Understanding VPN and OSPF



  • hi folks… it’s me again (i’m afraid, with a confusing question again)
    ok, here it is: when i want to do my routing with ospf and i have a vpn, on which interface do i have to enable ospf, and do i have to configure a static route to the other side of the vpn?

    actual setup:

    SSG550_HUB
    ethernet1, trust, 192.168.6.193/24
    ethernet2, untrust, 192.168.5.98/224
    tunnel.1, trust, unnumbered
    default route: 0.0.0.0/0 via ethernet2
    external router: 192.168.5.97

    SSG550_SPOKE
    ethernet1, trust, 192.168.6.224/24
    ethernet2, untrust, 192.168.5.162/224
    tunnel.1, trust, unnumbered
    default route: 0.0.0.0/0 via ethernet2
    source routing enable (for using only the tunnel and not the untrust interface for not-vpn traffic - it has to go to the SSG550_HUB)
    external router: 192.168.5.161

    i hope, i might answer some questions soon, to pay back all the help i got in here.

    kind regards

    nimrod



  • Happy holidays to you too.

    🙂



  • i have to take a look in the new year… atm i’m on my holidays… but thank you for this hint… i will figure that out soon and give a reply then…

    merry christmas and a happy new year to all of you



  • P2MP type tunnel interface has some limitations. For one thing, all tunnel interfaces for all your peers must all be part of the same logical subnet for OSPF to work. For example, your hub would be 10.10.10.1/24, one spoke could be 10.10.10.2/24, another spoke could be 10.10.10.3/24, etc. If you use unnumbered tunnel interfaces or your tunnel interfaces are all in different subnets then this will fail. Finally only the hub should be configured for p2mp, all spokes should be p2p.

    Hope this helps.



  • OFFTOPIC: why can’t i edit my posts ???
    ONTOPIC: i fixed it… the NS5GT_SPOKE’s trust interface was in nat-mode… i changed it to route-mode and now everything is fine for me…
    btw: my config says
    set interface trust zone trust
    set interface trust ip 192.168.6.65/27
    set interface trust route

    well… now i’m happy… despite one thing… perhaps someone may explain it to me: it’s this p2mp-tunnel thing i mentioned above. i heard some rumors about multicast traffic not being sent through an ipsec vpn… is that right, and do i therefore have to configure one tunnel for each spoke?



  • ok… finally i did it (i really don’t know how, but i did it)
    i had to make a little compromise… i now have a separate tunnel interface on the hub for every spoke… but the routes between them are made via ospf… (i know that this might not be the securest way to handle multiple vpns, but, well, you know^^)

    i thank you all for your help. i couldn’t have made it without you guys here (i think i said that also in another thread :lol:)…

    i stumbled over one thing… when adding a ns5gt to my network with the same config as for the SSG550_SPOKE / SSG20_SPOKE, the vpn comes up, but the routing tables are not filled by ospf…

    (on ns5gt) debug ospf all:

    2007-12-12 20:30:57 : ospf: send hello dr 0.0.0.0 bdr 0.0.0.0 active neighbors:
    2007-12-12 20:30:57 : 192.168.6.193
    2007-12-12 20:30:57 : ospf: send hello pkt to 224.0.0.5 on tunnel.1 len 48
    2007-12-12 20:30:57 : ospf: retransmit timer expired in vrouter trust-vr for neighbor 192.168.6.193 on tunnel.1
    2007-12-12 20:30:57 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
    2007-12-12 20:30:57 : ospf: process rx pak len 48 from 192.168.6.193 on tunnel.1 in vr trust-vr router-id 192.168.6.65
    2007-12-12 20:30:57 : ospf: recv pkt on tunnel.1, 192.168.6.193->224.0.0.5
    2007-12-12 20:30:57 : ospf: recv hello from neighbor 192.168.6.193 192.168.6.193 (Id) in area 0.0.0.0 state EXCHANGE
    2007-12-12 20:30:57 : ospf: process rx pak len 32 from 192.168.6.193 on tunnel.1 in vr trust-vr router-id 192.168.6.65
    2007-12-12 20:30:57 : ospf: recv pkt on tunnel.1, 192.168.6.193->224.0.0.5
    2007-12-12 20:30:57 : ospf: recv DBD from nbr 192.168.6.193 on tunnel.1 seq 0x7c13…
    flags INIT,MORE,MASTER len 0 mtu 1500 state EXCHANGE
    2007-12-12 20:30:57 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
    2007-12-12 20:30:57 : ospf: send pkt to 192.168.6.193 on tunnel.1 len 52
    2007-12-12 20:31:05 : ospf: retransmit timer expired in vrouter trust-vr for neighbor 192.168.6.193 on tunnel.1
    2007-12-12 20:31:05 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
    2007-12-12 20:31:05 : ospf: process rx pak len 32 from 192.168.6.193 on tunnel.1 in vr trust-vr router-id 192.168.6.65
    2007-12-12 20:31:05 : ospf: recv pkt on tunnel.1, 192.168.6.193->224.0.0.5
    2007-12-12 20:31:05 : ospf: recv DBD from nbr 192.168.6.193 on tunnel.1 seq 0x7c13…
    flags INIT,MORE,MASTER len 0 mtu 1500 state EXCHANGE
    2007-12-12 20:31:05 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
    2007-12-12 20:31:05 : ospf: send pkt to 192.168.6.193 on tunnel.1 len 52
    2007-12-12 20:31:07 : ospf: send hello dr 0.0.0.0 bdr 0.0.0.0 active neighbors:
    2007-12-12 20:31:07 : 192.168.6.193

    i must say, i really do not understand all of that (in fact not even a bit) of what i am reading there… but i’m wondering about the “retransmit”, but i have no clue what that could be… (i hope this might be my last problem… naye, but i don’t think so -.-’)

    have a nice day

    nimrod
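As an added example (not code from the thread), here is a small Python parser for the `debug ospf all` lines quoted above. It tracks, per neighbor, how often the retransmit timer expired, which DBD sequence numbers were re-sent, the MTU the peer announces, and the last adjacency state seen, and flags a neighbor that never leaves EXCHANGE while the same DBD (seq 0x7c13 in the post) is retransmitted. The sample log is the post's own output with the wrapped DBD lines re-joined; the regular expressions assume exactly those line formats, and the "stuck" thresholds are my own choice.

```python
import re
from collections import defaultdict

# Debug lines taken from the post above (wrapped DBD lines re-joined,
# hello/pkt bookkeeping lines that carry no neighbor state left out).
SAMPLE_LOG = """\
2007-12-12 20:30:57 : ospf: send hello dr 0.0.0.0 bdr 0.0.0.0 active neighbors:
2007-12-12 20:30:57 : 192.168.6.193
2007-12-12 20:30:57 : ospf: send hello pkt to 224.0.0.5 on tunnel.1 len 48
2007-12-12 20:30:57 : ospf: retransmit timer expired in vrouter trust-vr for neighbor 192.168.6.193 on tunnel.1
2007-12-12 20:30:57 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
2007-12-12 20:30:57 : ospf: recv hello from neighbor 192.168.6.193 192.168.6.193 (Id) in area 0.0.0.0 state EXCHANGE
2007-12-12 20:30:57 : ospf: recv DBD from nbr 192.168.6.193 on tunnel.1 seq 0x7c13 flags INIT,MORE,MASTER len 0 mtu 1500 state EXCHANGE
2007-12-12 20:30:57 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
2007-12-12 20:31:05 : ospf: retransmit timer expired in vrouter trust-vr for neighbor 192.168.6.193 on tunnel.1
2007-12-12 20:31:05 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
2007-12-12 20:31:05 : ospf: recv DBD from nbr 192.168.6.193 on tunnel.1 seq 0x7c13 flags INIT,MORE,MASTER len 0 mtu 1500 state EXCHANGE
2007-12-12 20:31:05 : ospf: send DBD to 192.168.6.193 on tunnel.1 seq 0x7c13 flag SLAVE len 52
"""

# Patterns for the four line types that carry adjacency information.
RETRANSMIT = re.compile(r"retransmit timer expired .* for neighbor (\S+) on (\S+)")
SEND_DBD = re.compile(r"send DBD to (\S+) on (\S+) seq (0x[0-9a-f]+)")
RECV_DBD = re.compile(r"recv DBD from nbr (\S+) on (\S+) seq (0x[0-9a-f]+) .*mtu (\d+) state (\w+)")
RECV_HELLO = re.compile(r"recv hello from neighbor (\S+) .* state (\w+)")


def new_record():
    return {"retransmits": 0, "dbd_sent": defaultdict(int),
            "peer_mtu": None, "states": []}


def summarize_adjacencies(log_text):
    """Per-neighbor counters gathered from ScreenOS 'debug ospf all' output."""
    nbrs = defaultdict(new_record)
    for line in log_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            nbrs[m.group(1)]["retransmits"] += 1
            continue
        m = SEND_DBD.search(line)
        if m:
            # count how often each DBD sequence number went out
            nbrs[m.group(1)]["dbd_sent"][m.group(3)] += 1
            continue
        m = RECV_DBD.search(line)
        if m:
            rec = nbrs[m.group(1)]
            rec["peer_mtu"] = int(m.group(4))   # MTU the peer advertises in its DBD
            rec["states"].append(m.group(5))
            continue
        m = RECV_HELLO.search(line)
        if m:
            nbrs[m.group(1)]["states"].append(m.group(2))
    return dict(nbrs)


def stuck_neighbors(summary):
    """Neighbors whose last seen state is EXCHANGE while one DBD sequence
    number was re-sent after at least two retransmit-timer expiries."""
    stuck = []
    for nbr, rec in summary.items():
        last = rec["states"][-1] if rec["states"] else None
        repeated = any(n > 1 for n in rec["dbd_sent"].values())
        if last == "EXCHANGE" and rec["retransmits"] >= 2 and repeated:
            stuck.append(nbr)
    return stuck


if __name__ == "__main__":
    summary = summarize_adjacencies(SAMPLE_LOG)
    for nbr, rec in summary.items():
        print(nbr, "retransmits:", rec["retransmits"],
              "dbd_sent:", dict(rec["dbd_sent"]), "last state:", rec["states"][-1])
    print("stuck in EXCHANGE:", stuck_neighbors(summary))
```

Run over the quoted log, the adjacency to 192.168.6.193 cycles at EXCHANGE: the same DBD goes out four times across two retransmit-timer expiries and the peer keeps answering with its initial (INIT,MORE,MASTER) DBD, so the database exchange never completes and no routes are learned. When that happens, the two things to compare on hub and spoke are the OSPF link-type on each tunnel interface (a p2p/p2mp mismatch is what rejects a neighbor later in this thread) and the interface MTU, since OSPF rejects a DBD whose announced MTU is larger than the receiving interface can accept.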



  • i tried that, but the interface is set automatically to p2p after clicking apply… hum
    //edit:
    i changed my setup a bit so as not to run into that p2p problem and made a separate tunnel interface for every spoke. i don’t know if it is a “good” setup, but it works (partially)…

    i get ospf routes:
    SSG550_SPOKE -> SSG550_HUB
    SSG550_SPOKE -> SSG20_SPOKE
    SSG550_HUB -> SSG20_SPOKE
    SSG20_SPOKE -> SSG550_HUB
    now the strange thing:
    no route from:
    SSG550_HUB -> SSG550_SPOKE
    even more strange:
    all vpns come up (from hub to each spoke)

    when i started the machines this morning the SSG550_SPOKE had a problem booting (neither webui, nor console)… might there be a hardware problem???^^



  • Every time I have had this specific issue it is because the OSPF process is enabled on the interface. Make sure you disable OSPF first and click apply. Then enable P2MP and click apply. Then re-enable OSPF and click apply.



  • ok… i’ll try that

    //edit:
    it didn’t work… whenever i try to set point-to-multipoint (via webui), p2p is chosen after applying… same in cli…

    here my config for the hub-device (SSG550_HUB):

    set hostname SSG550_HUB
    set interface ethernet1 zone trust
    set interface ethernet1 ip 192.168.6.193/27
    set interface ethernet1 nat
    set interface ethernet2 zone untrust
    set interface ethernet2 ip 192.168.5.98/27
    set interface tunnel.1 zone trust
    set interface tunnel.1 ip unnumbered interface ethernet1
    set address trust Home_LAN 192.168.6.192/27
    set address trust SSG550_SPOKE__LAN 192.168.6.224/27
    set address trust SSG20_SPOKE_LAN 192.168.6.0/27
    set ike gateway to_SSG550_SPOKE address 192.168.5.162 main outgoing-interface ethernet2 preshare 12345678 proposal pre-g2-3des-sha
    set ike gateway to_SSG20_SPOKE address 192.168.5.67 main outgoing-interface ethernet2 preshare 12345678 proposal pre-g2-3des-sha
    set vpn VPN550_HUB_550_SPOKE gateway to_SSG550_SPOKE sec-level compatible
    set vpn VPN550_HUB_550_SPOKE bind interface tunnel.1
    set vpn VPN550_HUB_550_SPOKE proxy-id local-ip 192.168.6.192/27 remote-ip 192.168.6.224/27 any
    set vpn VPN550_HUB_20_SPOKE gateway to_SSG20_SPOKE sec-level compatible
    set vpn VPN550_HUB_20_SPOKE bind interface tunnel.1
    set vpn VPN550_HUB_20_SPOKE proxy-id local-ip 192.168.6.192/27 remote-ip 192.168.6.0/27 any
    set vrouter trust-vr route 0.0.0.0/0 interface ethernet2 gateway 192.168.5.97
    set vrouter trust-vr route 192.168.6.224/27 interface tunnel.1
    set vrouter trust-vr route 192.168.6.0/27 interface tunnel.1
    set vrouter trust-vr protocol ospf
    set vrouter trust-vr protocol ospf enable
    set interface tunnel.1 protocol ospf area 0
    set interface tunnel.1 protocol ospf link-type p2mp
    set interface tunnel.1 protocol ospf enable
    set policy from trust to untrust "Home_LAN" "Any" any permit
    set policy from untrust to trust "Any" "Home_LAN" any permit
    set policy from trust to untrust "SSG550_SPOKE__LAN" "Any" any permit
    set policy from untrust to trust "Any" "SSG550_SPOKE__LAN" any permit
    set policy from trust to untrust "SSG20_SPOKE_LAN" "Any" any permit
    set policy from untrust to trust "Any" "SSG20_SPOKE_LAN" any permit
    set vpn VPN550_HUB_550_SPOKE monitor
    set vpn VPN550_HUB_20_SPOKE monitor
    set ssh enable
    set interface ethernet2 manage web
    set interface ethernet2 manage ssh
    set interface ethernet2 manage telnet
    set interface ethernet2 manage ping
    save

    i wonder, where my mistake is -.-’

    //edit:
    i should have said that i see one neighbor… the other is rejected due to p2p (just for info)

    /edit:
    ok, i’m not sure how to solve the problem, but i think it has something to do with the tunnel interface or the whole config (which is obvious 0o)… i just don’t get how to get tunnel.1 to be p2mp



  • In order to configure point-to-multipoint on a tunnel interface you must first disable the OSPF process on the interface. Then configure the tunnel for P2MP. Once you have configured P2MP, then re-enable the OSPF process. This should solve your problem.



  • argh… i found the problem… the tunnel interface on SSG550_HUB is in point-to-point mode… the error message says, that the second neighbor was rejected due to this fact… but i cannot change it… it always sets the link type to point-to-point… have i to configure another tunnel interface??? i thought it might be possible to make the ospf routing and vpn through one tunnel  :?



  • thanks, max… it works… i got an ospf route (though i wonder what i did differently yesterday^^^)… now another problem… i tried the same with a ssg20… but there seems to be no ospf… are there any differences in ospf handling and configuration between the ssg550 and the ssg20??

    greez

    nimrod



  • ok… thanks, i’ll try that tomorrow (it’s 10pm right now here^^)
    i configured it the way you said today, and i saw the ospf hello packets with wireshark, but there were no routes in the destination routing table… but: the tunnel came up, but i wasn’t able to ping through the tunnel (ping is enabled)… i am very confused about that… i’ll set it up again when i’m back in business 😉

    another security question besides my problem: isn’t it problematic when i see the ospf packets from the trust side in the transfer network? i just thought of that issue, because the trust lan might be corruptible due to the fact that it is known to the “bad bad internet”^^

    good night from germany

    nimrod



  • First, you should configure OSPF in the VR. I am assuming all your interfaces are in trust-vr so enable it there. Second you need to configure OSPF on your tunnel interface. You should also configure OSPF on your trusted interfaces which would be ethernet1. That way the trusted subnets will get advertised to the peer on the other side of the tunnel. However, if you do not have any other OSPF peers off of ethernet1 then you may want to configure ethernet1 in passive mode.

    With the above you would not need to configure any static routes for your remote VPN subnets.
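The advice in this reply (OSPF in the VR, on the tunnel interface, and passively on the trust interface), the P2MP rule given earlier in the thread (all tunnel interfaces numbered and in one shared subnet, not unnumbered), and the NAT-mode fix the poster reported can be turned into a configuration check. The Python audit below is an added example, not part of the thread and not a ScreenOS tool: it reads `set interface` and `set vrouter` lines, takes the hub config posted above (cut down to the OSPF-relevant lines) as input, and compares it with a constructed corrected variant. The `set interface ethernet1 protocol ospf passive` line in that variant is assumed syntax for the passive mode mentioned in the reply; the finding codes are my own.

```python
import ipaddress

# Hub configuration from the thread, cut down to the OSPF-relevant lines.
HUB_CONFIG = """\
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.6.193/27
set interface ethernet1 nat
set interface ethernet2 zone untrust
set interface ethernet2 ip 192.168.5.98/27
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface tunnel.1 protocol ospf area 0
set interface tunnel.1 protocol ospf link-type p2mp
set interface tunnel.1 protocol ospf enable
"""

# Constructed variant applying the advice in the thread: trust interface in
# route mode and in OSPF as a passive interface, tunnel numbered for P2MP.
# ('set interface ... protocol ospf passive' is assumed ScreenOS syntax.)
FIXED_CONFIG = """\
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.6.193/27
set interface ethernet1 route
set interface ethernet2 zone untrust
set interface ethernet2 ip 192.168.5.98/27
set interface tunnel.1 zone trust
set interface tunnel.1 ip 10.10.10.1/24
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface ethernet1 protocol ospf area 0
set interface ethernet1 protocol ospf passive
set interface ethernet1 protocol ospf enable
set interface tunnel.1 protocol ospf area 0
set interface tunnel.1 protocol ospf link-type p2mp
set interface tunnel.1 protocol ospf enable
"""


def new_iface():
    return {"zone": None, "ip": None, "unnumbered": None, "nat": False,
            "ospf": False, "passive": False, "link_type": None}


def parse_interfaces(config_text):
    """Collect the facts this audit needs from 'set interface ...' lines."""
    ifaces = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["set", "interface"]:
            continue
        iface = ifaces.setdefault(parts[2], new_iface())
        rest = parts[3:]
        if rest[0] == "zone":
            iface["zone"] = rest[1]
        elif rest[:2] == ["ip", "unnumbered"]:
            iface["unnumbered"] = rest[-1]          # interface the address is borrowed from
        elif rest[0] == "ip":
            iface["ip"] = ipaddress.ip_interface(rest[1])
        elif rest[0] in ("nat", "route"):
            iface["nat"] = rest[0] == "nat"         # 'route' clears NAT mode
        elif rest[:2] == ["protocol", "ospf"] and len(rest) > 2:
            if rest[2] == "enable":
                iface["ospf"] = True
            elif rest[2] == "passive":
                iface["passive"] = True
            elif rest[2] == "link-type":
                iface["link_type"] = rest[3]
    return ifaces


def audit_ospf(config_text, vrouter="trust-vr"):
    """Return (interface, finding) pairs for the problems discussed in the thread."""
    findings = []
    lines = {l.strip() for l in config_text.splitlines()}
    if f"set vrouter {vrouter} protocol ospf enable" not in lines:
        findings.append((vrouter, "ospf-not-enabled-in-vr"))
    for name, i in parse_interfaces(config_text).items():
        is_tunnel = name.startswith("tunnel.")
        if i["ospf"] and i["zone"] == "untrust":
            # hellos on the untrust side would be visible in the transfer network
            findings.append((name, "ospf-on-untrust"))
        if i["zone"] == "trust" and not is_tunnel:
            if not i["ospf"]:
                findings.append((name, "lan-not-advertised"))   # LAN subnet never reaches the peer
            elif not i["passive"]:
                findings.append((name, "lan-ospf-not-passive"))
            if i["nat"]:
                findings.append((name, "nat-mode"))             # poster's fix was route mode
        if i["link_type"] == "p2mp" and i["ip"] is None:
            findings.append((name, "p2mp-unnumbered"))          # P2MP needs a numbered tunnel subnet
    return findings


def same_tunnel_subnet(addresses):
    """P2MP rule from the thread: every peer's tunnel address must lie in one subnet."""
    nets = {ipaddress.ip_interface(a).network for a in addresses}
    return len(nets) == 1


if __name__ == "__main__":
    print("hub as posted:", audit_ospf(HUB_CONFIG))
    print("corrected:    ", audit_ospf(FIXED_CONFIG))
    print("p2mp peers:   ", same_tunnel_subnet(["10.10.10.1/24", "10.10.10.2/24", "10.10.10.3/24"]))
```

On the posted hub config the audit reports that ethernet1 is not in OSPF (so Home_LAN is only reachable through the static routes), that ethernet1 is in NAT mode, and that the p2mp tunnel is unnumbered; the corrected variant comes back clean. The `same_tunnel_subnet` check is the one to run across hub and spokes once the tunnel interfaces are numbered, before enabling P2MP on the hub.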


 
