
IPsec, OSPF and RED Tunnels

Hello,


I wanted to share some information for those of you that are looking to build an OSPF network via RED Tunnels and might currently still have IPsec in play. If you have IPsec tunnels built to sites that have RED tunnels in use with OSPF, the IPsec tunnels will always win and the traffic will pass over the IPsec connection instead of flowing through the RED tunnel. I believe that this is because a "silent" metric is with IPsec that makes the UTM. Also, if you use OSPF, make sure that if you want remote sites to use their own WAN gateway for non-OSPF related routes, the metric of the interface is set to 1; otherwise remote sites will push all traffic to the ASBR. I hope this helps folks. I am currently building a multi-area OSPF network with 26 UTMs ranging from the 105 series to the 230, so if I find more information that I can pass along to help others, I surely will!


Thanks,

Alex



  • I believe you have the option with IPsec VPNs to bind the tunnel to the local interface, in which case no route is created. This is also used in cases where there is a redundant tunnel between two UTMs using availability groups and interface groups. Without binding the tunnel to the local interface it is not possible to create two IPsec tunnels between the same networks. Then it's also possible to use OSPF to advertise routes.

    I am thinking that this could also work when there's only 1 IPsec connection using 1 WAN interface.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi, Alex, and welcome to the UTM Community!

    It's great that your first post here is a valuable contribution.

    Bravo, apijnappels! I believe that this was introduced with V9.1 or V9.2. I've not played with the capability, but have discussed this with others that have. It's a great new way to use Static Routes and Multipathing with IPsec tunnels.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for sharing that information!

  • Thank you! I hope to be able to contribute more as time goes by.

  • If anyone comes across the below error message in the live OSPFD logs, it indicates an LSA mismatch. I hadn't realized it, but I had set an upstream ABR as a normal area type and it was supposed to be a stub area. I fixed it and it immediately resolved the issue with the two UTM devices not forming an adjacency (neighborship). hth

    Packet 1.1.1.1 [Hello:RECV]: my options: 0, his options 2
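    The Hello log line quoted above carries the OSPF Options byte of both routers, and the mismatch it reports can be decoded directly: per RFC 2328 the E bit (value 2) means "AS-external LSAs accepted", so a router in a normal or NSSA area sets it while a router in a stub area clears it, and a Hello whose E bit does not match the local area configuration is dropped before any adjacency forms (RFC 3101 adds the same check for the NSSA N bit, value 8). The following is an added example, not code from the original thread or from Sophos, that parses lines of this shape out of an ospfd log and reports which side treats the area as stub, normal or NSSA. The log line from the post is used as-is; the second sample line and the `10.0.0.2` neighbor address are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OSPFv2 Options field bit names (RFC 2328 Appendix A.2 plus later extensions).
OPTION_BITS = {
    0x01: "MT",   # multi-topology (formerly the T bit)
    0x02: "E",    # AS-external capable: set in normal/NSSA areas, clear in stub areas
    0x04: "MC",   # multicast OSPF
    0x08: "N/P",  # NSSA capability in Hellos (RFC 3101), propagate bit in LSAs
    0x10: "L",    # LLS data block present (formerly EA)
    0x20: "DC",   # demand circuits
    0x40: "O",    # opaque LSA capable
    0x80: "DN",   # down bit
}

# Matches the Hello mismatch line exactly as it appears in the ospfd log above.
HELLO_RE = re.compile(
    r"Packet (?P<router>\S+) \[Hello:RECV\]: my options: (?P<mine>\d+), his options (?P<his>\d+)"
)


@dataclass
class HelloMismatch:
    router: str        # neighbor router address/ID reported in the log line
    my_options: int    # Options byte this router expects for the area
    his_options: int   # Options byte carried in the neighbor's Hello

    def differing_bits(self) -> List[str]:
        """Names of the option bits on which the two sides disagree."""
        diff = self.my_options ^ self.his_options
        return [name for bit, name in OPTION_BITS.items() if diff & bit]

    def diagnosis(self) -> str:
        """Explain the mismatch in terms of area type configuration."""
        diff = self.my_options ^ self.his_options
        notes = []
        if diff & 0x02:
            # E bit set means "not a stub area"; the side with it clear is configured as stub.
            if self.his_options & 0x02:
                stub, normal = "this router", f"neighbor {self.router}"
            else:
                stub, normal = f"neighbor {self.router}", "this router"
            notes.append(f"E-bit mismatch: {stub} treats the area as stub, {normal} as normal/NSSA")
        if diff & 0x08:
            if self.his_options & 0x08:
                nssa, other = f"neighbor {self.router}", "this router"
            else:
                nssa, other = "this router", f"neighbor {self.router}"
            notes.append(f"N-bit mismatch: {nssa} treats the area as NSSA, {other} does not")
        if not notes:
            # RFC 2328/3101 Hello processing only rejects on E/N; other bits just differ.
            notes.append("no area-type mismatch; differing bits not checked in Hello processing: "
                         + ", ".join(self.differing_bits()))
        return "; ".join(notes)


def diagnose(line: str) -> Optional[HelloMismatch]:
    """Parse one log line; return None if it is not a Hello options mismatch."""
    m = HELLO_RE.search(line)
    if not m:
        return None
    return HelloMismatch(m["router"], int(m["mine"]), int(m["his"]))


def scan_log(lines: List[str]) -> List[HelloMismatch]:
    """Collect every Hello options mismatch from a list of ospfd log lines."""
    found = []
    for line in lines:
        hit = diagnose(line)
        if hit is not None:
            found.append(hit)
    return found


# Constructed sample log: first line is the one from the post, the rest are made up.
SAMPLE_LOG = [
    "Packet 1.1.1.1 [Hello:RECV]: my options: 0, his options 2",
    "ospfd: some unrelated log line",
    "Packet 10.0.0.2 [Hello:RECV]: my options: 2, his options 10",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.router}: bits {hit.differing_bits()} -> {hit.diagnosis()}")
```

    For the line from the post the output names the E bit: the local router (options 0) is in a stub area while neighbor 1.1.1.1 (options 2) advertises a normal area, which is the area-type mismatch the post describes fixing. Running this over a live ospfd log is a cheap way to distinguish area-type errors from other reasons an adjacency is stuck, such as timer or authentication mismatches, which produce different log lines.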