Fortinet Forum
gilbertog
New Contributor

OSPF over IPSec VPN Tunnel

Hi everyone.

I'm having some issues with an OSPF over IPsec configuration.

I have two FTGs connected by a VPN tunnel running the OSPF routing protocol. They work properly when configured as in this guide: https://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

As you can see, in this document they configure Phase 2 of the VPN tunnel with 0.0.0.0 local and remote addresses. The thing is, we need to set these addresses as the company has them (previously we had the tunnels configured with a static route and the local and remote subnets established in Phase 2), but when we set this up there is no OSPF traffic, so no OSPF routes are shown in the routing table.

Thanks everyone.


6 REPLIES
emnoc
Esteemed Contributor III

Can you explain what the problem is? First, do you see OSPF between the two tunnels? (diag sniffer packet <interfacename> "dst net 224")

Do you have neighborship?

Are you redistributing static/connected/etc.?

Ken

PCNSE
NSE
StrongSwan

romanr
Valued Contributor

gilbertog wrote:

As you can see, in this document they configure Phase 2 of the VPN tunnel with 0.0.0.0 local and remote addresses. The thing is, we need to set these addresses as the company has them (previously we had the tunnels configured with a static route and the local and remote subnets established in Phase 2), but when we set this up there is no OSPF traffic, so no OSPF routes are shown in the routing table.

Hi,

if you are running this configuration from FortiGate to FortiGate I would strongly suggest switching to IP wildcard selectors on your IPsec phase 2! Otherwise you are making things unnecessarily complex.

If you are not setting your phase 2 selectors to wildcards (0.0.0.0/0), you need to set up additional phase 2 selectors that allow the OSPF multicasts to get through (e.g. 224.0.0.0/24 should be fine for both sides of the tunnel).

Also, the IP addresses of the tunnel interfaces must be reflected in your phase 2 settings...

Br,

Roman

Toshi_Esumi
Esteemed Contributor II

I agree with romanr. Then check OSPF neighboring with "get router info ospf neighbor" to see if it's established. You should see "FULL" as its state.

gilbertog

Thank you very much. This was the solution. I added a multicast address to both sides of the tunnels and it worked. Now there's full neighborship.

Also, just a question. The multicast IP address range is 224.0.0.0 - 239.255.255.255; would you recommend that I add this whole range to the configuration? (In the future there is an expectation of growing, to something like eight sites in a full mesh topology.) Or (as you said) will just 224.0.0.0/24 be fine for that?

Again, thank you very much.

emnoc
Esteemed Contributor III

224.0.0.5/6 are the two OSPF addresses; .6 would be if you have DR elections and a DR, which in a pt2pt is not a requirement.

Ken

PCNSE
NSE
StrongSwan

romanr
Valued Contributor

Hi,

Ken is right - 224.0.0.5 would be sufficient for a point-to-point connection.

I would stay with 224.0.0.0/24, as these are link-local only and must not be routed.

Really, using multicast over a VPN would need proper planning first...

Br,

Roman
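The selectors this thread converges on (Roman's advice to add a 224.0.0.0/24 selector and to reflect the tunnel interface addresses in phase 2, plus the later point that a point-to-point link only ever uses 224.0.0.5 and that the selector should not be widened beyond the link-local block), written out as a FortiOS CLI fragment for one side of the tunnel. This is an added illustration for the thread, not configuration from the original posters or from the Fortinet guide linked above: the tunnel and interface names, the peer address, the pre-shared key placeholder, the tunnel interface addresses (10.255.0.1 here, 10.255.0.2 at the far end, in 10.255.0.0/30) and the LAN prefixes (10.1.0.0/16 local, 10.2.0.0/16 remote) are all assumptions. It keeps the company's LAN-to-LAN selector, adds a tunnel-address-to-tunnel-address selector, and adds the 224.0.0.0/24 selector in both orientations, because under IPsec a decrypted inbound packet (the peer's Hello, sourced from 10.255.0.2 to 224.0.0.5) has to match a selector just as an outbound one does; whether your FortiOS build needs both orientations is something to confirm with the sniffer command from Ken's first reply. The far end mirrors every src-subnet and dst-subnet.

```fortios
# Site A (tunnel address 10.255.0.1). Site B is identical with the LAN prefixes,
# router-id and tunnel addresses swapped. All values are constructed for this example.

config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
end

config system interface
    edit "to-siteB"
        # Tunnel interface addresses: our OSPF Hellos are sourced from this address
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.252
    next
end

config vpn ipsec phase2-interface
    # The company's existing LAN-to-LAN selector. On its own it never matches
    # 10.255.0.1 -> 224.0.0.5, which is why no OSPF traffic crossed the tunnel.
    edit "to-siteB-lan"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    # Tunnel endpoint to tunnel endpoint: unicast OSPF packets (LSU retransmissions
    # go straight to the neighbor) and pings between the two routers.
    edit "to-siteB-p2p"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.255.0.0 255.255.255.252
        set dst-subnet 10.255.0.0 255.255.255.252
    next
    # Our Hellos: 10.255.0.1 -> 224.0.0.5. 224.0.0.0/24 is the link-local control
    # block (covers .5 and, if a DR were ever elected, .6). Do not widen it to
    # 224.0.0.0/4: that would pull every multicast group into the tunnel.
    edit "to-siteB-ospf-out"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.255.0.0 255.255.255.252
        set dst-subnet 224.0.0.0 255.255.255.0
    next
    # The peer's Hellos: 10.255.0.2 -> 224.0.0.5 arrive with the multicast
    # address on our side of the selector pair.
    edit "to-siteB-ospf-in"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 224.0.0.0 255.255.255.0
        set dst-subnet 10.255.0.0 255.255.255.252
    next
end

config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        # point-to-point: no DR/BDR election, so only 224.0.0.5 is ever used
        edit "to-siteB-ospf"
            set interface "to-siteB"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.252
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.0.0 255.255.0.0
            set area 0.0.0.0
        next
    end
end
```

To verify, `diagnose sniffer packet to-siteB 'dst net 224' 4` should show Hellos in both directions on the tunnel interface, and `get router info ospf neighbor` should list the peer's router-id in state Full; if the sniffer shows only your own Hellos leaving, the inbound orientation of the multicast selector is the first thing to check.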