This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OSPF over IPSec with Sophos UTM

Hi Community,

I need help creating active redundant Data-Chanels for a customer system.

Heres my Setup (also see picture):

I have 2 UTM-Clusters on two sites "1" + "2",
Connected via transparent DWDM-Transfer-Interface,
OSPF active for redundancy and automatic internal Routing,
Remote Site "C" running two Cisco-Routers "C1" and "C2" (also in OSPF-Redundancy).
Had to use two E1-Lines for the Customer-Connect.
UTM-Cluster "A" has working IPSec-Tunnel to "C1".
UTM-Cluster "B" has working IPSec-Tunnel to "C2".
Trying to reach multiple Systems in Subnet "172.24.22.0/24" on Site "C" redundantly with Help of OSPF.
OSPF deliveres when active still first the direct Routes via IPSec, and the when one connection fails a redundant route from the second cluster to the remote Subnet.

Target:

I'm trying to get OSPF through (or over) IPSec-Tunnel running, to be able to get redundancy to target VLAN behind two remote Single Cisco-WAN-Routers.
While IPSec is active on the Routing-Interface OSPF will not detect any OSPF-Device on the other side.

Questions:
- What is needed to do, to allow OSPF over the IPSec-Tunnel?
- Is OSPF and then IPSec on the same Interface possible?

Ideas:
- I already tried "Bind  Tunnel to Interface" but had no luck
- I tried disabling IPSec and was able to "see" the OSPF-Neighbor (but received no routes or Subnet-Infos)
- I also tried policy routes and conditional routing

State (now:)
- Not using OSPF right now
- Using static Routes
- Customer ist not satisfied with routes based on conditions (wants OSPF)



This thread was automatically locked due to age.
  • Wow, that's a very sophisticated setup!  If there's an easy answer, ich habe keine Ahnung.  I would open a case with Sophos Support and escalate it immediately.  I suspect your client will need to invest in a Sophos consultant.  Please let us know your result.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In general the answer is that no you can not run OSPF over just an IPSec connection. You need some kind of tunnel to transport the multicast traffic. Historically that has been solved by using GRE tunnels with IPSec. Cisco has introduced a feature called VTI (Virtual Tunnel Interface) which allows running dynamic routing protocols without requiring the processing of GRE (and without requiring the crypto map configuration required with GRE tunnels). I have configured quite a few VTI tunnels and they work quite well.

    Here is a link with some additional information about VTI.

    http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

    Source: https://community.cisco.com/t5/vpn/ospf-over-ipsec/td-p/1770787

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Maybe this helps to solve your use case in another way:

    https://support.sophos.com/support/s/article/KB-000034749?language=en_US

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hey JP,

    you think there is a way to transport the OSPF-Multicast via Multicast-Routing (PIM-SM-Feature)?
    Could this help in this special scenario?

    Greetings

    Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Thanks for the Tip with the VTI.

    My Problem is, that the customer doesn't want to change to Cisco or Fortinet.
    Here i would have solutions prepared (GRE & VTI).

    The customer redirects its Network-Setup to Juniper.
    But than that's the End for me.

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Here's a 10-year-old tip on using GRE with UTM.  I have one very-sophisticated client that also did this on his own - I haven't tried it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, i already tried this (ignoring the last post - Should have tried that).

    By your anwer i'd suspect the last post is from your "sophisticated client" ;-)

    Will have to try this, if i get another chance by my customer. Hope so.
    As this is a live environment, those "Tests-Windows" are equaly rare as having a sit in with the famous Yeti.

    After reading that post i'm a little confused about what adress assigning for the IPSec-Tunnel over GRE.
    Next I believe that the network-stack on Sophos UTM ist hard coded meaning there is no option to allow OSPF using that GRE-IPSec-Tunnel. (at least i don't know one).
    Please let me know any clue any one of you all community-members might have.

    Sorry,  that for now i cannot mark one Answer as a solution but your Input (also from  jprush) is greatly apreciated - always!

    CYA - Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009