Hello,
Actually, we are moving to a dynamic VPN tunnel topology. We configured the site A to site B tunnel successfully, with OSPF over IPsec. Then we started to configure site A to site C, but when we finished, no route was added. We did exactly what we did between sites A and B, but did not get the same result.
Trying to resolve this, we ran get router info ospf interface and the tunnel interfaces are not listed on either site, just the A - B interfaces and internal routing; but then we ran get router info protocols and the network prefixes for sites A - B are listed there.
Checking everything, the configuration is the same in both cases, but one works and the other doesn't.
I appreciate your answers. Thanks.
Hi, here is my test based on your config. I simplified some parts:
FGT_A:
VPN setting:
FGT_A # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "to_B"
set interface "vlan40"
set peertype any
set proposal 3des-sha1 3des-md5
set localid "MAPLANTAVLN"
set dhgrp 2
set remote-gw 192.168.4.130
set psksecret ENC sKgwI+Rr4ARv5YyTc6q3VU9HrY+L1RT/L1PJmtLaeMd78quVm9zuUfvkTj5ycj0UCwWauxml70VQ+vXIZWZ29HEEydWqpUFEcL1iZvU1DOlO9bJDrVzDKtOgs8Ohk6YTa7p55FBlHvGqL73oszcWuQklFHHtQXFjFRzsRl8Kt6NwpXtZuMe/KX44igmS+O7HqZb3Bw==
next
end
FGT_A # sh vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "to_B_2"
set phase1name "to_B"
set proposal 3des-sha1 3des-md5
set dhgrp 2
set auto-negotiate enable
next
end
Firewall policy allowing IKE from the phase1 interface to the real interface:
FGT_A # sh firewall policy 1
config firewall policy
edit 1
set uuid f8a4d0c0-6847-51e8-47fb-bb7c6bd25ab2
set srcintf "to_B"
set dstintf "vlan40"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
Tunnel interface:
FGT_A # sh sys int to_B
config system interface
edit "to_B"
set vdom "root"
set ip 10.10.10.132 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.10.10.130 255.255.255.255
set snmp-index 57
set interface "vlan40"
next
end
OSPF:
FGT_A # sh router ospf
config router ospf
set router-id 10.10.10.132
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "1"
set interface "to_B"
set network-type point-to-point
next
end
config network
edit 1
set prefix 10.10.10.132 255.255.255.255
next
end
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
OSPF interface is up, which means that it's sending hellos to 224.0.0.5 and listening for hellos:
FGT_A # get router info ospf interface
to_B is up, line protocol is up
Internet Address 10.10.10.132/32, Area 0.0.0.0, MTU 1446
Process ID 0, Router ID 10.10.10.132, Network Type POINTOPOINT, Cost: 100
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Neighbor Count is 1, Adjacent neighbor count is 0
Crypt Sequence Number is 9910
Hello received 1 sent 1, DD received 0 sent 1
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0
Now OSPF neighbor is up:
FGT_A # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.10.10.130 1 Full/ - 00:00:33 10.10.10.130 to_B
Same output on FGT_B is ready for you.
PS:
Double check:
sh sys int gw_KP_WAN1xWAN2, I guess something is wrong at this part.
Thanks a lot! I appreciate it.
Did you run any diag sniffer packet <tunnel name> and look for ospf-adj traffic?
Ken
PCNSE
NSE
StrongSwan
Thank you very much and so sorry for delay in answer. I'll try it, will let you know results.
Do a "show full config" on the OSPF interface from the CLI. The MTU may be zero. That happened in older versions of code and it prevented anything from working.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
We made it.
It was a problem with the interface. We were working in the web environment and, maybe it's a bug, it did not set the remote IP on the interface. We just did it in the CLI and it worked.
Thanks a lot to you and everyone who helped.
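The two checks this thread ends up pointing at (a tunnel interface whose remote-ip was never set, and Bob's zero-MTU case) as a small Python parser over FortiGate CLI output; this is an added example, not the poster's or Fortinet's code, and both the interface listing and the OSPF interface output are constructed samples modelled on the thread.

```python
import re

# Constructed "show system interface" output (thread scenario): to_C was made in the GUI and has no remote-ip.
SAMPLE_SYS_INT = """\
    edit "to_B"
        set ip 10.10.10.132 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.130 255.255.255.255
    next
    edit "to_C"
        set ip 10.10.10.134 255.255.255.255
        set type tunnel
    next
"""
# Constructed "get router info ospf interface" output with one zero-MTU case.
SAMPLE_OSPF_INT = """\
to_B is up, line protocol is up
  Internet Address 10.10.10.132/32, Area 0.0.0.0, MTU 1446
to_C is up, line protocol is up
  Internet Address 10.10.10.134/32, Area 0.0.0.0, MTU 0
"""

def parse_interfaces(text):
    """Return {name: {setting: value}} for each edit block of the output."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif current and (m := re.match(r"set (\S+)\s+(.*)", line)):
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces

def tunnels_missing_remote_ip(text):
    """Tunnel interfaces with no remote-ip: a /32 point-to-point OSPF adjacency over them never forms."""
    return sorted(n for n, s in parse_interfaces(text).items()
                  if s.get("type") == "tunnel" and "remote-ip" not in s)

def ospf_interfaces_with_zero_mtu(text):
    """Interfaces that 'get router info ospf interface' reports with MTU 0."""
    bad, name = [], None
    for line in text.splitlines():
        if m := re.match(r"(\S+) is (?:up|down), line protocol", line):
            name = m.group(1)
        m = re.search(r"\bMTU (\d+)\b", line)
        if m and name and int(m.group(1)) == 0:
            bad.append(name)
    return bad
```

Feed it the real output of "show system interface" and "get router info ospf interface" from each FortiGate to spot the tunnel that will never bring up its OSPF neighbor.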
Glad to hear that! NP.
Copyright 2024 Fortinet, Inc. All Rights Reserved.