Dialup User IPSec VPN with dynamic routing enabled (OSPF)

Michael_Boskovic · ‎07-28-2014

Hi, Has anyone ever attempted and been successful at creating a dialup user IPSec VPN tunnel and getting OSPF to work across the tunnel? I have a remote site with two Internet connections: 1 with a static IP and the backup ISP service which only provides a dynamic public IP. Our ideal solution is to have an IPSec VPN tunnel over both links back to the head office and run OSPF over each tunnel for failover. Our issue is that when I create a dialup user VPN for the dynamic IP, it creates a connected route in the routing table that is preferred over the OSPF route and thus the primary IPSec VPN tunnel. I was able to get everything to work using DDNS, instead of dialup user, but I prerfer not to create a DDNS entry for all our remote sites.

Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA

Istvan_Takacs_FTNT · ‎08-10-2014

Hi Michael, I' m interested to know how you solved this issue. To my knowledge you need to define static OSPF neighbors to advertise OSPF routes over a point-to-point network. This lets you broadcast OSPF advertisements across an existing VPN connection. Not sure how else you could specify those neighbors than DDNS since they receive dynamic IPs. Thanks!

Benoit_Rech_FTNT · ‎08-11-2014

Hello, I confirm that OSPF over IPsec dialup tunnel is supported, but you need to adjust your configuration compare to classical IPsec tunnel 1/ In static mode, IP addresses are assigned to the IPsec tunnel (inner addresses), and then the OSPF neighbor relationship can form. OSPF Routes are exchanged between the OSPF peers. 2/ In dynamic mode, there is no inner addresses that are assigned to the IPsec tunnel. An interface (<phase1>_<index>) is created, but this interface doesn' t have an IP address. To solve that you need to use mode-cfg on the hub and on the spokes. The hub will act as an IP server. You also need to disable the ' add-route' which is used to push the routes associated to the selectors. For example: 10.121.1.153 | [R1/HUB]-Loopback 10.2.1.153 172.31.193.153 | Router | 172.31.225.185 [R2/SPOKE]-loopback 10.2.1.185 10.84.1.185 Configuration on the HUB: config vpn ipsec phase1-interface edit " HUB" set type dynamic set interface " port3" set mode aggressive set mode-cfg enable <-------------------- to associate IP address to the IPsec tunnel set proposal 3des-sha1 aes128-sha1 set add-route disable <-------------------- IMPORTANT, otherwise selectors from phase2 will be used. set ipv4-start-ip 192.168.255.0 <----- ip range. set ipv4-end-ip 192.168.255.255 <----- set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg== next end IP address assignement: First dialer : (local)192.168.255.2 â†” (remote)192.168.255.1 Second dialer : (local)192.168.255.6 â†” (remote)192.168.255.5 And so on... You can check the address using ' diag ip address list | grep HUB' hub: R1 # diagnose ip address list | grep HUB IP=192.168.255.2->192.168.255.2/255.255.255.252 index=62 devname=HUB_0 R1 # spoke: R2 # diagnose ip address list | grep HUB IP=192.168.255.1->192.168.255.1/255.255.255.252 index=14 devname=TO_HUB R2 # config router ospf config area edit 0.0.0.0 next end config network edit 1 set prefix 192.168.255.0 255.255.255.0 next edit 2 set prefix 10.2.1.153 255.255.255.255 next end config ospf-interface edit " TO_SPOKE" set dead-interval 40 set hello-interval 10 set interface " HUB" set network-type point-to-point next end set router-id 10.2.1.153 end ----- on the spoke ----- config vpn ipsec phase1-interface edit " TO_HUB" set interface " port3" set mode aggressive set mode-cfg enable <------- will use a IP address to the tunnel set proposal 3des-sha1 aes128-sha1 set remote-gw 172.31.225.153 set add-route disable <--------------- IMPORTANT set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg== next end config router ospf config area edit 0.0.0.0 next end config network edit 1 set prefix 10.2.1.185 255.255.255.255 next edit 2 set prefix 192.168.255.0 255.255.255.0 next end config ospf-interface edit " TO_HUB" set dead-interval 40 set hello-interval 10 set interface " TO_HUB" set network-type point-to-point next end set router-id 10.2.1.185 end ----- On the hub, we can see the loopback from the spoke: R1 # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [10/0] via 172.31.227.254, port3 C 10.2.1.153/32 is directly connected, R1_LOOPBACK O 10.2.1.185/32 [110/200] via 192.168.255.1, HUB_0, 00:00:34 <------ through the IPsec tunnel C 10.121.0.0/22 is directly connected, port1 C 172.31.224.0/22 is directly connected, port3 C 192.168.255.0/30 is directly connected, HUB_0 is directly connected, HUB_0 R1 # --- and on the spoke, the loopback from the hub: R2 # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [10/0] via 172.31.195.254, port3 O 10.2.1.153/32 [110/200] via 192.168.255.2, TO_HUB, 00:00:19 <----- loopback of the spoke through the tunnel C 10.2.1.185/32 is directly connected, R2_LOOPBACK C 10.84.0.0/22 is directly connected, port1 C 172.31.192.0/22 is directly connected, port3 C 192.168.255.0/30 is directly connected, TO_HUB is directly connected, TO_HUB R2 # -- For the network distribution, it' s pure OSPF. Benoit