Monday, March 24, 2008

Dynamic Routing Protocols over IPSEC VPNs

This article describes how to configure dynamic routing protocols such as OSPF or BGP when using IPSEC VPNs. BGP is fairly easy since you define static neighbors and the peering is plain unicast. It does get a little more tricky when using multicast-based protocols such as OSPF, because the OSPF hello and update packets have to make it through the tunnel before an adjacency can form. But despair not for help is nigh ;)

Start by building your site-to-site VPN tunnels in interface mode (see here for more info on interface mode). Important Note: Make sure your Phase 2 quick mode selectors are set to

Once you have your tunnels configured, go to Network -> Interface and expand the blue triangle next to the interface to which you have the tunnel attached:

Something which is not immediately obvious is that you can define an IP address on the tunnel interface. Edit the tunnel interface and assign unique IP addresses (i.e. something that is not in use on your network, typically a private IP) for the local and remote IP:

On the other side of the tunnel perform the same operation, reversing the settings for local and remote IP.

Now on to the OSPF side of things. Under Router -> Dynamic -> OSPF define the Area (the backbone). Then configure a Network which includes the network of the tunnel interface and place it in that area. Under Interfaces, create an interface tied to the tunnel interface. You can leave the IP as

Repeat the same on the other end and you should see the remote routes starting to come in as OSPF dynamic routes. To control which routes are advertised you can redistribute networks under the Advanced Options in OSPF. You can also apply router access lists to filter networks from being advertised. More on router access lists (used for OSPF) and router prefix lists (used for BGP) in another post.
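The GUI steps above, expressed as a FortiGate CLI configuration for one end of the tunnel. This is an added example, not configuration from the original post: the tunnel name "to-siteB", the peer gateway 203.0.113.2, the tunnel endpoint addresses 10.255.255.1/.2, the LAN prefix 192.168.1.0/24 and the WAN interface name "wan1" are all constructed values, and the wildcard Phase 2 selectors follow the "0/0 quick mode selectors" mentioned in the comments. Site B uses the same configuration with the local and remote IP swapped and its own LAN prefix.

```text
# --- Site A (constructed example values) ---

# Phase 1 in interface mode: the tunnel shows up as an interface called "to-siteB"
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set remote-gw 203.0.113.2
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end

# Phase 2 quick mode selectors: 0/0 on both sides so the OSPF multicast
# hellos (224.0.0.5, protocol 89) are not rejected by a narrow selector
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Give the tunnel interface its own local/remote IP (unused private addresses)
config system interface
    edit "to-siteB"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2
    next
end

# OSPF: backbone area, the tunnel network plus the local LAN in that area,
# and an OSPF interface bound to the tunnel (leave its IP at the default)
config router ospf
    set router-id 10.255.255.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-to-siteB"
            set interface "to-siteB"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.255.255.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

# Verification once both ends are configured:
#   get router info ospf neighbor          -> peer 10.255.255.2 should reach Full
#   get router info routing-table ospf     -> remote LAN learned as an O route
#   diagnose sniffer packet to-siteB 'proto 89' 4
#       -> hellos should be visible in both directions on the tunnel interface
```

If the neighbor never leaves the Init or ExStart state, the sniffer line is the quickest check: hellos arriving in only one direction usually point at a mismatched selector on the other end, while hellos flowing both ways but no adjacency points at an OSPF parameter mismatch (area, hello/dead timers, network type or MTU) rather than at the VPN.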


Allan M said...

Mate you're a champion! Was having problems getting OSPF working over my tunnels and your guide just sorted it all out!

Bookmarked your site.. I have a feeling it will come in handy again in the future :)

Matt G said...

Very helpful post. Was trying to figure out how to get the OSPF multicast traffic over the VPN, 0/0 quick mode selectors being the key.

nopat pending said...

Hello, have you had a chance to try it on 5.2? I've had an issue where the router I upgraded no longer establishes an OSPF session with one that is running 5.0. So I upgraded a second one and OSPF came up, but the 3rd site (not upgraded) still will not set up OSPF with either updated router via the tunnel.

So now I'm at a place where if I upgrade the 3rd it's going to break a few other remote ones that can't be upgraded to 5.2.

Just wondering if you've tried it, or know where I could look. I'm going to poke around the CLI, but I'm more of a Juniper/Cisco person.