Technical Tip: OSPF over dynamic tunnel with 'net-device disable' and 'mode config'

This article describes how to configure OSPF over a dynamic tunnel with 'net-device disable' and 'mode config'.

The topology consists of two firewalls, in a hub and spoke topology.

Overlay IPs of the Spokes (10.10.10.x) can be provisioned either manually or automatically, using IKE mode-config.

In this example we will use IKE mode-config.

Configuration on the HUB.

Tunnel Interface configuration:

# config system interface

    edit "TO_SPOKE"

        set vdom "root"

        set ip 10.10.10.1 255.255.255.255

        set allowaccess ping

        set type tunnel

        set remote-ip 10.10.10.254 255.255.255.0

        set snmp-index 24

        set interface "port7"

    next

end

IPsec configuration:

# config vpn ipsec phase1-interface

    edit "TO_SPOKES"

        set type dynamic

        set interface "port7"

        set keylife 3600

        set mode aggressive

        set peertype any

        set net-device disable

        set exchange-interface-ip enable

        set mode-cfg enable

        set proposal aes256-sha256

        set add-route disable

        set dpd on-idle

        set dhgrp 14

        set tunnel-search nexthop

        set ipv4-start-ip 10.10.10.2

        set ipv4-end-ip 10.10.10.253

        set ipv4-netmask 255.255.255.0

        set psksecret ENC my_encrypted_password

        set dpd-retryinterval 60

    next

end

# config vpn ipsec phase2-interface

    edit "TO_SPOKES"

        set phase1name "TO_SPOKES "

        set proposal aes256-sha256

        set dhgrp 14

        set keylifeseconds 1800

    next

end

OSPF configuration:

# config router ospf

    set router-id 10.10.10.1

    # config area

        edit 0.0.0.0

        next

    end

    # config ospf-interfac

        edit "TO_SPOKES"

            set interface "TO_SPOKES"

            set dead-interval 40

            set hello-interval 10

            set mtu-ignore enable

            set network-type point-to-multipoint

        next

    end

    # config network

        edit 1

            set prefix 172.16.103.0 255.255.255.0

        next

        edit 2

            set prefix 10.10.10.0 255.255.255.0

        next

Spoke configuration.

Tunnel interface configuration:

# config system interface

    edit "TO_HUB"

        set vdom "root"

        set allowaccess ping

        set type tunnel

        set snmp-index 27

        set interface "port16"

    next

end

IPsec configuration:

# config vpn ipsec phase1-interface

    edit "TO_HUB"

        set interface "port16"

        set keylife 3600

        set mode aggressive

        set peertype any

        set net-device disable

        set exchange-interface-ip enable

        set mode-cfg enable

        set proposal aes256-sha256

        set add-route disable

        set dhgrp 14

        set remote-gw 192.168.103.1

        set psksecret ENC my_encrypted password

    next

end

# config vpn ipsec phase2-interface

    edit "TO_HUB"

        set phase1name "TO_HUB"

        set proposal aes256-sha256

        set dhgrp 14

        set auto-negotiate enable

        set keylifeseconds 1800

    next

end

OSPF configuration:

# config router ospf

    set router-id 10.10.10.2

    # config area

        edit 0.0.0.0

        next

    end

    # config ospf-interface

        edit "TO_HUB"

            set interface "TO_HUB"

            set mtu-ignore enable

            set network-type point-to-point

        next

    end

    # config network

        edit 1

            set prefix 172.16.104.0 255.255.255.0

        next

        edit 2

            set prefix 10.10.10.0 255.255.255.0

        next

    end

Result.

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor    ID Pri State   Dead Time Address    Interface
10.10.10.2     1        Full/ - 00:00:39    10.10.10.2 TO_SPOKES