gilbertog
New Contributor

OSPF over IPSec VPN Tunnel

Hello.

 

I'm having trouble setting up OSPF over IPsec in my company's network.

 

We have actually created VPN tunnels between each branch office. These tunnels are in a simple configuration with static routes and are working well. We want to configure OSPF over these tunnels in order to establish a dynamic full mesh topology in the future.

 

I thought it was just like configuring any device for OSPF; however, I was wrong. I need to know what "Networks" in the OSPF web-based manager means. Let me explain. I thought I should set there the networks I want to broadcast OSPF files over, so it would be the public network IP. I did this but it didn't work. Then I put the internal network IP and that didn't work either. I've already configured the interfaces (the tunnel interfaces) and set them to redistribute connected and static routes. I'm going crazy. If you know something, anything can help.

 

Thanks a lot.

8 REPLIES
emnoc
Esteemed Contributor III

I thought it was just like configuring any device for OSPF; however, I was wrong

 

Actually you're wrong: dynamic routing over an IPsec tunnel is like any other interface. In fact the OSPF process has no idea whether it's a VPN tunnel interface vs. a VLAN 802.1q interface vs. a physical one.

 

Outside of setting an address over the tunnel and the OSPF type of the tunnel, it absolutely has the same feel as an Ethernet interface.

 

Ken

PCNSE 

NSE 

StrongSwan  

gilbertog

emnoc wrote:

I thought it was just like configuring any device for OSPF; however, I was wrong

 

Actually you're wrong: dynamic routing over an IPsec tunnel is like any other interface. In fact the OSPF process has no idea whether it's a VPN tunnel interface vs. a VLAN 802.1q interface vs. a physical one.

 

Outside of setting an address over the tunnel and the OSPF type of the tunnel, it absolutely has the same feel as an Ethernet interface.

 

Ken

What would you recommend to me? What should I put in the OSPF "Networks" part? I've tried with the public IP and the private one, each with its own mask. What do the OSPF networks mean on a FortiGate?

Toshi_Esumi

First off, you should stick to the CLI to configure any routing protocol on a FG. The web interface is very limited.

Then under "config network" you should put a prefix that includes the interface IP. We regularly allocate a /30 private range on both sides, so the prefix would be like

config network
    edit 1
        set prefix 10.10.10.0 255.255.255.252
    next
end

in the case where the FG's tunnel interface is 10.10.10.1 and the peer has 10.10.10.2.

ericli_FTNT
Staff

gilbertog wrote:

Hello.

 

I'm having trouble setting up OSPF over IPsec in my company's network.

 

We have actually created VPN tunnels between each branch office. These tunnels are in a simple configuration with static routes and are working well. We want to configure OSPF over these tunnels in order to establish a dynamic full mesh topology in the future.

 

I thought it was just like configuring any device for OSPF; however, I was wrong. I need to know what "Networks" in the OSPF web-based manager means. Let me explain. I thought I should set there the networks I want to broadcast OSPF files over, so it would be the public network IP. I did this but it didn't work. Then I put the internal network IP and that didn't work either. I've already configured the interfaces (the tunnel interfaces) and set them to redistribute connected and static routes. I'm going crazy. If you know something, anything can help.

 

Thanks a lot.

Hi there,

 

1. Route-based IPsec is always recommended when dynamic routing will be configured later. Try to avoid policy-based IPsec in this situation. So, make sure your IPsec configuration is under "config vpn ipsec phase1-interface".

 

2. After your IPsec tunnel is built up, go to the tunnel interface (the same name as your phase1-interface) and configure 32-bit local and remote IP addresses.

 

3. OSPF should be running on these tunnel interfaces. Once you have configured the interface, the network type will be set to "point-to-point" automatically.

 

4. After you have finished your OSPF configuration, please first check whether the interface is running OSPF with "get router info ospf interface"; you should see the tunnel interface in the list.
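The four steps above and the /30 prefix advice from the earlier reply, written out as one hub-side CLI configuration. This is an added example, not configuration posted in the thread or published by Fortinet; the tunnel name "to-branch", the WAN interface "wan1", the peer address 203.0.113.2 and the 10.10.10.0/30 link are constructed values, the pre-shared key is a placeholder, and the two-argument "set remote-ip" form assumes FortiOS 6.x (on 5.6 "set remote-ip" takes only the address). The branch side mirrors it with the addresses swapped.

```fortios
# Constructed example: hub side of one route-based tunnel running OSPF.
# Names, addresses and the key below are placeholders, not values from the thread.

# 1. Route-based (interface mode) IPsec: phase1-interface, not policy-based phase1.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<pre-shared-key placeholder>"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch"
        set phase1name "to-branch"
        set proposal aes256-sha256
    next
end

# 2. The tunnel interface carries the same name as the phase1-interface.
#    32-bit local address plus the peer address; 10.10.10.0/30 is the OSPF link.
config system interface
    edit "to-branch"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.252
    next
end

# 3. OSPF on the tunnel interface. "config network" must hold a prefix that covers
#    the tunnel interface IP (the private /30), not the public WAN address; that
#    prefix is what puts the interface into OSPF.
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-to-branch"
            set interface "to-branch"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.252
            set area 0.0.0.0
        next
    end
    config redistribute "connected"
        set status enable
    end
end

# 4. Verify: the tunnel interface should be listed as point-to-point, and the
#    neighbor on 10.10.10.2 should reach state FULL.
get router info ospf interface to-branch
get router info ospf neighbor
```

If the interface shows up in the first command but the second shows no neighbor or one stuck short of FULL, check that both ends use the same /30 and the same network type, and compare MTU on both sides of the tunnel before looking anywhere else.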

 

 

emnoc
Esteemed Contributor III

Now after you have the OSPF interface up, your next-hop routing for the "destination subnets" can be checked. DYN-RT + RT-BASED VPN eliminates the need to apply static routes and makes it simple to have redundant tunnels or paths, imho.

PCNSE 

NSE 

StrongSwan  

braveheart
New Contributor

Hi Gilbertog,

 

I think I have exactly the same settings in my company and it's working like a charm. My scenario is like this: I have configured a site-to-site VPN on the public interface (WAN interface) between my head office and branch office. When I first created the VPN tunnels in 5.6.2 in the GUI, the tunnel interfaces were automatically created in the Network-->Interface section. After that I changed that tunnel interface and put my own VPN tunnel private IP address on it. Then in the Network-->OSPF section in the GUI I did the following:

Area section: Area=0.0.0.0, Type=Regular, Authentication="as per your need".

Networks section: Click "New network", put the VPN tunnel network that was automatically created after creating the VPN tunnels, and put area 0.

Interface section: Click "Create New", then put any name in the Name field. In the interface field select the VPN tunnel name you created during VPN tunnel creation. In the IP field put the VPN tunnel interface IP (for me, the private IP) which you put in the Network-->Interface section. It must match, otherwise it will show an error. Then use authentication as per your need and put a cost. The cost will be based on your requirements and the priority of your VPN tunnels. You can keep the Hello and Dead intervals intact.

 

After doing that your VPN tunnel should come up. One thing you need to remember is that if you are creating a VPN tunnel with another vendor like Cisco, then you may face problems with the tunnels. In my case OSPF adjacency did not come up because of the MTU value; in that case you need to adjust the MTU value to bring the tunnel up.

 

Thanks.

 

FernandoGuazelli

Well, I'm new here, but I really appreciated the discussion about IPsec + OSPF routing.

 

I'll try to deploy a scenario with two internet links at HQ and two internet links at the branch offices, and we have five branch offices.

 

The only specific thing is that, actually, I use static routes in a simple way to deploy IPsec, but all the traffic to the internet is routed to the HQ to be treated there (web filter, application control, SSL inspection, whatever else), and I do this using policy routes, taking care of the sequence of policy routes so that traffic between the branches does not have to pass through the HQ; so the policy routes which route the internet traffic to HQ are the last ones. It works perfectly.

 

That's the question: how do I do the same scenario switching from static routes to OSPF? hehe

 

Thanks in advance for the support, and I hope to help someone one day, if possible, with my little knowledge.

 

GentX
New Contributor

Hi Gilbertog,

I can share with you some documentation on configuring OSPF over dynamic IPsec VPN.

For your problem of "what Networks in the OSPF web-based manager means" (Advanced inter-area Network):

 

Then I cannot help you if I don't have your topology and the troubleshooting commands; please provide them if possible.

 

So if I understand, you want, in the future, to replace your static routes with OSPF so that the route table of each FortiGate is configured dynamically.

But in my view you are going to run into problems, because if you build a full mesh topology with OSPF over IPsec you are going to generate lots of control traffic, which will not be scalable or efficient.

I can suggest another way to configure your full mesh topology dynamically under IPsec. It is better to use this topology, ADVPN hub-and-spoke (KB links). It allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand direct tunnels between each other so as to avoid routing through the topology's hub device (useful links 3 and 4).

 

Be careful: ADVPN runs under BGP (i.e. you have to abandon OSPF and re-create your configuration under BGP).

 

I hope my help has been useful. 

 

 
