  • 1.  Cannot run ospf over ipsec

    Posted 03-11-2015 16:48

    Hello !

     

    For some reason I cannot get dynamic routing (OSPF) to come up over the IPsec tunnel. Could you tell me what is wrong?

     

    [edit]
    root@ADM# run show ospf neighbor interface st0.0                            
    OSPF instance is not running
    

     Topology diagram and configuration:

    IPSEC.png

     

     

    root@SRX650# show | no-more 
    ## Last changed: 2015-03-11 07:39:24 UTC
    version 12.1X46-D30.2;
    /* REVIEW (SRX-1, the SRX650 side): everything marked SECRET-DATA below is live credential
       material. The $1$ root hash and the $9$ pre-shared key were posted to a public forum; the
       $9$ form is Junos obfuscation, not encryption, and is readily reversible, so rotate both
       and redact them before sharing a configuration. */
    system {
        root-authentication {
            /* REVIEW: $1$ is MD5-crypt, which is weak against offline cracking once the hash is exposed. */
            encrypted-password "$1$pW8QL5L3$EVUDG0UQUcMTrgPtmmOdn/"; ## SECRET-DATA
        }
    }
    interfaces {
        /* Access-zone side (routing instance ACESS). */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.7.2/30;
                }
            }
        }
        /* Internet-facing side (zone INET); IKE terminates here via external-interface below. */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 212.0.0.2/30;
                }
            }
        }
        /* Route-based VPN tunnel interface; the OSPF point-to-point peer is 10.0.0.2 on SRX-2. */
        st0 {
            unit 0 {
                family inet {
                    address 10.0.0.1/30;
                }
            }
        }
    }
    routing-options {
        static {
            /* NOTE(review): 193.200.0.2 is not on any subnet configured on this box, so this
               route looks unresolvable or left over from another lab — confirm. */
            route 194.200.0.1/32 next-hop 193.200.0.2;
            /* Static route to the remote LAN over the tunnel; redundant once OSPF runs over st0.0. */
            route 172.16.1.0/24 next-hop st0.0;
            /* Reachability to the peer's IKE address 218.0.0.1. */
            route 218.0.0.0/30 next-hop 212.0.0.1;
        }
        rib-groups {
            /* Applied to INET's OSPF: routes it learns are installed into INET.inet.0 and ACESS.inet.0. */
            ACESS_OSPF {
                import-rib [ INET.inet.0 ACESS.inet.0 ];
            }
            /* Applied to ACESS's OSPF: the mirror image, leaking ACESS OSPF routes into INET.inet.0. */
            INET_OSPF {
                import-rib [ ACESS.inet.0 INET.inet.0 ];
            }
        }
    }
    policy-options {
        policy-statement EXPORT-OSPF {
            term 1 {
                from {
                    instance INET;
                    protocol [ ospf direct ];
                }
            }
            /* NOTE(review): this `then accept` sits outside term 1, so it acts as an unconditional
               final action; term 1 has a `from` but no `then`, so a match simply falls through to it.
               Net effect: every route is exported into OSPF, not only INET ospf/direct routes. Move
               `then accept` inside term 1 if the filter was intended. */
            then accept;
        }
    }
    security {
        ike {
            policy IKE-POLICY {
                /* IKEv1 main mode with a pre-shared key. */
                mode main;
                /* NOTE(review): the built-in `standard` set on this release uses DH group 2 with
                   3DES/AES-128 and SHA-1, as far as I recall — confirm; explicit proposals
                   (e.g. AES-256, SHA-256, DH group 14 or higher) are preferable. */
