OSPF over VPN/IKEv2 - 10.90 RC2

Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

OSPF over VPN/IKEv2 - 10.90 RC2

Post by Henri »

Hello,

I would like to get an OSPF connection over IKEv2 flying.
According to OSPF the IKEv2 interface is down; according to IPV4-INT it is up.

Thanks and best regards

Henri

root@GW2:
> sh ipv4-int test
IP-Heap: 5000 (5000)

TEST : Rtg-Tag: 0 VLAN-ID: 0 Peer: TEST
Interface-ID: 53, oper status is up
primary dns: not available
secondary dns: not available

root@GW2:
> sh ospf-nei
Instance OSPF_ROOT, router ID 172.19.1.2 is operating and has areas:
Area (refcount = 8) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors
VLAN90_TP state: (backup) IP: 172.19.1.2/255.255.255.0 MTU: 1500 DR: 172.19.1.5 BDR: 172.19.1.2 (refcount = 12) has neighbors:
Router ID Prio State Dead Timer IP Address rtL reqL dbsL
172.19.1.5 100 FULL DR 39.920s 172.19.1.5 0 0 0
172.19.1.12 1 FULL DROther 33.719s 172.19.1.12 0 0 0


---

root@Router:/Setup/Routing-Protocols/OSPF
> sh ipv4-int test
IP-Heap: 5000 (5000)

TEST : Rtg-Tag: 0 VLAN-ID: 0 Peer: TEST
Interface-ID: 19, oper status is up
primary dns: not available
secondary dns: not available

root@Router:/Setup/Routing-Protocols/OSPF
> sh ospf-nei
Instance PRAXIS1, router ID 172.22.0.1 is operating and has areas:
Area (refcount = 6) 0x0 (0) has interfaces:
INTRANET state: (backup) IP: 172.22.0.1/255.255.254.0 MTU: 1500 DR: 172.22.0.2 BDR: 172.22.0.1 (refcount = 6) has neighbors:
Router ID Prio State Dead Timer IP Address rtL reqL dbsL
172.22.0.2 10 FULL DR 33.826s 172.22.0.2 0 0 0

Instance OSPF_ROOT, router ID 172.19.2.1 is operating and has areas:
Area (refcount = 3) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors
Frühstücksdirektor
Posts: 183
Joined: 08 Jul 2022, 12:53
Location: Aachen

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by Frühstücksdirektor »

Hello Henri,

You haven't revealed your configuration, especially the OSPF part, so I can only guess:

1) By default OSPF does not run on "unnumbered interfaces", i.e. you have to give the VPN tunnel IP addresses in a common subnet. To do this, make an entry on both sides in the IP parameter list for the name of the VPN tunnel.
2) OSPF runs over multicast, i.e. as a second step you need matching network rules/SAs such as 0.0.0.0/0 <=> 0.0.0.0/0 so that multicast gets through.

Once everything is running, you should see OSPF packets in the VPN packet trace. If necessary, switch OSPF off and on again, depending on where you are coming from with the configuration...

Best regards,
Frühstücksdirektor
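As an added illustration of the two checks in the reply above (this is editor-added example code, not part of Frühstücksdirektor's post and not a LANCOM tool): a small Python script that parses `sh ospf-nei` output in the format pasted in this thread and flags interfaces OSPF reports as (down) or neighbors that are not FULL, plus a helper for point 1 that tests whether the two tunnel addresses share one subnet with identical masks, which is what a Broadcast-type OSPF interface such as TEST requires (RFC 2328, section 10.5). The sample listing is constructed from the GW2 output quoted above.

```python
import ipaddress
import re

# Constructed sample in the format of the "sh ospf-nei" listings quoted in this thread.
SAMPLE_OSPF_NEI = """Instance OSPF_ROOT, router ID 172.19.1.2 is operating and has areas:
Area (refcount = 7) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors
VLAN90_TP state: (dr) IP: 172.19.1.2/255.255.252.0 MTU: 1500 DR: 172.19.1.2 BDR: 0.0.0.0 (refcount = 6) has neighbors:
Router ID Prio State Dead Timer IP Address rtL reqL dbsL
172.19.1.5 200 DOWN DR 0.000s 172.19.1.5 0 0 0
172.19.1.12 1 DOWN DROther 0.000s 172.19.1.12 0 0 0
"""

# "<iface> state: (<state>) ..." and "<router-id> <prio> <state> <role> <dead>s ..."
IFACE_RE = re.compile(r"^(\S+) state: \((\w+)\)")
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\d+) (\w+) (DR|BDR|DROther) ([\d.]+)s")

def audit_ospf_neighbors(text):
    """Return (interface, problem) tuples for down interfaces and non-FULL neighbors."""
    findings = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, state = m.groups()
            if state == "down":
                findings.append((iface, "interface down"))
            continue
        m = NEIGH_RE.match(line)
        if m and iface is not None:
            router_id, _prio, state, _role, _dead = m.groups()
            if state != "FULL":
                findings.append((iface, f"neighbor {router_id} state {state}"))
    return findings

def broadcast_peers_compatible(ip_a, mask_a, ip_b, mask_b):
    """Point 1: a Broadcast-type interface needs both ends in the same subnet with equal
    masks (RFC 2328, 10.5); 0.0.0.0 and 255.255.255.255 masks (unnumbered) are rejected."""
    net_a = ipaddress.IPv4Network(f"{ip_a}/{mask_a}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{mask_b}", strict=False)
    return net_a == net_b and 0 < net_a.prefixlen < 32

if __name__ == "__main__":
    for iface, problem in audit_ospf_neighbors(SAMPLE_OSPF_NEI):
        print(f"{iface}: {problem}")
    # The two TEST peer addresses from this thread, each with a /24 mask
    print(broadcast_peers_compatible("172.19.1.2", "255.255.255.0", "172.19.2.1", "255.255.255.0"))
```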
5624
Posts: 992
Joined: 14 Mar 2012, 12:36

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by 5624 »

You can't put it directly on the VPN tunnel, unless there are changes in the 10.90 RC that would make it possible after all.

To make it work, you have to run a GRE tunnel over the IPsec tunnel.

I documented it for RIP in my blog a long time ago, but it works with OSPF too. I ran it like that for years, and it is still configured as a cold backup.

Quite a while ago, though, I decided not to do this with LANCOM anymore, because they simply don't play along with many technologies that other vendors have supported for a very long time. OSPFv3, for example, but IPv6 is uncharted territory after all.
LCS NC/WLAN
sebsch134
Posts: 73
Joined: 29 Sep 2024, 15:37

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by sebsch134 »

Yes, of course that works over a VPN tunnel. I had forgotten to mention that the tunnel itself needs an IP, as has already been correctly pointed out here.
Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by Henri »

Thanks!

I have defined a network (2*/24) that is pingable and over which (another story) a GRE tunnel also runs.
1.) Do I have to make it a /24?
2.) Where exactly are the IP addresses to be defined?
3.) In the case of the GRE tunnel, OSPF should behave just like an Ethernet connection, correct?

Thanks

Henri

Here are the OSPF configs:

GW2:
- OSPFv2 instance OSPF_ROOT, router ID 172.19.1.2, routing tag 0
- Area 0.0.0.0
- Broadcast interface TEST
output cost 1, router priority 100, rxmt interval 5,
inf trans delay 1, hello interval 10, router dead interval 40, passive 0
cryptographic MD5 authentication
- Broadcast interface VLAN90_TP
output cost 1, router priority 100, rxmt interval 5,
inf trans delay 1, hello interval 10, router dead interval 40, passive 0
cryptographic MD5 authentication
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list Prefix_VLAN1 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 100,
metric from source protocol, filter list Prefix_VLAN100 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list Prefix_VLAN120 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 20,
metric from source protocol, filter list Prefix_VLAN20 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 5,
metric from source protocol, filter list Prefix_VLAN5 (default action: accept)
- Redistribute static routes as type 1 external paths with tag 5,
metric from source protocol, filter list Prefix_VLAN50 (default action: accept)
- Redistribute static routes as type 1 external paths with tag 5,
metric from source protocol, filter list Prefix_VLAN55 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 74,
metric from source protocol, filter list Prefix_VLAN74 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 78,
metric from source protocol, filter list Prefix_VLAN78 (default action: accept)


Router:
> sh ospf-config

Current OSPF configuration

- OSPFv2 instance OSPF_ROOT, router ID 172.19.2.1, routing tag 1
- Area 0.0.0.0
- Broadcast interface TEST
output cost 1, router priority 1, rxmt interval 5,
inf trans delay 1, hello interval 10, router dead interval 40, passive 0
cryptographic MD5 authentication
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list VLAN1 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list VLAN10 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 100,
metric from source protocol, filter list VLAN100 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list VLAN11 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 2,
metric from source protocol, filter list VLAN2 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 3,
metric from source protocol, filter list VLAN3 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 5,
metric from source protocol, filter list VLAN5 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 55,
metric from source protocol, filter list VLAN55 (default action: accept)
- Redistribute connected routes as type 1 external paths with tag 0,
metric from source protocol, filter list VLAN_TP (default action: accept)
Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by Henri »

One additional question:

The headquarters is set up as a VPN cluster with VRRP (for HA only). The ISG5000 is then the central firewall/router for all connected VLANs. The rules in its firewall are defined stateful. Does OSPF take into account which router is the VRRP master, or can I only control that via the priority?

Thanks

Henri
Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by Henri »

Hello,

I changed the subnet mask. Same result.

root@Router:/
> sh ipv4-add VLAN90_TP
VLAN90_TP - Rtg-Tag: 0 VLAN-ID: 1 Interface-ID: 28 Interface: BRG-1:
172.19.2.1/22, PREFERRED, (NO DAD PERFORMED) (Type: Local LAN) valid: infinite


root@Router:/
> sh ospf-nei
Instance PRAXIS1, router ID 172.22.0.1 is operating and has areas:
Area (refcount = 4) 0x0 (0) has interfaces:
INTRANET state: (dr) IP: 172.22.0.1/255.255.254.0 MTU: 1500 DR: 172.22.0.1 BDR: 0.0.0.0 (refcount = 4) has no neighbors

Instance OSPF_ROOT, router ID 172.19.2.1 is operating and has areas:
Area (refcount = 3) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors


root@Router:/
> sh ipv4-int test
IP-Heap: 5000 (5000)

TEST : Rtg-Tag: 0 VLAN-ID: 0 Peer: TEST
Interface-ID: 26, oper status is up
primary dns: not available
secondary dns: not available

root@GW2:/
> sh ipv4-add VLAN90_TP
VLAN90_TP - Rtg-Tag: 0 VLAN-ID: 90 Interface-ID: 55 Interface: BRG-1:
172.19.1.2/22, PREFERRED, (NO DAD PERFORMED) (Type: Local LAN) valid: infinite


root@GW2:/
> sh ipv4-int test
IP-Heap: 5000 (5000)

TEST : Rtg-Tag: 0 VLAN-ID: 0 Peer: TEST
Interface-ID: 53, oper status is up
primary dns: not available
secondary dns: not available

> sh ospf-nei
Instance OSPF_ROOT, router ID 172.19.1.2 is operating and has areas:
Area (refcount = 7) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors
VLAN90_TP state: (dr) IP: 172.19.1.2/255.255.252.0 MTU: 1500 DR: 172.19.1.2 BDR: 0.0.0.0 (refcount = 6) has neighbors:
Router ID Prio State Dead Timer IP Address rtL reqL dbsL
172.19.1.5 200 DOWN DR 0.000s 172.19.1.5 0 0 0
172.19.1.12 1 DOWN DROther 0.000s 172.19.1.12 0 0 0
Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

Re: OSPF over VPN/IKEv2 - 10.90 RC2

Post by Henri »

If I have found the right place, the behaviour differs between 10.80RU9 and 10.90RC2.

Best regards

Henri

VERSION: 10.80.0833RU9 / 15.10.2024

root@GW2:/Setup/WAN/IP-List> l

Peer IP-Address IP-Netmask Masq.-IP-Addr. Gateway DNS-Default DNS-Backup NBNS-Default NBNS-Backup
==================--------------------------------------------------------------------------------------------------------------------------------------
TEST 172.19.1.2 255.255.255.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

root@GW2:/Setup/WAN/IP-List
> cd /Status/WAN/IP-Addresses/ipv4

root@GW2:/Status/WAN/IP-Addresses/IPv4
> l

Peer type IP-Address IP-Netmask Gateway DNS-Default DNS-Backup NBNS-Default NBNS-Backup Domain
==================----------------------------------------------------------------------------------------------------------------------------------------------------------------------

root@GW2:/Status/WAN/IP-Addresses/IPv4
> sh ospf-nei
Instance OSPF_ROOT, router ID 172.19.1.2 is operating and has areas:
Area (refcount = 10) 0x0 (0) has interfaces:
TEST state: (dr) IP: 172.19.1.2/0.0.0.0 MTU(ignore):1443 DR: 172.19.1.2 BDR: 0.0.0.0 (refcount = 4) has no neighbors
VLAN90_TP state: (backup) IP: 172.19.1.2/255.255.255.0 MTU: 1500 DR: 172.19.1.12 BDR: 172.19.1.2 (refcount = 14) has neighbors:
Router ID Prio State Dead Timer IP Address rtL reqL dbsL
172.19.1.5 100 FULL DROther 36.375s 172.19.1.5 0 0 0
172.19.1.12 1 FULL DR 33.936s 172.19.1.12 0 0 0

VERSION: 10.90.0076RC2 / 25.11.2024

> l /Setup/WAN/IP-List

Peer IP-Address IP-Netmask Masq.-IP-Addr. Gateway DNS-Default DNS-Backup
==================----------------------------------------------------------------------------------------------------
TEST 172.19.2.1 255.255.255.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

> l Status/WAN/IP-Addresses/IPv4

Peer type IP-Address IP-Netmask Gateway DNS-Default DNS-Backup Domain
==================------------------------------------------------------------------------------------------------------------------------------------
TEST static 172.19.2.1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

root@Router:/Status/WAN/IP-Addresses/IPv4
> l

Peer type IP-Address IP-Netmask Gateway DNS-Default DNS-Backup Domain
==================------------------------------------------------------------------------------------------------------------------------------------
TEST static 172.19.2.1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

root@Router:/Status/WAN/IP-Addresses/IPv4
> sh ospf-nei
Instance PRAXIS1, router ID 172.22.0.1 is operating and has areas:
Area (refcount = 4) 0x0 (0) has interfaces:
INTRANET state: (dr) IP: 172.22.0.1/255.255.254.0 MTU: 1500 DR: 172.22.0.1 BDR: 0.0.0.0 (refcount = 4) has no neighbors

Instance OSPF_ROOT, router ID 172.19.2.1 is operating and has areas:
Area (refcount = 3) 0x0 (0) has interfaces:
TEST state: (down) (refcount = 2) has no neighbors
Henri
Posts: 413
Joined: 23 Jul 2005, 01:42

Re: OSPF over VPN/IKEv2 - 10.90 RC3

Post by Henri »

This is how it works with the IKEv2 load balancer. I have found that Windows unfortunately no longer supports OSPF ... so iBGP in addition. A few examples would speed up the configuration considerably ...

Henri

cd /Setup/Routing-Protocols/Filter/Prefix-List
del *
tab Name IP-Address Prefix-Length Length-Min Length-Max Comment
add "Prefix_ESC" 172.20.0.0 0 16 32 ""
add "Prefix_VLAN1" 172.20.0.1 23 0 0 ""
add "Prefix_VLAN100" 10.0.100.0 24 0 0 ""
add "Prefix_VLAN120" 172.20.120.0 24 0 0 ""
add "Prefix_VLAN20" 172.20.20.0 23 0 0 ""
add "Prefix_VLAN250" 172.20.250.0 24 0 0 ""
add "Prefix_VLAN30" 172.20.30.1 23 0 0 ""
add "Prefix_VLAN5" 172.20.5.1 24 0 0 ""
add "Prefix_VLAN50" 172.20.50.1 24 0 0 ""
add "Prefix_VLAN55" 172.20.55.1 24 0 0 ""
add "Prefix_VLAN74" 172.20.74.0 23 0 0 ""
add "Prefix_VLAN78" 172.20.78.0 23 0 0 ""
add "prefix_TP" 172.19.2.1 24 0 0 ""

cd /Setup/Routing-Protocols/OSPF/Areas
del *
tab OSPF-Instance Area-ID Type Stub-Default-Cost
add "OSPF_ROOT" 0.0.0.0 Normal 0
cd /
cd /Setup/Routing-Protocols/OSPF/OSPF-Instance
del *
tab OSPF-Instance Operating Router-ID Rtg-tag Advertise-Default-Route Intra-Area-Distance Inter-Area-Distance External-Distance
add "OSPF_ROOT" Yes 172.19.1.2 0 No 110 110 110
cd /
cd /Setup/Routing-Protocols/OSPF/Interfaces
del *
tab Interface OSPF-Instance Area-ID Type Output-Cost Rxmt-Interval Inf-Trans-Delay Router-Priority Hello-Interval Router-Dead-Interval Authentication-Type Authentication-Key Passive MTU-Ignore
add "FILIALE1" "OSPF_ROOT" 0.0.0.0 NBMA 1 5 1 255 10 40 Cryptographic-MD5 "x" No Yes
add "FILIALE11" "OSPF_ROOT" 0.0.0.0 NBMA 1 5 1 255 10 40 Cryptographic-MD5 "x" No Yes
add "VLAN90_TP" "OSPF_ROOT" 0.0.0.0 Broadcast 1 5 1 255 10 40 Cryptographic-MD5 "x" No No
cd /
cd /Setup/Routing-Protocols/OSPF/NBMA-Neighbors
del *
tab OSPF-Instance Interface IP-Address Poll-Interval Eligible-As-Designated-Router
add "OSPF_ROOT" "FILIALE1" 172.19.2.1 0 No
add "OSPF_ROOT" "FILIALE11" 172.19.2.2 0 No
cd /
set /Setup/Routing-Protocols/OSPF/Operating Yes
cd /Setup/Routing-Protocols/OSPF/Route-Redistribution/BGP
del *
tab OSPF-Instance BGP-Instance Filter-List Default-Action Metric-Source Constant-Metric Path-Type External-Route-Tag
add "OSPF_ROOT" "DEFAULT" "Prefix_ESC" Accept Protocol 1 External-Type-1 0
add "OSPF_ROOT" "DEFAULT" "prefix_TP" Accept Protocol 1 External-Type-1 0
cd /
cd /Setup/Routing-Protocols/OSPF/Route-Redistribution/Connected
del *
tab OSPF-Instance Filter-List Default-Action Metric-Source Constant-Metric Path-Type External-Route-Tag
add "OSPF_ROOT" "Prefix_VLAN1" Accept Protocol 2 External-Type-1 0
add "OSPF_ROOT" "Prefix_VLAN100" Accept Protocol 2 External-Type-1 100
add "OSPF_ROOT" "Prefix_VLAN120" Accept Protocol 2 External-Type-1 0
add "OSPF_ROOT" "Prefix_VLAN20" Accept Protocol 2 External-Type-1 20
add "OSPF_ROOT" "Prefix_VLAN5" Accept Protocol 2 External-Type-1 5
add "OSPF_ROOT" "Prefix_VLAN74" Accept Protocol 2 External-Type-1 74
add "OSPF_ROOT" "Prefix_VLAN78" Accept Protocol 2 External-Type-1 78
add "OSPF_ROOT" "prefix_TP" Accept Protocol 2 External-Type-1 0
cd /
cd /Setup/Routing-Protocols/OSPF/Route-Redistribution/Static
del *
tab OSPF-Instance Filter-List Default-Action Metric-Source Constant-Metric Path-Type External-Route-Tag
add "OSPF_ROOT" "Prefix_VLAN50" Accept Protocol 1 External-Type-1 5
add "OSPF_ROOT" "Prefix_VLAN55" Accept Protocol 1 External-Type-1 5
cd /Setup/WAN/IP-List
del *
tab Peer IP-Address IP-Netmask Masq.-IP-Addr. Gateway DNS-Default DNS-Backup NBNS-Default NBNS-Backup
add "FILIALE1" 172.19.1.2 255.255.255.255 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
add "FILIALE11" 172.19.1.3 255.255.255.255 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
cd /