I need help creating active redundant Data-Channels for a customer system.
Here's my setup (also see picture):
I have 2 UTM clusters on two sites "1" + "2", connected via a transparent DWDM transfer interface, OSPF active for redundancy and automatic internal routing. Remote site "C" is running two Cisco routers "C1" and "C2" (also in OSPF redundancy). Had to use two E1 lines for the customer connect. UTM cluster "A" has a working IPSec tunnel to "C1". UTM cluster "B" has a working IPSec tunnel to "C2". Trying to reach multiple systems in subnet "172.24.22.0/24" on site "C" redundantly with the help of OSPF. OSPF, when active, should still deliver the direct routes via IPSec first, and then, when one connection fails, a redundant route from the second cluster to the remote subnet.
I'm trying to get OSPF through (or over) the IPSec tunnel running, to be able to get redundancy to the target VLAN behind two remote single Cisco WAN routers. While IPSec is active on the routing interface, OSPF will not detect any OSPF device on the other side.
Questions:
- What needs to be done to allow OSPF over the IPSec tunnel?
- Is OSPF and then IPSec on the same interface possible?
Ideas:
- I already tried "Bind Tunnel to Interface" but had no luck
- I tried disabling IPSec and was able to "see" the OSPF neighbor (but received no routes or subnet infos)
- I also tried policy routes and conditional routing
State (now):
- Not using OSPF right now
- Using static routes
- Customer is not satisfied with routes based on conditions (wants OSPF)
Wow, that's a very sophisticated setup! If there's an easy answer, I have no idea. I would open a case with Sophos Support and escalate it immediately. I suspect your client will need to invest in a Sophos consultant. Please let us know your result.
Cheers - Bob
In general the answer is that no, you cannot run OSPF over just an IPSec connection. You need some kind of tunnel to transport the multicast traffic. Historically that has been solved by using GRE tunnels with IPSec. Cisco has introduced a feature called VTI (Virtual Tunnel Interface) which allows running dynamic routing protocols without requiring the processing of GRE (and without requiring the crypto map configuration required with GRE tunnels). I have configured quite a few VTI tunnels and they work quite well.
Here is a link with some additional information about VTI.
With kind regards, best regards from Germany,
New Vision GmbH, Germany, Sophos Silver Partner
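As an added illustration of the VTI approach described in the post above (example configuration written for this thread, not code from the original post or from Cisco or Sophos documentation): a minimal route-based IPsec VTI on one of the remote Cisco IOS routers, with OSPF running across the tunnel interface instead of a crypto map. The interface names, the 10.255.0.0/30 tunnel addressing, the peer address 203.0.113.2, the IKE/IPsec parameters and the pre-shared key placeholder are all assumptions; the only value taken from the thread is the 172.24.22.0/24 customer subnet. The point made elsewhere in this thread is that the Sophos UTM end has no equivalent interface, so this shows only what the C1/C2 end would look like against a peer that does support a VTI.

```cisco
! C1 (assumed names/addresses): IKEv1 phase 1 and phase 2 parameters
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! An IPsec profile replaces the crypto map: the tunnel interface itself is protected,
! so whatever is routed into Tunnel0 (unicast and OSPF multicast alike) gets encrypted
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 description route-based VTI towards UTM cluster A (assumed peer)
 ip address 10.255.0.2 255.255.255.252
 ! leave headroom for the ESP/tunnel overhead so OSPF DBD packets and TCP do not fragment
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! OSPF forms its adjacency on the tunnel interface; no GRE needed
router ospf 1
 router-id 10.255.0.2
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
 network 10.255.0.0 0.0.0.3 area 0
 network 172.24.22.0 0.0.0.255 area 0
```

On the router, `show crypto ipsec sa` should show the SA bound to Tunnel0 with any/any selectors (that is what lets the 224.0.0.5 hellos through), and `show ip ospf neighbor` should list the peer in FULL state on Tunnel0. The second router C2 would get the mirror-image configuration towards cluster B, and the OSPF cost on each tunnel then decides which path is preferred while both are up.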
Maybe this helps to solve your use case in another way:
Do you think there is a way to transport the OSPF multicast via multicast routing (PIM-SM feature)? Could this help in this special scenario?
Sophos Certified Architect - UTM, using Sophos UTM since Astaro ASG v7 ;-)
PDV-Systeme GmbH est. 1985 is Gold Solution Partner since 2009
Thanks for the Tip with the VTI.
My problem is that the customer doesn't want to change to Cisco or Fortinet. There I would have solutions prepared (GRE & VTI).
The customer is redirecting its network setup to Juniper. But then that's the end for me.
Here's a 10-year-old tip on using GRE with UTM. I have one very-sophisticated client that also did this on his own - I haven't tried it.
Hi Bob, I already tried this (ignoring the last post - should have tried that).
By your answer I'd suspect the last post is from your "sophisticated client" ;-)
Will have to try this, if I get another chance from my customer. Hope so. As this is a live environment, those "test windows" are equally rare as having a sit-in with the famous Yeti.
After reading that post I'm a little confused about what address assignment to use for the IPSec tunnel over GRE. Next, I believe that the network stack on Sophos UTM is hard coded, meaning there is no option to allow OSPF using that GRE-IPSec tunnel (at least I don't know one). Please let me know any clue any one of you community members might have.
Sorry, BAlfson, that for now I cannot mark one answer as a solution, but your input (also from jprusch) is greatly appreciated - always!
CYA - Franz