Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jm-barreto
New Contributor III

Created on ‎05-04-2023 06:52 PM

OSPF with vxlan over IPSec

Hi

 

I have 2 remote site router connected using vxlan over ipsec. I can ping, telnet and ssh between the routers. I want to do an ospf adjacency between them but even though they ping, the neighborship won't come up. When I debug ospf I see that ospf is sending hello packets on both routers but they don't receive any. I'm allowing all between the vxlan and vlan in the firewall policy. It's as if multicast traffic is being block. 

 

And I want to know if is possible to get an adjacency between the routers using vxlan over ospf. 

 

 

 

 

JBC
JBC
Labels:
4023
0 Kudos
2 Solutions
aguerriero
Contributor II

Created on ‎05-11-2023 05:25 PM Edited on ‎05-11-2023 06:05 PM

Create a multicast policy and allow the ospf address 224.0.0.5/224.0.0.6 depending on your network type.

 

Also link local multicast like an ospf hello has a TTL of 1. You may also need to set the fortigate to not decrement the TTL.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/968606/multicast-processing-and-basic-mu...

View solution in original post

3891
jm-barreto
New Contributor III
In response to aguerriero

Created on ‎05-11-2023 08:03 PM

Hi @aguerriero 

 

Thanks for the info. That what I was missing. I created the policy and its working. 

JBC

View solution in original post

JBC
3879
0 Kudos
10 REPLIES 10
aionescu
Staff
Staff

Created on ‎05-05-2023 01:40 AM

Hi @jm-barreto, welcome to the community.

Can you share with us the ospf configuration?

Also, please update us with the output of the get router info ospf neighbor command and of the ones from https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-check-OSPF-packets-flow-with-functi...

 

 

3577
akristof
Staff
Staff

Created on ‎05-05-2023 05:13 AM

Hello,

I just want to add, vxlan is capable of carrying broadcast and multicast, that's its purpose. But depends how Vxlan over ipsec is configured, if you are using VTEPs, if you are using virtual-wire-pair or software switch and if you are trying establish ospf adjacency between FortiGates directly or between some devices in local networks.

Adrian
3568
0 Kudos
jm-barreto
New Contributor III
In response to akristof

Created on ‎05-05-2023 12:35 PM

Hi @akristof @aionescu 

This is my lab
Screenshot 2023-05-05 153055.png

 I want OSPF on the routers not on the fortigate.

Here is my configuration


HUB

config vpn ipsec phase1-interface
edit "MASTER"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set dpd on-idle
set psksecret XXXXX
set dpd-retryinterval 60
next
end

config vpn ipsec phase2-interface
edit "MASTER"
set phase1name "MASTER"
set proposal aes128-sha256
next
end

config system interface
edit "internal2"
set vdom "root"
set type physical
set alias "MAIN TRUNK TO SW G0/1"
set device-identification enable
set lldp-transmission enable
set snmp-index 10
next

edit "VLAN20"
set vdom "root"
set alias "20"
set device-identification enable
set role lan
set snmp-index 24
set interface "internal2"
set vlanid 20
next

edit "vxlan20"
set vdom "root"
set type vxlan
set snmp-index 19
set interface "MASTER"
next

config system switch-interface
edit "VXLAN20"
set vdom "root"
set member "VLAN20" "vxlan20"
next
end

config firewall policy

edit 2
set name "vpn"
set uuid 084eddfc-e92d-51ed-ba85-2fefd7d70152
set srcintf "MASTER"
set dstintf "MASTER"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 3
set name "VXLAN20"
set uuid 5c77cd10-ea79-51ed-8532-f53e2788e47e
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next

 

---------------------------------------------------------------------------------------------------------------

