- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Allow OSPF traffic over IPSEC tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Allow OSPF traffic over IPSEC tunnel
Hi all
We have spend a lot of time trying to get IPSEC FG to FG to work as shown in this video. http://www.youtube.com/watch?v=01KEgxqC4WI
The plan is to use OSPF as the routing protocol, so that should WAN 1 fail WAN 2 becomes the new route etc.
We managed to get the tunnel up and working....(we are using the latest version of FW 5.2.1, so we had to add in quick mode selector ip's for the local lan AND the ipsec interfaces)
Eventually we managed to pass pings from a PC over the tunnel, but had to use static routes to get it to work.
No matter what we tried we cannot get OSPF updates over the tunnel, so without the static routes one side cant reach the other!
Having the static routes in place defeats the whole purpose of using the routing protocol.
(running cli commands to see the OSPF neighbour show nothing on both sides)
Just a thought, but I suspect the FW rules are restricting OSPF traffic, if I look at the rules they tend to only allow traffic from internal to external and visa versa. Is there a way to specific allow OSPF traffic from FW1 in on Interface ipsec 1 for example ?
Any help would be very much appreciated
Thanks
greg
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again
We managed to get this to work eventually.
The video is outdated as the new FW version 5.2.1 requires quick mode selectors in the IPSEC setup.
We had to specify 0.0.0.0 0.0.0.0 as the local and remote side on both FW's for OSPF traffic to pass. (as they were the default ip's assigned in the OSPF setup) You also have to specify the ipsec tunnel interfaces local and remote on both sides in the quick mode selector setup.
Took us a good bit of time to find this out.
I have one other question
As we are using OSPF now we don't have any static routes specified.
In fact when we specified a default static route it caused our VPN fail over behavior to become very flaky.
When we removed any static routes the IPSEC VPN failover works fine.
What is the best way now to force internet traffic (non vpn) over one of the WAN links without introducing static IP routes.
Thanks for your help
greg
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never seen or have used fwpolicies to ospf working. Here's what I would do;
1: double check you have address assigned to the interfaces ( I'm assuming your using rt-based mode policy based will not do ospf )
2:Ensure the local<>remote fgt1 and <remote to local > fgt2 ) matches
3: make sure you applied and enabled ospf on the actual tunnel interfaces & in the right areas and the ares matches
4: run the diag sniffer packet < tunnel name> "any" and see if ospf packets are coming and going
I hope that helps or share your tunnel interface cfg and router ospf cfg
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again
We managed to get this to work eventually.
The video is outdated as the new FW version 5.2.1 requires quick mode selectors in the IPSEC setup.
We had to specify 0.0.0.0 0.0.0.0 as the local and remote side on both FW's for OSPF traffic to pass. (as they were the default ip's assigned in the OSPF setup) You also have to specify the ipsec tunnel interfaces local and remote on both sides in the quick mode selector setup.
Took us a good bit of time to find this out.
I have one other question
As we are using OSPF now we don't have any static routes specified.
In fact when we specified a default static route it caused our VPN fail over behavior to become very flaky.
When we removed any static routes the IPSEC VPN failover works fine.
What is the best way now to force internet traffic (non vpn) over one of the WAN links without introducing static IP routes.
Thanks for your help
greg
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I you are running into what we say "recursive routing" So no you probably don't want to route a default over the vpn but if you do you need to probably set "host /32 specific routes to your internet ISP uplink next-hop.
Is that what you trying to do? Inject a default thru the vpn via OSPF so the site#2 sends all traffic to site #1 like branch to headquarters.
If you need to control what you push thru the OSPF dynamic routing protocol updates, you will need to build a route-policy and allow or drop prefixes that you don't want advertised over the tunnel.
Back to your QM selectors, yes when you use FGT-2-FGT with dynamic routing protocols like OSPF, you typically set 0.0.0.0./0:0, but I'm not quite catching you on the following part tho.
You also have to specify the ipsec tunnel interfaces local and remote on both sides in the quick mode selector setup.
Can you post what you actually configured on the vpn-phase2 settings? None of my cfg have the actually tunnel interface address in a P2-selector.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- VXLAN, Virtual Switch and MTU 75 Views
- IPSec tunnel error : no SA... 140 Views
- SD-WAN IPSec Main Backup tunnels with... 124 Views
- IPSEC Down After Changing the IP... 68 Views
- Multiple phase 2 selectors needed for... 173 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.