OSPF over IPSec

Hello.
How do I configure OSPF over IPsec with a FortiGate?
The IPsec tunnel is up and running, and the configured networks are reachable.
There is no possibility to configure OSPF endpoints.

Hello,

First of all, make sure you are on the latest firmware version.

You mention that IPSec is up and running. What about a tunnel? Do you have GRE configured, for example?

I may be missing some points, but in general:

In Services → VPN → GRE :

  • Open the GRE tunnel settings and add a new connection (GRE1). Select the tunnel source (the WAN interface you will be using).
  • Add the remote endpoint IP address (the WAN address of the other router).
  • Add the local GRE interface IP address (e.g. 172.16.1.1).
  • Add the subnet mask (255.255.255.252).
  • Configure GRE on the Fortigate accordingly.

OSPF:

To configure OSPF navigate to Network → Routing → Dynamic Routes → OSPF Protocol (You may need to download OSPF (FRR) from Services → Package manager)

  • Enable OSPF and VTY.

  • Add ‘connected’ to the list of redistributed routes and set everything else according to your requirements.

  • Add an OSPF interface; after saving, select the interface according to your network (the GRE interface in this case).

  • Create the OSPF area and OSPF networks.

Note: If you are using the Point-to-Point or Non-Broadcast type (available in the OSPF interface settings), make sure to specify the OSPF neighbor.

In order to display the OSPF routing data, navigate to Status → Routes → Dynamic routes. Data is only displayed once a protocol is configured and enabled.

Testing OSPF via commands:

Command used to see IP routing tables:

route
ip r show

Command to enter vtysh shell (from where you can use other commands):

vtysh

Command to display the OSPF topology table:

sh ip ospf route

Command to display the OSPF neighbors:

sh ip ospf neighbor

Command to display the OSPF link-state database:

sh ip ospf database

Useful links:

OSPF
OSPF example
GRE/IPSEC
Configuration examples

Kind Regards,
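The GRE and OSPF steps above, assembled into one configuration as an added example (it is not part of the original reply and not Teltonika's or Fortinet's own configuration): iproute2 commands that create the GRE interface on the RUT side, a strongSwan child SA that carries the GRE packets, and the FRR ospfd fragment that runs OSPF over the tunnel. All addresses (WAN 203.0.113.1 and 198.51.100.1, tunnel 172.16.1.0/30, LAN 192.168.250.0/24), the MTU value and the MD5 key are assumptions; the FortiGate side must mirror them.

```conf
# --- 1. GRE interface on the RUT (Linux side); assumed WAN addresses ---
# RUT WAN: 203.0.113.1    FortiGate WAN: 198.51.100.1
ip tunnel add gre1 mode gre local 203.0.113.1 remote 198.51.100.1 ttl 255
ip addr add 172.16.1.1/30 dev gre1
# Headroom for GRE (24 bytes) plus ESP; OSPF only forms an adjacency when
# both ends report the same MTU, so set the same value on the FortiGate.
ip link set gre1 mtu 1400
ip link set gre1 up

# --- 2. strongSwan child SA (swanctl.conf syntax): carry only GRE, IP
#        protocol 47, between the two WAN addresses. Tunnel mode also works;
#        transport mode saves the extra outer IP header.
connections {
  to-fortigate {
    local_addrs  = 203.0.113.1
    remote_addrs = 198.51.100.1
    children {
      gre {
        local_ts  = 203.0.113.1/32[47]
        remote_ts = 198.51.100.1/32[47]
        mode      = transport
      }
    }
  }
}

# --- 3. FRR ospfd.conf fragment ---
!
interface gre1
 ip ospf network point-to-point
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ! GRE itself is unauthenticated; keep OSPF from accepting hellos
 ! from anything that is not the peer (assumed key, change it).
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME
!
router ospf
 ospf router-id 10.0.0.254
 network 172.16.1.0/30 area 0.0.0.10
 network 192.168.250.0/24 area 0.0.0.10
!
```

With the point-to-point type on gre1, the OSPF hellos are multicast inside the GRE packet and the IPsec policy only has to match protocol 47 between the two WAN addresses, so no neighbor statement is needed. Check that `show ip ospf neighbor` reaches Full; if it sticks in ExStart, compare the MTU of gre1 with the FortiGate's tunnel MTU instead of enabling `ip ospf mtu-ignore`.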

Hello. Thanks for your answer.
I’ve configured an IPSec tunnel to the Fortigate and it works (ping from site A to site B and back).
I can configure OSPF, but I don’t have an IPSec interface to choose from. There are only lan, loopback and mobile. So it is not possible to learn routes from the Fortigate.
A Cisco router is connected to the same LAN as the RUTX50 with VRRP. The RUTX50 does not learn any routes from the Cisco either.
I’ve configured all possible OSPF interfaces as type broadcast.

FortiGate (static IP) <=IPSec=> (dyn. IP) RUTX50 (LAN 192.168.250.253) <=VRRP=> (LAN 192.168.250.252) Cisco

Security Associations (1 up, 0 connecting):
ToF_Gate-ToF_Gate_c[1]: ESTABLISHED 48 minutes ago, 10.132.210.247[tst2.2@nordfrost.intra]…80.149.35.33[fortigate@nordfrost.intra]

OSPF status:

root@Teltonika-RUTX50:~# ip r show
default dev qmimux0 proto static scope link src 10.132.210.247 metric 4
10.132.210.247 dev qmimux0 proto static scope link metric 4
192.168.250.0/24 dev br-lan proto static scope link metric 1
root@Teltonika-RUTX50:~#

Teltonika# sh ip ospf route
============ OSPF network routing table ============
N 192.168.250.0/24 [10] area: 0.0.0.10
directly attached to br-lan
N 192.168.250.254/32 [10] area: 0.0.0.10
directly attached to br-lan

============ OSPF router routing table =============

============ OSPF external routing table ===========

Teltonika# sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL

Teltonika-RUTX50.com# sh ip ospf data

   OSPF Router with ID (10.0.0.254)

            Router Link States (Area 0.0.0.10)

Link ID ADV Router Age Seq# CkSum Link count
10.0.0.254 10.0.0.254 1227 0x80000005 0xa6a8 2

            AS External Link States

Link ID ADV Router Age Seq# CkSum Route
0.0.0.0 10.0.0.254 1267 0x80000002 0xf0cd E2 0.0.0.0/0 [0x0]
10.132.210.247 10.0.0.254 1257 0x80000002 0xdd7d E2 10.132.210.247/32 [0x0]

ospfd.conf
hostname
password
enable password
!
access-list vty permit 127.0.0.0/8
access-list vty permit 192.168.250.253/24
access-list vty deny any
!
interface br-lan
 ip ospf cost 10
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf retransmit-interval 5
 ip ospf priority 1
 ip ospf network broadcast
!
interface lo
 ip ospf cost 10
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf retransmit-interval 5
 ip ospf priority 1
 ip ospf network broadcast
!
interface wwan0
 ip ospf cost 10
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf retransmit-interval 5
 ip ospf priority 1
 ip ospf network broadcast
!
router ospf
 ospf router-id 10.0.0.254
 redistribute connected
 redistribute static
 redistribute kernel
 network 192.168.250.0/24 area 10
 network 10.200.1.0/24 area 10
 default-information originate
 passive-interface eth1
!
line vty
 access-class vty
!

Thanks in advance

Hello,

Due to the way strongSwan works internally, there are no IPSec interfaces. It basically matches interesting traffic and uses a WAN interface to send the encrypted traffic.

It may be possible to use the WAN interface with just IPSec if the OSPF network type is set to non-broadcast and you configure a neighbour. Though I have not tried this, so I am not sure.

However, if you configure GRE between RUT and Fortigate, then you will be able to select the GRE interface and use it with other OSPF network types. So there should be no issue if you configure GRE.

Let me know how it goes.

Kind Regards,

Hi,

Andzej has already provided a lot of information, but I just want to quickly pitch in with a suggestion to simplify things. You could try to manually configure the OSPF neighbors’ IP addresses (LAN interfaces or loopbacks) to force OSPF to use unicast communication and not use broadcast mode (set the OSPF type to non-broadcast).

Doing this should force OSPF to operate in unicast mode instead of multicast mode. This will make things much easier when it comes to operating OSPF over tunnel. You can then add each of the remote endpoints’ OSPF interfaces to IPsec traffic selectors and see if you can establish OSPF adjacency. One issue you might run into is MTU mismatch. For OSPF adjacency to establish, one of the primary requirements is matching MTUs on interfaces. You can, in theory, tell OSPF process to ignore MTU mismatch, but then some unexpected issues may arise so this is definitely not recommended.

Another way to approach this issue would be to simply try using BGP instead of OSPF (either eBGP or iBGP). This should simplify things a lot, as BGP runs on top of TCP (unicast): all you need to do is ensure that the neighbor IPs are reachable over the IPsec tunnel. You could also try using slightly more aggressive keepalive and hold timers to ensure that BGP routes do not stay in the FIB for too long in case the BGP tunnel goes down.
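A small check, added here as an example (it is not code from the thread or from Teltonika), that turns the points made in the last two replies into something you can run against a pasted ospfd.conf: which interfaces OSPF actually activates (an interface runs OSPF only if one of its addresses falls inside a `network` prefix), which active interfaces use a non-broadcast type and therefore need a `neighbor` statement, and whether each configured neighbor address falls inside the IPsec traffic selectors so that its unicast hellos go through the tunnel rather than around it. The posted config is condensed inline; the interface addresses come from the `ip r show` output above except the loopback, which is assumed; the unicast variant with neighbor 10.200.1.1 and the selector prefixes are constructed.

```python
import ipaddress
import re

# Network types that cannot discover neighbours with multicast hellos and
# therefore need an explicit `neighbor` statement under `router ospf`.
NEEDS_NEIGHBOR = {"non-broadcast"}


def parse_ospfd(text):
    """Parse the parts of a flat FRR ospfd.conf that matter for adjacency.

    Returns (interfaces, router):
      interfaces: {ifname: network type or None}
      router: {"networks": [(IPv4Network, area)], "neighbors": [IPv4Address],
               "passive": {ifname, ...}}
    Repeated `interface` / `router ospf` blocks (as in the posted config) are merged.
    """
    interfaces = {}
    router = {"networks": [], "neighbors": [], "passive": set()}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            section, current = "interface", m.group(1)
            interfaces.setdefault(current, None)
            continue
        if line == "router ospf":
            section = "router"
            continue
        if line.startswith("line vty"):
            section = None
            continue
        if section == "interface":
            m = re.match(r"ip ospf network (.+)$", line)
            if m:
                interfaces[current] = m.group(1)
        elif section == "router":
            if (m := re.match(r"network (\S+) area (\S+)$", line)):
                router["networks"].append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
            elif (m := re.match(r"neighbor (\S+)", line)):
                router["neighbors"].append(ipaddress.ip_address(m.group(1)))
            elif (m := re.match(r"passive-interface (\S+)$", line)):
                router["passive"].add(m.group(1))
    return interfaces, router


def active_interfaces(interfaces, router, addrs):
    """Interfaces OSPF actually runs on: the interface address must fall inside
    a `network` prefix. Returns {ifname: (area, network type, passive?)}."""
    active = {}
    for ifname, cidr in addrs.items():
        ip = ipaddress.ip_interface(cidr).ip
        for prefix, area in router["networks"]:
            if ip in prefix:
                ntype = interfaces.get(ifname) or "broadcast"  # FRR default type
                active[ifname] = (area, ntype, ifname in router["passive"])
                break
    return active


def lint(conf_text, addrs, selectors):
    """Return human-readable findings for the three adjacency questions."""
    interfaces, router = parse_ospfd(conf_text)
    active = active_interfaces(interfaces, router, addrs)
    findings = []
    for ifname, cidr in addrs.items():
        if ifname not in active:
            findings.append(f"{ifname} ({cidr}) matches no 'network' statement: OSPF is not running on it")
    for ifname, (area, ntype, passive) in active.items():
        if not passive and ntype in NEEDS_NEIGHBOR and not router["neighbors"]:
            findings.append(f"{ifname} is '{ntype}' in area {area} but no 'neighbor' is configured: no hellos will be sent")
    nets = [ipaddress.ip_network(s, strict=False) for s in selectors]
    for nb in router["neighbors"]:
        if not any(nb in n for n in nets):
            findings.append(f"neighbor {nb} is outside the IPsec traffic selectors {selectors}: its unicast hellos bypass the tunnel")
    return findings


# Condensed from the ospfd.conf posted above (only the lines the checks use).
POSTED_CONF = """
interface br-lan
 ip ospf network broadcast
interface lo
 ip ospf network broadcast
interface wwan0
 ip ospf network broadcast
router ospf
 ospf router-id 10.0.0.254
 network 192.168.250.0/24 area 10
 network 10.200.1.0/24 area 10
 passive-interface eth1
"""
# br-lan and wwan0 addresses from the `ip r show` output above; lo is assumed.
POSTED_ADDRS = {"br-lan": "192.168.250.253/24", "lo": "127.0.0.1/8", "wwan0": "10.132.210.247/32"}

# Constructed variant of the last reply's suggestion: non-broadcast on the LAN
# interface with an assumed FortiGate-side neighbor 10.200.1.1, relying on the
# existing LAN<->LAN traffic selectors to carry the unicast hellos.
UNICAST_CONF = """
interface br-lan
 ip ospf network non-broadcast
router ospf
 ospf router-id 10.0.0.254
 neighbor 10.200.1.1
 network 192.168.250.0/24 area 0.0.0.10
"""
UNICAST_ADDRS = {"br-lan": "192.168.250.253/24"}

if __name__ == "__main__":
    for title, conf, addrs, sel in [
        ("posted config", POSTED_CONF, POSTED_ADDRS, ["10.200.1.0/24"]),
        ("unicast neighbour, selector covers it", UNICAST_CONF, UNICAST_ADDRS, ["10.200.1.0/24"]),
        ("unicast neighbour, selector too narrow", UNICAST_CONF, UNICAST_ADDRS, ["10.200.1.128/25"]),
    ]:
        print(f"== {title}")
        for finding in lint(conf, addrs, sel) or ["no findings"]:
            print("  -", finding)
```

Run against the posted config it reports that lo and wwan0 match no `network` statement, so OSPF is only running on br-lan; it says nothing about why the Cisco on br-lan does not appear, which is a separate question. The script checks configuration mechanics only: whether FRR and FortiOS will accept a unicast neighbor that is not on the interface's own subnet is what the `show ip ospf neighbor` test after the change has to answer.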

Hello.
Thanks for the solution suggestions. I will test it in the near future.

This topic was automatically closed after 15 days. New replies are no longer allowed.