jgauthier
New Contributor

OSPF over IPSEC Tunnels

Afternoon all, have any of you figured out a way to set up OSPF over IPsec tunnels for dialup clients (offsite FG80CM routers)? Been at this for a while... Thanks for your help, JF
rwpatterson
Valued Contributor III

I don't believe there is a way to accomplish that. I flipped a few routers from dynamic DNS to dialup when DYNDNS.com forced users to pay. Once that happened, the dialup clients no longer had a virtual interface to link to OSPF.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

HA
Contributor

Hello, this kind of configuration is supported (but I never tested it). I tried to upload the PDF file but it's too large.

On the server:

config vpn ipsec phase1-interface
    edit "server-P1"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret ENC <key>

On the client:

config vpn ipsec phase1-interface
    edit "client-p1"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.118.152
        set add-route disable
        set psksecret ENC <key>
    next

Regards, HA
Benoit_Rech_FTNT

Hello Antonio, I confirm that OSPF over an IPsec dialup tunnel is supported, but you need to adjust your configuration compared to a classical IPsec tunnel.

1/ In static mode, IP addresses are assigned to the IPsec tunnel (inner addresses), and then the OSPF neighbor relationship can form. OSPF routes are exchanged between the OSPF peers.

2/ In dynamic mode, there are no inner addresses assigned to the IPsec tunnel. An interface (<phase1>_<index>) is created, but this interface doesn't have an IP address. To solve that you need to use mode-cfg on the hub and on the spokes. The hub will act as an IP server. You also need to disable 'add-route', which is used to push the routes associated to the selectors.

For example:

              10.121.1.153
                   |
    [R1/HUB] - Loopback 10.2.1.153
                   | 172.31.193.153
               [Router]
                   | 172.31.225.185
    [R2/SPOKE] - Loopback 10.2.1.185
                   |
              10.84.1.185

Configuration on the HUB:

config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port3"
        set mode aggressive
        set mode-cfg enable                 <-------------------- to associate an IP address to the IPsec tunnel
        set proposal 3des-sha1 aes128-sha1
        set add-route disable               <-------------------- IMPORTANT, otherwise selectors from phase2 will be used.
        set ipv4-start-ip 192.168.255.0     <----- IP range.
        set ipv4-end-ip 192.168.255.255     <-----
        set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
    next
end

IP address assignment:

First dialer:  (local) 192.168.255.2 <-> (remote) 192.168.255.1
Second dialer: (local) 192.168.255.6 <-> (remote) 192.168.255.5
And so on...

You can check the address using 'diag ip address list | grep HUB'.

Hub:

R1 # diagnose ip address list | grep HUB
IP=192.168.255.2->192.168.255.2/255.255.255.252 index=62 devname=HUB_0
R1 #

Spoke:

R2 # diagnose ip address list | grep HUB
IP=192.168.255.1->192.168.255.1/255.255.255.252 index=14 devname=TO_HUB
R2 #

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 192.168.255.0 255.255.255.0
        next
        edit 2
            set prefix 10.2.1.153 255.255.255.255
        next
    end
    config ospf-interface
        edit "TO_SPOKE"
            set dead-interval 40
            set hello-interval 10
            set interface "HUB"
            set network-type point-to-point
        next
    end
    set router-id 10.2.1.153
end

----- on the spoke -----

config vpn ipsec phase1-interface
    edit "TO_HUB"
        set interface "port3"
        set mode aggressive
        set mode-cfg enable                 <------- will use an IP address for the tunnel
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.225.153
        set add-route disable               <--------------- IMPORTANT
        set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.2.1.185 255.255.255.255
        next
        edit 2
            set prefix 192.168.255.0 255.255.255.0
        next
    end
    config ospf-interface
        edit "TO_HUB"
            set dead-interval 40
            set hello-interval 10
            set interface "TO_HUB"
            set network-type point-to-point
        next
    end
    set router-id 10.2.1.185
end

----- On the hub, we can see the loopback from the spoke:

R1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.227.254, port3
C       10.2.1.153/32 is directly connected, R1_LOOPBACK
O       10.2.1.185/32 [110/200] via 192.168.255.1, HUB_0, 00:00:34     <------ through the IPsec tunnel
C       10.121.0.0/22 is directly connected, port1
C       172.31.224.0/22 is directly connected, port3
C       192.168.255.0/30 is directly connected, HUB_0
R1 #

--- and on the spoke, the loopback from the hub:

R2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.195.254, port3
O       10.2.1.153/32 [110/200] via 192.168.255.2, TO_HUB, 00:00:19     <----- loopback of the spoke through the tunnel
C       10.2.1.185/32 is directly connected, R2_LOOPBACK
C       10.84.0.0/22 is directly connected, port1
C       172.31.192.0/22 is directly connected, port3
C       192.168.255.0/30 is directly connected, TO_HUB
R2 #

-- For the network distribution, it's pure OSPF.

Benoit
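The reply above boils the requirement down to a handful of phase1-interface settings (mode-cfg on, add-route off, a dynamic hub with an ipv4-start-ip/ipv4-end-ip pool) and shows how mode-cfg carves that pool into one /30 per dialer. The script below is an added example, not Fortinet code and not something posted in this thread: it parses a phase1-interface block from a FortiOS configuration dump, reports which of those settings are missing for the hub or spoke role, and enumerates the /30 pairs the pool will yield. The sample configuration text is constructed from the values quoted in the thread (with the PSK replaced by a placeholder), and the pairing rule (hub takes the higher host of each /30, spoke the lower) is an assumption read off the two addresses Benoit observed, so check it against your own `diagnose ip address list` output before relying on it.

```python
"""Audit FortiOS dialup-IPsec phase1-interface blocks for the settings that
OSPF over a dialup tunnel needs, and enumerate the /30 pairs a mode-cfg pool
hands out. Added example; the sample config text below is constructed."""
import ipaddress
import re

# Constructed sample: the hub phase1-interface as quoted in the thread.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port3"
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set add-route disable
        set ipv4-start-ip 192.168.255.0
        set ipv4-end-ip 192.168.255.255
        set psksecret ENC <placeholder>
    next
end
"""

# Constructed sample: a spoke that forgot 'set add-route disable'.
BAD_SPOKE_CONFIG = """
config vpn ipsec phase1-interface
    edit "TO_HUB"
        set interface "port3"
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.225.153
        set psksecret ENC <placeholder>
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_phase1(text):
    """Return {entry_name: {setting: value}} for every 'edit' entry in the block."""
    entries, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('edit '):
            current = stripped[5:].strip().strip('"')
            entries[current] = {}
        elif stripped == 'next':
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def audit_phase1(settings, role):
    """Return the list of problems for one phase1 entry; role is 'hub' or 'spoke'."""
    problems = []
    if settings.get('mode-cfg') != 'enable':
        problems.append('mode-cfg must be enabled so the tunnel interface gets an IP address')
    if settings.get('add-route') != 'disable':
        problems.append('add-route must be disabled, otherwise phase2 selectors are installed as routes')
    if role == 'hub':
        if settings.get('type') != 'dynamic':
            problems.append('hub phase1 must be type dynamic to accept dialup peers')
        if 'ipv4-start-ip' not in settings or 'ipv4-end-ip' not in settings:
            problems.append('hub needs ipv4-start-ip/ipv4-end-ip so mode-cfg has a pool to assign from')
    elif 'remote-gw' not in settings:
        problems.append('spoke needs remote-gw pointing at the hub')
    return problems


def dialer_pairs(start_ip, end_ip, count):
    """First `count` (hub, spoke) address pairs from the pool, one /30 per dialer.
    Assumption: the hub end is the upper host of each /30 (.2, .6, ...) and the
    spoke end the lower one (.1, .5, ...), as observed in the thread."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    pairs = []
    for i in range(count):
        base = start + 4 * i
        if base + 3 > end:           # pool exhausted
            break
        pairs.append((str(ipaddress.IPv4Address(base + 2)),
                      str(ipaddress.IPv4Address(base + 1))))
    return pairs


if __name__ == '__main__':
    hub = parse_phase1(HUB_CONFIG)['HUB']
    print('hub problems:', audit_phase1(hub, 'hub') or 'none')
    spoke = parse_phase1(BAD_SPOKE_CONFIG)['TO_HUB']
    print('spoke problems:', audit_phase1(spoke, 'spoke') or 'none')
    for n, (h, s) in enumerate(dialer_pairs(hub['ipv4-start-ip'], hub['ipv4-end-ip'], 3), 1):
        print(f'dialer {n}: hub {h} <-> spoke {s}')
```

Run it against `show vpn ipsec phase1-interface` output copied from each unit; the spoke sample deliberately omits `add-route disable`, which is exactly the misconfiguration that leaves the phase2 selectors competing with the OSPF-learned routes.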