FortiGate
lestopace (Staff)
Article Id 192538

Description


This article describes how to establish multiple OSPF neighbors on a single IPsec dial-up tunnel (with 'net-device disable').

The setup consists of a single hub and several spoke sites, each spoke using a static IP address on its tunnel interface.

When upgrading from a FortiOS version that does not have the 'net-device' setting, 'set net-device enable' is added to every dial-up phase1.

This is done to retain the former dial-up behaviour of creating a dynamic interface for each dialer.

However, for stability reasons, it is strongly recommended to switch to the new dial-up behaviour with 'set net-device disable'.

Solution


Settings.

                 Hub                      Spoke 1                  Spoke 2
Port2 (WAN):     172.19.19.1/24           172.19.19.2/24           172.19.19.3/24
Port3 (LAN):     10.40.40.1/24            10.41.41.1/24            10.42.42.1/24
Tunnel:          HQ 172.30.65.1/32        BR-1 172.30.65.2/32      BR-1 172.30.65.3/32

Hub Configuration.

Hub – IPsec VPN configuration:

# config vpn ipsec phase1-interface
    edit "HQ"
        set type dynamic
        set interface "port2"
        set mode aggressive
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set tunnel-search nexthop
        set psksecret ENC cV4mkWIvFFBKsmO6dt4WGZu6gykqo19Q9pcrox0S3qv79M9h19hMStFKYP94cjV/QUmUEU2oNhxc5wnp0rhZNvjYNWBskF2L8naw0/a9Z747gvsiPYndgYZ
cMA8D2i+3FQbnFjgsrutKg1bBfUpHPa996AvVqDTn1BCCMD+J9N3ceNwEGLPGizELlvUYpJva+owZxw==  
        set dpd-retryinterval 60
    next
end
# config vpn ipsec phase2-interface
    edit "HQ"
        set phase1name "HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end
# config system interface
    edit "HQ"
        set vdom "root"
        set ip 172.30.65.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.30.65.254 255.255.255.0
        set interface "port2"
    next
end

Hub – Firewall Policy configuration:

# config firewall policy
    edit 0
        set name "VPN_To_LAN"
        set srcintf "HQ"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LAN_To_VPN"
        set srcintf "port3"
        set dstintf "HQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Hub – OSPF configuration:

# config router ospf
    set router-id 172.30.65.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "HQ"
            set interface "HQ"
            set mtu-ignore enable
            set network-type point-to-multipoint
        next
    end
    config network
        edit 0
            set prefix 172.30.65.0 255.255.255.0
        next
        edit 0
            set prefix 10.40.40.0 255.255.255.0
        next
    end
end

Spoke Configuration.

Spoke – IPsec VPN configuration:

# config vpn ipsec phase1-interface
    edit "BR-1"
        set interface "port2"
        set mode aggressive
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.19.19.1
        set psksecret ENC ePO47+mKAtKZSljiMs/2GTRCIc6GSa5xXjworVcP9oAKVVEJWLyjEBmN5p+oDM+SiJYePQ7OmC1yI+qSPJeV8u579aOjzTrYOLhX3wbgE58eqpEaKbWtCl0
j036KncqxIXJracMDw+ZrhPQkQwA/kDkVFqqGAnpwEEOOPy4NGhftAg5OpxodBbEDFy20YrIjztd06Q==
    next
end
# config vpn ipsec phase2-interface
    edit "BR-1"
        set phase1name "BR-1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
    next
end

# config system interface
    edit "BR-1"
        set vdom "root"
        set ip 172.30.65.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.30.65.1 255.255.255.0
        set interface "port2"
    next
end

Spoke – Firewall Policy configuration:

# config firewall policy
    edit 0
        set name "VPN_To_LAN"
        set srcintf "BR-1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LAN_To_VPN"
        set srcintf "port3"
        set dstintf "BR-1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Spoke – OSPF configuration:

# config router ospf
    set router-id 172.30.65.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "BR-1"
            set interface "BR-1"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.30.65.0 255.255.255.0
        next
        edit 2
            set prefix 10.41.41.0 255.255.255.0
        next
    end
end

Results.

HUB: [screenshot of the results on the hub]

Note.


Setting 'tunnel-search nexthop' on the dial-up VPN phase1 is required when dynamic routing is used with 'net-device disable'; leaving it out causes problems, as the result below shows.
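As an added illustration (not part of the original article), the following Python script parses FortiOS CLI blocks in the layout used above and reports every dial-up phase1 interface that carries OSPF but lacks 'set tunnel-search nexthop', still has 'net-device enable', or whose OSPF interface is not point-to-multipoint on the hub. The sample config, the parser and the check are constructed here; treating an absent net-device line as the default 'disable' is an assumption.

```python
from collections import defaultdict
# Constructed hub-side sample in the article's layout; tunnel-search is left out on purpose.
HUB_CFG = """\
config vpn ipsec phase1-interface
    edit "HQ"
        set type dynamic
    next
end
config router ospf
    config ospf-interface
        edit "HQ"
            set interface "HQ"
            set network-type point-to-multipoint
        next
    end
end
"""

def parse(text):
    """Minimal FortiOS CLI parser -> {table path: {entry: {key: value}}}."""
    tables, path, entry = defaultdict(dict), [], []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        kw, _, rest = line.partition(" ")
        if kw == "config":
            path.append(rest)            # nested tables are keyed 'outer/inner'
        elif kw == "edit":
            entry.append(rest.strip('"'))
            tables["/".join(path)].setdefault(entry[-1], {})
        elif kw == "set" and entry:      # table-level 'set' lines are ignored
            k, _, v = rest.partition(" ")
            tables["/".join(path)][entry[-1]][k] = v.strip('"')
        elif kw == "next":
            entry.pop()
        elif kw == "end":
            path.pop()
    return tables

def audit(cfg):
    """Findings for dial-up phase1 interfaces that carry OSPF (the Note above)."""
    findings, p1 = [], cfg.get("vpn ipsec phase1-interface", {})
    for o in cfg.get("router ospf/ospf-interface", {}).values():
        name, p = o.get("interface"), p1.get(o.get("interface"), {})
        if p.get("type") == "dynamic":   # only dial-up tunnels are in scope
            if p.get("net-device") == "enable":  # absent = default disable (assumption)
                findings.append(f"{name}: net-device enable; switch to disable")
            if p.get("tunnel-search") != "nexthop":
                findings.append(f"{name}: add 'set tunnel-search nexthop' for dynamic routing")
            if o.get("network-type") != "point-to-multipoint":
                findings.append(f"{name}: hub OSPF interface should be point-to-multipoint")
    return findings
```

Run `audit(parse(open("hub.conf").read()))` against a saved CLI backup to get the list of findings, which is empty when the hub matches the configuration shown in this article.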

 

Results when 'tunnel-search nexthop' is not implemented:

[screenshot of the results on the hub without 'tunnel-search nexthop']

Related Articles.

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Setting up 2 OSPF neighbors on Single dial-up IPsec tunnel

Technical Tip: Dynamic dial-up VPN with OSPF