAD
# suites (GCM, ChaCha20-Poly1305); trimming the SHA-1 entries is advisable once
# all spokes are known to support the stronger ones.
config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
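# Tunnel interface of the hub. The hub uses 1.1.1.1/32 on the tunnel and a
# /24 remote-ip (1.1.2.0/24) that covers both spoke tunnel addresses
# (1.1.2.1 and 1.1.2.2), which is why 'C 1.1.2.0/24' shows up as directly
# connected on 'tunnel netdev' in the routing table below.
config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
# NOTE(review): administrative access is enabled on the tunnel address,
# including plain HTTP; in production restrict this to what the spokes
# actually need (ping is enough for reachability checks).
set allowaccess ping https http
set type tunnel
set remote-ip 1.1.2.1 255.255.255.0
set snmp-index 12
set interface "port1"
# Fixed: the original listing had 'Next'; FortiOS CLI keywords are lowercase.
next
end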
Firewall policy.
# Hub firewall policies: one per direction between the LAN (port2) and the
# dial-up tunnel. Both are 'all'/'all'/'ALL' accept rules with full logging.
# NOTE(review): lab-grade scope; in production restrict srcaddr/dstaddr/service
# to the spoke and hub subnets that need to talk.
config firewall policy
# LAN -> spokes
edit 2
set name "firewall 2"
set uuid adb63976-e916-51ea-0712-bf025b038caa
set srcintf "port2"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments " (Copy of firewall1)"
next
# spokes -> LAN
edit 1
set name "firewall1"
set uuid a875bb08-e916-51ea-7641-255f83075c3d
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
OSPF configuration on FortiGate dial-up server.
# OSPF on the hub. The router ID equals the hub tunnel address (1.1.1.1).
config router ospf
set router-id 1.1.1.1
config area
edit 0.0.0.0
next
end
# The OSPF interface entry is bound to the parent dial-up interface; the
# neighbors in 'get router info ospf neig' are reported on the per-spoke
# child interfaces ('tunnel netdev_0', 'tunnel netdev_1'). Point-to-point
# skips DR/BDR election, which is appropriate for a hub-to-spoke link.
# NOTE(review): no 'authentication' is set on the OSPF interface and the
# stat output below reports "Area has no authentication"; enabling OSPF
# interface authentication keeps an unexpected peer on the tunnel from
# forming an adjacency and injecting routes.
config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# Networks that activate OSPF: the hub tunnel address, both spoke tunnel
# addresses (present on the hub as connected /32 routes on the child
# interfaces, see the routing table below) and the hub LAN 30.30.30.0/24.
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.1 255.255.255.255
next
edit 3
set prefix 30.30.30.0 255.255.255.0
next
edit 4
set prefix 1.1.2.2 255.255.255.255
next
end
# Redistribution stanzas contain no 'set status enable', so presumably nothing
# is redistributed (default); the LAN prefix is advertised via 'config network'.
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
FortiGate dial-up client-1.
IPsec configuration.
# IKE phase 1 on dial-up client-1 (spoke). The spoke has a fixed remote
# gateway (the hub's port1 address) and, like the hub, uses 'net-device
# enable' and ADVPN auto-discovery. No 'type dynamic' here: the spoke
# initiates.
config vpn ipsec phase1-interface
edit "tunnel netdev"
set interface "port1"
# NOTE(review): 'peertype any' plus a PSK accepts any peer presenting the key;
# acceptable for a lab, worth narrowing in production.
set peertype any
set net-device enable
# NOTE(review): SHA-1 variants are still offered; keep the SHA-256 entries only
# if the hub supports them (it does, per the hub configuration above).
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
set remote-gw 192.168.175.156
# 'ENC ...' is the shared secret as stored by the authoring device; enter it
# in cleartext when reproducing this configuration.
set psksecret ENC aSZ+/ERBdQ6urLam6kH69xnKjPufcaP/f7c0Hcrdx2kb9j02Ox6gftQsHirvsN0OnQsw+rl1aR/zxriPCjH315zgW4JPJSR4RjMTrMeIIOlyYZBUHpXjuJF8wdov+9iY5FbWfubwsPB8DpOF3kKYOkKXJRelCICfKXNaQjoclYk9HMCNlglFlYO9KtgANqwdvpyvVQ==
next
end
# Phase 2 on client-1; same proposal list as the hub so that a common suite is
# always available. NOTE(review): consider dropping the SHA-1 CBC entries once
# the AEAD/SHA-256 suites are confirmed on both ends.
config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# Tunnel interface of client-1: 1.1.2.1/32 with the hub address (1.1.1.1/32)
# as the point-to-point remote.
config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.2.1 255.255.255.255
# NOTE(review): management access (including SSH and plain HTTP) is enabled on
# the tunnel address; restrict to what the hub side genuinely needs.
set allowaccess ping https ssh http
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 12
set interface "port1"
next
end
Firewall policy.
# Client-1 firewall policies between its LAN (port2) and the tunnel, both
# directions, 'all'/'all'/'ALL' accept with full logging.
# NOTE(review): lab-grade scope; narrow addresses and services in production.
config firewall policy
# LAN -> hub/other spokes
edit 1
set name "firewall1"
set uuid c65e873a-e916-51ea-8779-74634acc8726
set srcintf "port2"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
# hub/other spokes -> LAN
edit 2
set name "firewall 2"
set uuid d49ab134-e916-51ea-73a0-6c544c6a7779
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
OSPF configuration on FortiGate dial-up client-1.
# OSPF on client-1. Router ID equals its tunnel address (1.1.2.1).
config router ospf
set router-id 1.1.2.1
config area
edit 0.0.0.0
next
end
# Point-to-point on the tunnel, matching the hub side.
# NOTE(review): no OSPF interface 'authentication' is configured here either;
# it must match on both ends of the adjacency if enabled on the hub.
config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# Networks activating OSPF: hub tunnel address, own tunnel address and the
# client-1 LAN 40.40.40.0/24 (seen as 'O 40.40.40.0/24' on the hub).
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.1 255.255.255.255
next
edit 3
set prefix 40.40.40.0 255.255.255.0
next
end
# Redistribution stanzas are empty (no 'set status enable'), so presumably
# nothing is redistributed.
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
FortiGate dial-up client-2.
IPsec configuration.
# IKE phase 1 on dial-up client-2 (spoke); identical to client-1 apart from the
# stored shared secret. Same remote gateway (hub port1), 'net-device enable'
# and ADVPN auto-discovery.
config vpn ipsec phase1-interface
edit "tunnel netdev"
set interface "port1"
# NOTE(review): 'peertype any' plus a PSK accepts any peer presenting the key;
# acceptable for a lab, worth narrowing in production.
set peertype any
set net-device enable
# NOTE(review): SHA-1 variants are still offered; the hub supports SHA-256.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
set remote-gw 192.168.175.156
# 'ENC ...' is the shared secret as stored by the authoring device; enter it
# in cleartext when reproducing this configuration.
set psksecret ENC Wkb5Fvzp301Wr4ZUrR/V5QkeX/IGoEDBqbiQFPtxZgJ/qecI3PfCRXeUlaj1CREZIbBMqhyA9AKZN7o/peNpp+JdJ+7siUiJ/2kjZyarhlSjl+YSAhNoDV4LeRzfa6gfr20uMNr4MDWRQxjAbfE0M0WJZc0/w4/b70uiCDzEskl7amf6vVSLDhNLkoAzdg4gDt8tUg==
next
end
# Phase 2 on client-2; same proposal list as the hub and client-1.
# NOTE(review): consider dropping the SHA-1 CBC entries once the AEAD/SHA-256
# suites are confirmed on both ends.
config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# Tunnel interface of client-2: 1.1.2.2/32 with the hub address (1.1.1.1/32)
# as the point-to-point remote.
config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.2.2 255.255.255.255
# NOTE(review): management access (including SSH and plain HTTP) is enabled on
# the tunnel address; restrict to what the hub side genuinely needs.
set allowaccess ping https ssh http
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 12
set interface "port1"
next
end
Firewall policy.
# Client-2 firewall policies. Unlike client-1, neither policy sets
# 'logtraffic all' -- NOTE(review): add it for consistency with the other
# devices, otherwise tunnel traffic on this spoke is not logged.
config firewall policy
# -> tunnel. NOTE(review): srcintf is "port1" here, which is also the tunnel's
# underlay interface (client-1 uses its LAN "port2" for the equivalent
# policy and the return policy below uses "port2"); confirm this is intended.
edit 1
set name "firewall 1"
set uuid b7e234ec-e919-51ea-189d-109576fc3610
set srcintf "port1"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
# tunnel -> LAN (port2)
edit 2
set name "firewall 2"
set uuid c579f360-e919-51ea-3a1c-7e93acd5c09e
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
OSPF configuration on FortiGate dial-up client-2.
# OSPF on client-2. Router ID equals its tunnel address (1.1.2.2).
config router ospf
set router-id 1.1.2.2
config area
edit 0.0.0.0
next
end
# Point-to-point on the tunnel, matching the hub side.
# NOTE(review): no OSPF interface 'authentication' is configured here either;
# it must match on both ends of the adjacency if enabled on the hub.
config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# Networks activating OSPF: hub tunnel address, own tunnel address, client-1's
# tunnel address and the client-2 LAN 50.50.50.0/24 (seen as 'O 50.50.50.0/24'
# on the hub).
# NOTE(review): entry 3 (1.1.2.1/32) is client-1's address and is not configured
# on any client-2 interface; it is presumably a copy-over from client-1 and
# harmless, but confirm it is intended.
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.2 255.255.255.255
next
edit 3
set prefix 1.1.2.1 255.255.255.255
next
edit 4
set prefix 50.50.50.0 255.255.255.0
next
end
# Redistribution stanzas are empty (no 'set status enable'), so presumably
# nothing is redistributed.
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
Troubleshooting.
FortiGate dial-up server.
DIALUP_SERVER # get router info ospf stat
Routing Process "ospf 0" with ID 1.1.1.1
Process is not up
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 1
Number of LSA received 23
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 4(4)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:10:26.870 ago
SPF algorithm executed 6 times
Number of LSA 3. Checksum 0x01cbd0
DIALUP_SERVER # get router info ospf neig
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
1.1.2.1 1 Full/ - 00:00:30 1.1.2.1 tunnel netdev_0
1.1.2.2 1 Full/ - 00:00:32 1.1.2.2 tunnel netdev_1
DIALUP_SERVER # get router info routing-table ospf
Routing table for VRF=0
O 1.1.1.0/24 [110/100] via tunnel netdev, 04:29:40
O 40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:12:29
O 50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 04:29:00
DIALUP_SERVER # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.175.2, port1
O 1.1.1.0/24 [110/100] via tunnel netdev, 00:02:28
C 1.1.1.1/32 is directly connected, tunnel netdev
is directly connected, tunnel netdev_0
is directly connected, tunnel netdev_1
C 1.1.2.0/24 is directly connected, tunnel netdev
C 1.1.2.1/32 is directly connected, tunnel netdev_0
C 1.1.2.2/32 is directly connected, tunnel netdev_1
C 30.30.30.0/24 is directly connected, port2
O 40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:02:03
O 50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 00:02:03
C 192.168.175.0/24 is directly connected, port1
Other commands that can be used to troubleshoot OSPF are the following:
diag ip router ospf all enable
diag ip router ospf level info
diag debug enable
To stop the OSPF debugging:
diag debug disable
diag ip router ospf all disable
diag ip router ospf level none
To clear the OSPF process:
execute router clear ospf process
The key configuration difference compared with the iBGP-based setup (aside from the routing-protocol-specific configuration) is that the server has 'set net-device enable'.
This means that a separate dynamic interface, named 'tunnel-name_index#', is created for each user that dials into the server.
For OSPF to form an adjacency with each spoke, one dynamic interface per spoke is required.