Distribute IPSec site-to-site network via OSPF

Hello,
I found a solution where IPSec networks are distributed via OSPF and would like to know if this is correct? Can I use this in a productive environment?

1. SSH -> 4. Device Console
2. system ipsec_route add net 192.168.123.0/255.255.255.0 tunnelname IPSEC-TUNNEL-NAME

3. SSH -> 3. Route Configuration -> 1. Configure Unicast Routing -> 2. Configure OSPF
4. enable -> configure terminal -> router ospf -> redistribute kernel
5. exit -> write memory

The routes previously defined with ipsec_route are distributed with redistribute kernel. The VPN tunnel has to be online as well. Can I use redistribute kernel or is this not recommended?

Thanks,
Patrick



Added TAGs
[edited by: Raphael Alganes at 9:14 AM (GMT -7) on 10 Oct 2024]
  • Yes I see OSPF neighbourship established between SFOS and other gateway on the local (LAN) Interface. The OSPF session is established. Currently I do not need OSPF via IPsec, I want the many IPsec subnets to my routers on the LAN side. Sorry for the confusion.

    I have

    redistribute kernel
    redistribute connected
    redistribute static

    in a test environment to local OSPF neighbours.

    With ‘redistribute connected’, all local subnets are distributed. With ‘redistribute static’, all static subnets from the GUI list are distributed. With ‘redistribute kernel’, the policy-based IPSec subnets are distributed. This works fine, but I can't find any documentation or indication of whether it is OK to use ‘redistribute kernel’. So everything works in my test environment. My only question is whether it is allowed to use it in a Sophos production environment.
