OSPF over IPSec with Sophos UTM

Hi Community,

I need help creating active redundant data channels for a customer system.

Here's my setup (also see picture):

I have 2 UTM clusters on two sites "1" + "2",
connected via a transparent DWDM transfer interface,
OSPF active for redundancy and automatic internal routing,
remote site "C" running two Cisco routers "C1" and "C2" (also in OSPF redundancy).
Had to use two E1 lines for the customer connect.
UTM cluster "A" has a working IPsec tunnel to "C1".
UTM cluster "B" has a working IPsec tunnel to "C2".
Trying to reach multiple systems in subnet "" on site "C" redundantly with the help of OSPF.
While active, OSPF should still deliver the direct routes via IPsec first, and when one connection fails, a redundant route from the second cluster to the remote subnet.


I'm trying to get OSPF through (or over) the IPsec tunnel running, to be able to get redundancy to the target VLAN behind two remote single Cisco WAN routers.
While IPsec is active on the routing interface, OSPF will not detect any OSPF device on the other side.

- What needs to be done to allow OSPF over the IPsec tunnel?
- Is OSPF and then IPsec on the same interface possible?

- I already tried "Bind Tunnel to Interface" but had no luck
- I tried disabling IPsec and was able to "see" the OSPF neighbor (but received no routes or subnet info)
- I also tried policy routes and conditional routing

State (now):
- Not using OSPF right now
- Using static routes
- Customer is not satisfied with routes based on conditions (wants OSPF)

Parents Reply
  • Hi Bob, I already tried this (ignoring the last post - should have tried that).

    By your answer I'd suspect the last post is from your "sophisticated client" ;-)

    Will have to try this, if I get another chance from my customer. Hope so.
    As this is a live environment, those "test windows" are equally rare as having a sit-in with the famous Yeti.

    After reading that post I'm a little confused about the address assignment for the IPsec tunnel over GRE.
    Next, I believe that the network stack on Sophos UTM is hard-coded, meaning there is no option to allow OSPF using that GRE-IPsec tunnel (at least I don't know one).
    Please let me know any clue any one of you community members might have.

    Sorry that for now I cannot mark one answer as a solution, but your input (also from jprush) is greatly appreciated - always!

    CYA - Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009
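Added example, not from the original post or from any of the replies in this thread: a Cisco IOS configuration for a route-based (GRE over IPsec) tunnel on one of the remote routers, which is the design the replies point at and which answers both the original question (how OSPF can run over the tunnel) and the follow-up confusion about address assignment. The reason OSPF never sees a neighbour over a policy-based IPsec tunnel is that OSPF hellos go to multicast 224.0.0.5 with TTL 1 and never match the tunnel's traffic selectors, so they are dropped at the local end; with a GRE tunnel interface the hello is first encapsulated in unicast GRE between the two tunnel endpoints, and the IPsec SA only has to protect that GRE traffic. The addresses (198.51.100.1 as the UTM cluster's public address, 203.0.113.2 as router C1's public address, 10.255.0.0/30 as the tunnel link, 192.0.2.0/24 as the customer subnet), the pre-shared-key placeholder, the interface names and the OSPF process and area numbers are assumptions for illustration only; whether the Sophos UTM end can terminate the GRE side is not something this thread settles.

```cisco
! IKEv1 phase 1 to the UTM cluster (addresses are illustrative assumptions)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Phase 2: transport mode is enough, because GRE already carries the
! original packet; the SA only needs to protect endpoint-to-endpoint GRE.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES256-SHA256
!
! The routed tunnel interface. This /30 is the "tunnel address" the reply
! asks about: one end gets .1, the other .2, and OSPF forms its adjacency
! across it. Lower MTU/MSS so GRE+ESP overhead does not cause fragmentation.
interface Tunnel0
 description GRE over IPsec to UTM cluster A
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-GRE
!
! Public interface that carries the encrypted GRE (assumed name/address)
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
! Customer VLAN that should be advertised to the UTM side (assumed)
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
! Run OSPF on the tunnel link and on the customer subnet. A GRE tunnel
! defaults to OSPF network type point-to-point, so no DR election is needed.
router ospf 1
 router-id 10.255.0.2
 network 10.255.0.0 0.0.0.3 area 0
 network 192.0.2.0 0.0.0.255 area 0
 passive-interface GigabitEthernet0/1
```

After both ends are up, `show ip ospf neighbor` on the router should list the far tunnel address (10.255.0.1 in this layout) in FULL state, and `show crypto ipsec sa` should show only GRE (IP protocol 47) between the two public addresses being encrypted; if the OSPF neighbour is missing but the SA is up, check that the tunnel's `ip mtu` leaves room for the GRE and ESP headers on the E1 path.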
