OSPF over IPSec with Sophos UTM

Hi Community,

I need help creating active redundant Data-Chanels for a customer system.

Heres my Setup (also see picture):

I have 2 UTM-Clusters on two sites "1" + "2",
Connected via transparent DWDM-Transfer-Interface,
OSPF active for redundancy and automatic internal Routing,
Remote Site "C" running two Cisco-Routers "C1" and "C2" (also in OSPF-Redundancy).
Had to use two E1-Lines for the Customer-Connect.
UTM-Cluster "A" has working IPSec-Tunnel to "C1".
UTM-Cluster "B" has working IPSec-Tunnel to "C2".
Trying to reach multiple Systems in Subnet "172.24.22.0/24" on Site "C" redundantly with Help of OSPF.
OSPF deliveres when active still first the direct Routes via IPSec, and the when one connection fails a redundant route from the second cluster to the remote Subnet.

Target:

I'm trying to get OSPF through (or over) IPSec-Tunnel running, to be able to get redundancy to target VLAN behind two remote Single Cisco-WAN-Routers.
While IPSec is active on the Routing-Interface OSPF will not detect any OSPF-Device on the other side.

Questions:
- What is needed to do, to allow OSPF over the IPSec-Tunnel?
- Is OSPF and then IPSec on the same Interface possible?

Ideas:
- I already tried "Bind  Tunnel to Interface" but had no luck
- I tried disabling IPSec and was able to "see" the OSPF-Neighbor (but received no routes or Subnet-Infos)
- I also tried policy routes and conditional routing

State (now:)
- Not using OSPF right now
- Using static Routes
- Customer ist not satisfied with routes based on conditions (wants OSPF)

Parents Reply
  • Hi Bob, i already tried this (ignoring the last post - Should have tried that).

    By your anwer i'd suspect the last post is from your "sophisticated client" ;-)

    Will have to try this, if i get another chance by my customer. Hope so.
    As this is a live environment, those "Tests-Windows" are equaly rare as having a sit in with the famous Yeti.

    After reading that post i'm a little confused about what adress assigning for the IPSec-Tunnel over GRE.
    Next I believe that the network-stack on Sophos UTM ist hard coded meaning there is no option to allow OSPF using that GRE-IPSec-Tunnel. (at least i don't know one).
    Please let me know any clue any one of you all community-members might have.

    Sorry,  that for now i cannot mark one Answer as a solution but your Input (also from  jprush) is greatly apreciated - always!

    CYA - Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

Children
No Data