Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SmokeyMountian_Tech
New Contributor

Created on ‎07-17-2020 06:58 AM

OSPF VS Static Routes (When IPsec tunnel is active we lose internet access)

60D 6.0.9

The primary internet connection is on a dedicated private fiber line using OSPF, and also has a 0.0.0.0 static route.

A backup internet connection with an IPsec tunnel back to the main office is also configured.

 

What happens is when the IPsec tunnel is active on the backup internet connection, we lose our internet access.

IPsec tunnel has a Static route with higher value Distance and Priority settings than the Static Route for the primary fiber connection.

 

They still have access to the private network, but lose internet access.

 

Sorry, I haven't done much with OSPF so lots of questions:

How do I have OSPF as a primary connection with IPsec backup? (I know you can set a monitor on the IPsec tunnel, but our primary connection to our main office is over Wan port and not another IPsec tunnel)

 

Would I add the IPsec to the interface list under OSPF and set it to a higher cost?

If that's the case, do I still need the static route entry for the IPsec tunnel? 

The IPsec tunnel is linking 192.168.7.x to 10.4.1.x and 10.1.1.x subnets. 

OSPF is currently set up on 10.255.255.x network. 

So if I add the IPsec interface into OSPF, would I need to add the 10.4.1.x and 10.1.1.x into the Networks box on OSPF?

If I add 10.4.1.x and 10.1.1.x to OSPF on my remote side, our main office firewall would also need to have those subnets configured too right?

2591
0 Kudos
2 REPLIES 2
live89
Contributor

Created on ‎07-19-2020 06:14 AM

hey

 

could you post the output of the active routing table ?

get router info routing-table all

If I understood you correctly , you ospf neighbor is advertising to you 0.0.0.0/0 default route

If that so, the distance for the OSPF should be lower than the IPSEC Static route

By default:

Static routes distance is 10, and OSPF is 110

So , you should configure the IPSEC static let say 120 for example

 

And you may need to execute the "exec router restart” to new distance conf to be effective.

Thanks

Thanks
1514
0 Kudos
SmokeyMountian_Tech
New Contributor
In response to live89

Created on ‎07-20-2020 08:38 AM

That's probably what's needed. 

I wonder why OSPF routes default to 110, when a default on Static Route is 10?

 

If you have your networks defined in OSPF, do you need to program Static Routes to reach the same networks?

 

Routing table for VRF=0
S* 0.0.0.0/0 [20/0] via 10.255.255.1, wan2
 [20/0] via xxx.xxx.xxx.xxx, dmz, [10/0]
O E2 10.0.0.0/9 [110/10] via 10.255.255.1, wan2, 4d17h22m
O 10.1.85.0/24 [110/2] via 10.255.255.3, wan2, 5d19h54m
O 10.2.85.0/24 [110/2] via 10.255.255.2, wan2, 5d19h54m
O 10.4.1.0/24 [110/2] via 10.255.255.1, wan2, 4d17h22m
O E2 10.212.130.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
C 10.255.255.0/24 is directly connected, wan2
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
--More-- O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/28 [110/10] via 10.255.255.1, wan2, 4d17h22m
C xxx.xxx.xxx.xxx/30 is directly connected, dmz
O E2 xxx.xxx.xxx.xxx/27 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 xxx.xxx.xxx.xxx/29 [110/10] via 10.255.255.1, wan2, 2d02h24m
C xxx.xxx.xxx.xxx/24 is directly connected, wan1
O E2 172.16.16.0/24 [110/10] via 10.255.255.1, wan2, 4d17h23m
O E2 172.16.51.69/32 [110/10] via 10.255.255.1, wan2, 00:18:17
O E2 172.30.254.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 192.168.0.0/16 [110/10] via 10.255.255.1, wan2, 4d17h22m
O 192.168.1.0/24 [110/2] via 10.255.255.12, wan2, 5d19h54m
O 192.168.2.0/24 [110/11] via 10.255.255.6, wan2, 5d19h54m
O 192.168.4.0/24 [110/2] via 10.255.255.4, wan2, 5d19h54m
O 192.168.5.0/24 [110/2] via 10.255.255.5, wan2, 5d19h54m
O E2 192.168.6.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
C 192.168.7.0/24 is directly connected, internal
O 192.168.8.0/24 [110/2] via 10.255.255.8, wan2, 5d19h54m
O 192.168.9.0/24 [110/2] via 10.255.255.9, wan2, 5d19h54m
O E2 192.168.10.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
O E2 192.168.11.0/24 [110/10] via 10.255.255.1, wan2, 03:10:22
O E2 192.168.12.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
O 192.168.13.0/24 [110/2] via 10.255.255.13, wan2, 4d02h43m
--More-- O 192.168.14.0/24 [110/2] via 10.255.255.11, wan2, 5d19h54m
O 192.168.15.0/24 [110/2] via 10.255.255.14, wan2, 5d19h54m
O E2 192.168.16.0/24 [110/10] via 10.255.255.1, wan2, 3d09h38m
O 192.168.17.0/24 [110/2] via 10.255.255.10, wan2, 5d19h54m
O E2 192.168.18.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
S xxx.xxx.xxx.xxx/27 [20/0] is directly connected, VPN2Wallingford
O E2 xxx.xxx.xxx.xxx/30 [110/10] via 10.255.255.1, wan2, 4d17h22m

1515
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.