SPOKE


config vpn ipsec phase1-interface
edit "VPN-REMOTE-1"
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set localid "REMOTE1"
set remote-gw x.x.x.x
set psksecret XXXX
next
end


config vpn ipsec phase2-interface
edit "VPN-REMOTE-1"
set phase1name "VPN-REMOTE-1"
set proposal aes128-sha256
set auto-negotiate enable
set src-subnet 192.168.255.2 255.255.255.255
next
end

config system interface
edit "internal2"
set vdom "root"
set type physical
set alias "REMOTE2 TO SW G0/1"
set snmp-index 10
next
end

config system interface
edit "VLAN20"
set vdom "root"
set alias "20"
set device-identification enable
set role lan
set snmp-index 17
set interface "internal2"
set vlanid 20
next
end

config system interface
edit "VPN-REMOTE-1"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.1 255.255.255.0
set snmp-index 18
set interface "wan1"
next
end

config system interface
edit "vxlan20"
set vdom "root"
set type vxlan
set snmp-index 19
set interface "VPN-REMOTE-1"
next
end

config system switch-interface
edit "VXLAN20-SW"
set vdom "root"
set member "vxlan20" "VLAN20"
set intra-switch-policy explicit
next
end

config firewall policy
edit 3
set name "VXLAN20"
set uuid 2ec00ac8-ea78-51ed-9df2-b59fd250f581
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

JBC
JBC
3520
0 Kudos
aionescu
Staff
Staff
In response to jm-barreto

Created on ‎05-08-2023 02:14 AM

Hi, can you share the output of the following commands, ran on both FortiGates.

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr x.x.x.x <------------where x.x.x.x is the IP of an OSPF router
diagnose debug flow trace start 1000
diagnose debug enable

To disable the debug:
diagnose debug disable
diagnose debug reset

3513
0 Kudos
jm-barreto
New Contributor III

Created on ‎05-05-2023 12:40 PM

I use dynamic vpn for fast deployment of the remote site because sometime I don't have access to the remote IP information.

JBC
JBC
3556
0 Kudos
Christian_89
Contributor III

Created on ‎05-06-2023 12:24 AM

If you are unable to establish an OSPF adjacency between two remote site routers connected using VXLAN over IPsec, despite being able to ping, telnet, and SSH between them, it's possible that the issue is related to multicast traffic being blocked.

OSPF relies on multicast traffic for neighbor discovery and exchange of routing information. If multicast traffic is blocked, OSPF packets will not be received, which could prevent the OSPF adjacency from being established.

To resolve the issue, you may need to ensure that multicast traffic is allowed to pass between the routers over the VXLAN tunnel. This may involve checking firewall policies and ensuring that multicast routing is properly configured.

Additionally, you may want to verify that the OSPF settings on both routers are correctly configured, including the OSPF network type and interface settings. For example, if the OSPF network type is set to point-to-point, but the interface is actually configured as broadcast, this could prevent the OSPF adjacency from being established.

As for your question about establishing an adjacency between the routers using VXLAN over OSPF, it is possible to use OSPF over VXLAN, provided that the OSPF network type and interface settings are properly configured. However, keep in mind that VXLAN encapsulates layer 2 traffic over layer 3 networks, so the OSPF adjacency will need to be established over the VXLAN tunnel interface rather than the physical interface.

3545
0 Kudos
Corriero-ITV
New Contributor

Created on ‎05-11-2023 08:44 AM

Check for MTU mismatch or MTU ignore. We had an issue like this between Fortinet and VMware NSX-T. Very little showed when debugged, but it ended working when we corrected MTU mismatch.

3487
aguerriero
Contributor II

Created on ‎05-11-2023 05:25 PM Edited on ‎05-11-2023 06:05 PM

Create a multicast policy and allow the ospf address 224.0.0.5/224.0.0.6 depending on your network type.

 

Also link local multicast like an ospf hello has a TTL of 1. You may also need to set the fortigate to not decrement the TTL.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/968606/multicast-processing-and-basic-mu...

3892
jm-barreto
New Contributor III
In response to aguerriero

Created on ‎05-11-2023 08:03 PM

Hi @aguerriero 

 

Thanks for the info. That what I was missing. I created the policy and its working. 

JBC
JBC
3880
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.