No OSPF Interface showed

gilbertog · ‎06-01-2018

Hello,

Actually we are moving on a dynamic VPN tunnels topology. We configured site A with B tunnel successfully, with OSPF over IPSec configuration. Then, we started to configure site A with C, but when we finished, no route was added. We did exactly the same we did between sites A - B, but no same result.

Trying to resolve this, we did a get router info ospf interface and there is not the tunnels interfaces listed on both sites, just A - B interfaces and internal routing, but then we made an get router info protocols and there are listed network prefixes for sites A - B.

Checking everything, is the same configuration on both cases, but one works but the other doesn't.

I appreciate your answers. Thanks.

ericli_FTNT · ‎06-04-2018

Hi, here is my test based on your config. I simplified some parts:

FGT_A：

VPN setting:

FGT_A # sh vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "to_B"
        set interface "vlan40"
        set peertype any
        set proposal 3des-sha1 3des-md5
        set localid "MAPLANTAVLN"
        set dhgrp 2
        set remote-gw 192.168.4.130
        set psksecret ENC sKgwI+Rr4ARv5YyTc6q3VU9HrY+L1RT/L1PJmtLaeMd78quVm9zuUfvkTj5ycj0UCwWauxml70VQ+vXIZWZ29HEEydWqpUFEcL1iZvU1DOlO9bJDrVzDKtOgs8Ohk6YTa7p55FBlHvGqL73oszcWuQklFHHtQXFjFRzsRl8Kt6NwpXtZuMe/KX44igmS+O7HqZb3Bw==
    next
end

FGT_A # sh vpn ipsec phase2-interface 
config vpn ipsec phase2-interface
    edit "to_B_2"
        set phase1name "to_B"
        set proposal 3des-sha1 3des-md5
        set dhgrp 2
        set auto-negotiate enable
    next
end

Firewall Policy allow IKE from phase1 interface to real interface:

FGT_A # sh firewall policy 1 
config firewall policy
    edit 1
        set uuid f8a4d0c0-6847-51e8-47fb-bb7c6bd25ab2
        set srcintf "to_B"
        set dstintf "vlan40"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Tunnel interface:

FGT_A # sh sys int to_B 
config system interface
    edit "to_B"
        set vdom "root"
        set ip 10.10.10.132 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.130 255.255.255.255
        set snmp-index 57
        set interface "vlan40"
    next
end

OSPF:

FGT_A # sh router ospf 
config router ospf
    set router-id 10.10.10.132
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "to_B"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.132 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end 
    config redistribute "isis"
    end
end

OSPF interface is up, which means that it's sending hello to 224.0.0.5 and listen to hello:

FGT_A # get router info ospf interface 
to_B is up, line protocol is up
  Internet Address 10.10.10.132/32, Area 0.0.0.0, MTU 1446
  Process ID 0, Router ID 10.10.10.132, Network Type POINTOPOINT, Cost: 100
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 0
  Crypt Sequence Number is 9910
  Hello received 1 sent 1, DD received 0 sent 1
  LS-Req received 0 sent 0, LS-Upd received 0 sent 0
  LS-Ack received 0 sent 0, Discarded 0

Now OSPF neighbor is up:

FGT_A # get router info ospf neighbor 

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.10.10.130 1 Full/ - 00:00:33 10.10.10.130 to_B

Same output on FGT_B is ready for you.

PS:

Double check:

sh sys int gw_KP_WAN1xWAN2, I guess something wrong at this part.

View solution in original post

ericli_FTNT · ‎06-11-2018

Glad to hear that! NP.

View solution in original post

gilbertog · ‎06-04-2018

Thanks a lot! I appreciate it.

emnoc · ‎06-04-2018

Did you run any diag sniffer packet < tunnel name > and look for ospf-adj traffic ?

Ken

PCNSE

NSE

StrongSwan

ericli_FTNT · ‎06-04-2018

Hi, here is my test based on your config. I simplified some parts:

FGT_A：

VPN setting:

FGT_A # sh vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "to_B"
        set interface "vlan40"
        set peertype any
        set proposal 3des-sha1 3des-md5
        set localid "MAPLANTAVLN"
        set dhgrp 2
        set remote-gw 192.168.4.130
        set psksecret ENC sKgwI+Rr4ARv5YyTc6q3VU9HrY+L1RT/L1PJmtLaeMd78quVm9zuUfvkTj5ycj0UCwWauxml70VQ+vXIZWZ29HEEydWqpUFEcL1iZvU1DOlO9bJDrVzDKtOgs8Ohk6YTa7p55FBlHvGqL73oszcWuQklFHHtQXFjFRzsRl8Kt6NwpXtZuMe/KX44igmS+O7HqZb3Bw==
    next
end

FGT_A # sh vpn ipsec phase2-interface 
config vpn ipsec phase2-interface
    edit "to_B_2"
        set phase1name "to_B"
        set proposal 3des-sha1 3des-md5
        set dhgrp 2
        set auto-negotiate enable
    next
end

Firewall Policy allow IKE from phase1 interface to real interface:

FGT_A # sh firewall policy 1 
config firewall policy
    edit 1
        set uuid f8a4d0c0-6847-51e8-47fb-bb7c6bd25ab2
        set srcintf "to_B"
        set dstintf "vlan40"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Tunnel interface:

FGT_A # sh sys int to_B 
config system interface
    edit "to_B"
        set vdom "root"
        set ip 10.10.10.132 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.130 255.255.255.255
        set snmp-index 57
        set interface "vlan40"
    next
end

OSPF:

FGT_A # sh router ospf 
config router ospf
    set router-id 10.10.10.132
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "to_B"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.132 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end 
    config redistribute "isis"
    end
end

OSPF interface is up, which means that it's sending hello to 224.0.0.5 and listen to hello:

FGT_A # get router info ospf interface 
to_B is up, line protocol is up
  Internet Address 10.10.10.132/32, Area 0.0.0.0, MTU 1446
  Process ID 0, Router ID 10.10.10.132, Network Type POINTOPOINT, Cost: 100
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 0
  Crypt Sequence Number is 9910
  Hello received 1 sent 1, DD received 0 sent 1
  LS-Req received 0 sent 0, LS-Upd received 0 sent 0
  LS-Ack received 0 sent 0, Discarded 0

Now OSPF neighbor is up:

FGT_A # get router info ospf neighbor 

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.10.10.130 1 Full/ - 00:00:33 10.10.10.130 to_B

Same output on FGT_B is ready for you.

PS:

Double check:

sh sys int gw_KP_WAN1xWAN2, I guess something wrong at this part.

gilbertog · ‎06-11-2018

Thank you very much and so sorry for delay in answer. I'll try it, will let you know results.

rwpatterson · ‎06-11-2018

Do a "show full config" on the OSPF interface from the CLI. The MTU may be zero. That happened in older versions of code and it prevented anything from working.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

gilbertog · ‎06-11-2018

We made it.

It was a problem with the interface. We were working on web environment and, maybe it's a bug, it did not set remote IP on the interface. Just did in the CLI and worked.

Thanks a lot to you and everyone who helped.

ericli_FTNT · ‎06-11-2018

Glad to hear that! NP.