                proposal-set standard;
                /* REVIEW: $9$ is reversible obfuscation; treat this line as the cleartext PSK and rotate it. */
                pre-shared-key ascii-text "$9$DaHPQ/9pEhrqm1hSyW8DiHmz3p0B"; ## SECRET-DATA
            }
            gateway IKE-GATE {
                ike-policy IKE-POLICY;
                /* Peer is SRX-2's ge-0/0/0. */
                address 218.0.0.1;
                external-interface ge-0/0/1;
            }
        }
        ipsec {
            policy IPSEC-POLICY {
                /* NOTE(review): same caveat as the IKE set; no perfect-forward-secrecy is configured. */
                proposal-set standard;
            }
            vpn IPSEC-VPN {
                bind-interface st0.0;
                ike {
                    gateway IKE-GATE;
                    ipsec-policy IPSEC-POLICY;
                }
                establish-tunnels immediately;
            }
        }
        address-book {
            global {
                /* NOTE(review): defined but not referenced — the policy below matches any/any. */
                address 10.32.0.0/24 10.32.0.0/24;
                address 172.16.1.0/24 172.16.1.0/24;
            }
        }
        policies {
            /* As posted, only Access -> VPN is permitted; nothing is defined for VPN -> Access, so
               sessions initiated from the remote site hit the default deny (fine if intended). */
            from-zone Access to-zone VPN {
                policy to_remote {
                    match {
                        /* NOTE(review): any/any/any permit — consider restricting to the address-book entries above. */
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Access {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        ospf;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone VPN {
                host-inbound-traffic {
                    /* REVIEW: root cause of the thread's problem — there is no `protocols { ospf; }`
                       in this zone, so OSPF hellos arriving on st0.0 are dropped before the routing
                       process sees them. SRX-2's VPN zone does allow ospf; this is the fix given
                       in the accepted answer. */
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
            security-zone INET {
                host-inbound-traffic {
                    system-services {
                        /* ike and ping are all the untrusted side needs; good least-privilege posture. */
                        ike;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
    }
    routing-instances {
        ACESS {
            interface ge-0/0/0.0;
            protocols {
                ospf {
                    rib-group INET_OSPF;
                    area 0.0.0.0 {
                        /* NOTE(review): no OSPF authentication on this LAN interface; anyone on the
                           segment can form an adjacency and inject routes. Acceptable only if the
                           segment is trusted. */
                        interface ge-0/0/0.0;
                    }
                }
            }
        }
        INET {
            interface st0.0;
            protocols {
                ospf {
                    rib-group ACESS_OSPF;
                    export EXPORT-OSPF;
                    area 0.0.0.0 {
                        /* OSPF over st0.0 rides inside the IPsec tunnel, so the missing OSPF
                           authentication matters less here than on the LAN interface. */
                        interface st0.0 {
                            interface-type p2p;
                            neighbor 10.0.0.2;
                        }
                    }
                }
            }
        }
    }
    

