
Distribute IPSec site-to-site network via OSPF

Hello,
I found a solution where IPsec networks are distributed via OSPF and would like to know whether this is correct. Can I use this in a production environment?

1. SSH -> 4. Device Console
2. system ipsec_route add net 192.168.123.0/255.255.255.0 tunnelname IPSEC-TUNNEL-NAME

3. SSH -> 3. Route Configuration -> 1. Configure Unicast Routing -> 2. Configure OSPF
4. enable -> configure terminal -> router ospf -> redistribute kernel
5. exit -> write memory

The routes previously defined with ipsec_route are distributed with redistribute kernel. The VPN tunnel has to be online as well. Can I use redistribute kernel or is this not recommended?

Thanks,
Patrick



Added TAGs
[edited by: Raphael Alganes at 9:14 AM (GMT -7) on 10 Oct 2024]
  • With the approach mentioned in your initial post, do you see an OSPF neighbourship established between SFOS and the other gateway? I doubt the session comes up; unless the session is up, how will the networks be distributed over OSPF?

    What local and remote subnets do you have in your policy-based IPsec tunnel?

  • Yes, I see an OSPF neighbourship established between SFOS and the other gateway on the local (LAN) interface. The OSPF session is established. Currently I do not need OSPF via IPsec; I want the many IPsec subnets advertised to my routers on the LAN side. Sorry for the confusion.

    I have

    redistribute kernel
    redistribute connected
    redistribute static

    in a test environment to local OSPF neighbours.

    With ‘redistribute connected’, all local subnets are distributed. With ‘redistribute static’, all static routes from the GUI list are distributed. With ‘redistribute kernel’, the policy-based IPsec subnets are distributed. This works fine, but I can't find any documentation or indication of whether it is OK to use ‘redistribute kernel’. So everything works in my test environment. My only question is whether it is allowed to use it in a Sophos production environment.

  • Hi,

    Yes, the "redistribute kernel" CLI command can be used to advertise such IPsec routes into the OSPF domain. The command includes all routes directly installed in the kernel as part of the OSPF advertisements. The routes are advertised like any other redistributed route (external routes, Type 5).

    Thanks. 

  • Thanks! In my test with ‘redistribute kernel’ only the IPsec routes are transmitted. When using ‘redistribute connected’, I was able to prevent unwanted routes (HA-Interface/MGM/WAN-Interface) with a route map.
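Putting the first post's procedure and the last post's route-map remark together, here is an added example (not from the original posts and not from Sophos documentation) of the complete configuration: the ipsec_route entries on the Device Console, then the OSPF redistribution restricted with a prefix-list and route-map so that only the IPsec subnets, and not every other route that happens to sit in the kernel table, are advertised. The subnets 192.168.123.0/24 and 192.168.124.0/24, the tunnel name IPSEC-TUNNEL-NAME and the names IPSEC-NETS and IPSEC-ONLY are placeholders. The prefix-list and route-map lines are standard Quagga/FRR syntax; it is an assumption that the SFOS OSPF shell accepts them exactly as written (the last post only reports a route map working with redistribute connected), so verify the keywords on the device. Lines starting with `!` are comments and are not typed.

```vtysh
! Added example, not from the original posts. Subnets and names are placeholders.
!
! --- Step 1: SFOS Device Console (SSH -> 4. Device Console) ---
! Install the remote subnets of the policy-based tunnel as kernel routes.
! They exist only while the tunnel is up, so OSPF withdraws them when it drops.
system ipsec_route add net 192.168.123.0/255.255.255.0 tunnelname IPSEC-TUNNEL-NAME
system ipsec_route add net 192.168.124.0/255.255.255.0 tunnelname IPSEC-TUNNEL-NAME
system ipsec_route show

! --- Step 2: OSPF shell (SSH -> 3. Route Configuration -> 1. Configure Unicast Routing -> 2. Configure OSPF) ---
enable
configure terminal
! Only the IPsec subnets pass; everything else is dropped by the implicit deny
! at the end of the prefix-list, so HA/MGMT/WAN kernel routes never leak.
ip prefix-list IPSEC-NETS seq 10 permit 192.168.123.0/24
ip prefix-list IPSEC-NETS seq 20 permit 192.168.124.0/24
route-map IPSEC-ONLY permit 10
 match ip address prefix-list IPSEC-NETS
exit
router ospf
 ! Kernel routes (the ipsec_route entries) are originated as Type 5 externals,
 ! filtered through the route-map; Quagga defaults redistributed routes to E2.
 redistribute kernel route-map IPSEC-ONLY
exit
exit
write memory

! --- Step 3: checks on the SFOS side ---
! Kernel routes as the routing daemon sees them (the tunnel must be up):
show ip route kernel
! Type 5 LSAs this router originates; only the IPsec prefixes should appear:
show ip ospf database external
```

On the LAN-side OSPF neighbours the two prefixes should show up as O E2 routes (for example with `show ip route ospf` on a Quagga/FRR router) pointing at the SFOS LAN address, and disappear after the tunnel goes down and the kernel route is removed. If a prefix is missing, check `show ip route kernel` first: a policy-based tunnel that is not established installs no route, and without the route there is nothing for redistribute kernel to pick up.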