     SRX-2:

     

    root@ADM# show | no-more                                   
    ## Last changed: 2015-03-11 07:38:01 UTC
    version 12.1X46-D30.2;
    /* REVIEW (SRX-2, the ADM side): same caveat as SRX-1 — the $1$ root hash and the $9$
       pre-shared key below are live credentials that were posted publicly ($9$ is reversible
       obfuscation, not encryption); rotate and redact them. */
    system {
        root-authentication {
            /* REVIEW: $1$ is MD5-crypt; weak against offline cracking once the hash is exposed. */
            encrypted-password "$1$XpGxHAVt$r59lBUupr.1f/Ltln9kXp/"; ## SECRET-DATA
        }
    }
    interfaces {
        /* Internet-facing side (zone INET); IKE terminates here. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 218.0.0.1/30;
                }
            }
        }
        /* Remote-site LAN (zone Remote, routing instance REMOTE). */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.16.5.1/30;
                }
            }
        }
        /* Tunnel interface; the OSPF point-to-point peer is 10.0.0.1 on SRX-1. */
        st0 {
            unit 0 {
                family inet {
                    address 10.0.0.2/30;
                }
            }
        }
    }
    routing-options {
        static {
            /* NOTE(review): 194.200.0.2 is not on any subnet configured on this box — looks left over; confirm. */
            route 193.200.0.1/32 next-hop 194.200.0.2;
            /* Reachability to the peer's IKE address 212.0.0.2. */
            route 212.0.0.0/30 next-hop 218.0.0.2;
        }
    }
    security {
        ike {
            policy IKE_POLICY {
                /* IKEv1 main mode with a pre-shared key. */
                mode main;
                /* NOTE(review): built-in `standard` set (DH group 2 / SHA-1 on this release, I believe —
                   confirm); prefer explicit, stronger proposals. Must match SRX-1 either way. */
                proposal-set standard;
                /* REVIEW: $9$ is reversible; treat this line as the cleartext PSK and rotate it. */
                pre-shared-key ascii-text "$9$m5390OReK8QFyKMW-dmf5FCtRhS"; ## SECRET-DATA
            }
            gateway IKE-GATE {
                ike-policy IKE_POLICY;
                /* Peer is SRX-1's ge-0/0/1. */
                address 212.0.0.2;
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            policy IPSEC-POLICY {
                /* No perfect-forward-secrecy is configured. */
                proposal-set standard;
            }
            vpn IPSEC-VPN {
                bind-interface st0.0;
                ike {
                    gateway IKE-GATE;
                    ipsec-policy IPSEC-POLICY;
                }
                establish-tunnels immediately;
            }
        }
        address-book {
            global {
                /* NOTE(review): defined but unreferenced; the policy below matches any/any. */
                address Remote 172.16.1.0/24;
                address Access 10.32.0.0/24;
            }
        }
        policies {
            /* As posted, only VPN -> Remote is permitted (mirrors SRX-1's Access -> VPN). Nothing is
               defined for Remote -> VPN, so sessions initiated from the remote LAN toward the tunnel
               hit the default deny. */
            from-zone VPN to-zone Remote {
                policy to_remote {
                    match {
                        /* NOTE(review): any/any/any permit — consider restricting to the address-book entries above. */
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Remote {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    /* NOTE(review): `all` admits every routing protocol to the control plane from the
                       LAN; only OSPF is configured (REMOTE instance), so `ospf;` alone would suffice. */
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone VPN {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    /* OSPF is allowed on the tunnel zone here — this is exactly what SRX-1's VPN zone lacks. */
                    protocols {
                        ospf;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
            security-zone INET {
                host-inbound-traffic {
                    system-services {
                        ike;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    routing-instances {
        INET {
            interface st0.0;
            protocols {
                ospf {
                    area 0.0.0.0 {
                        interface st0.0 {
                            interface-type p2p;
                            neighbor 10.0.0.1;
                        }
                    }
                }
            }
        }
        /* NOTE(review): unlike SRX-1, no rib-groups tie INET and REMOTE together, so routes learned
           over the tunnel never reach REMOTE.inet.0 and vice versa (the poster notes this as the next step). */
        REMOTE {
            interface ge-0/0/1.0;
            protocols {
                ospf {
                    area 0.0.0.0 {
                        /* NOTE(review): no OSPF authentication on this LAN interface. */
                        interface ge-0/0/1.0;
                    }
                }
            }
        }
    }
    

     

     



  • 2.  RE: Cannot run ospf over ipsec

     
    Posted 03-12-2015 01:09

    Can you try the following command? It looks like you ran `show ospf neighbor` without naming the routing instance: OSPF is configured only inside the INET instance, so a query against the master instance reports that OSPF is not running.

     

     

    run  show ospf interface st0.0 instance INET



  • 3.  RE: Cannot run ospf over ipsec

    Posted 03-12-2015 11:44

    Hello, MarcTB and samc! Thanks for your answers. Indeed, I had to allow the OSPF protocol as host-inbound traffic on the VPN zone. I have added it.

     

    Now I need to configure the rib-groups (import-rib / export-rib) correctly so that all routing instances end up in one OSPF domain (ACESS and INET on SRX-1, INET and REMOTE on SRX-2). I will try to do it properly and cleanly 🙂



  • 4.  RE: Cannot run ospf over ipsec

     
    Posted 03-12-2015 23:24

    You are welcome 🙂



  • 5.  RE: Cannot run ospf over ipsec
    Best Answer

     
    Posted 03-12-2015 06:26

     

    Hello,

     

    It doesn't look as if the first SRX allows OSPF as host-inbound traffic on the VPN zone that holds st0.0 — the second SRX has `protocols { ospf; }` there, while the first only allows `ping`. Without it, the OSPF hellos arriving over the tunnel never reach the routing process.

     

            security-zone VPN {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    st0.0;
                }
            }

     

     

    Can you double check?

     

    Regards,

    Sam