OPNsense Forum » Archive » 17.7 Legacy Series » OSPF Redistribute Remote Site-to-Site IPSEC networks
Topic: OSPF Redistribute Remote Site-to-Site IPSEC networks (Read 7320 times)
pongafence (Newbie, Posts: 29, Karma: 1)
OSPF Redistribute Remote Site-to-Site IPSEC networks « on: August 14, 2017, 02:02:11 pm »
Hi guys,
In our DC we use OPNsense almost exclusively now, with the exception of one server that runs our old Sophos UTM appliance.
We would like to decommission this. We can complete a Site-to-Site IPSEC tunnel, and traffic flows between the networks behind the OPNsense firewall, its internal networks, and our branch site and its internal networks. But we have a separate OPNsense firewall as well that protects another network, and we use OSPF to publish routes between the two.
So the question is, how do we redistribute Site-to-Site IPSEC tunnel networks to the OSPF areas? I've tried selecting Kernel Routes, Static Routes and Connected Routes as well for redistribution.
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #1 on: August 14, 2017, 04:58:22 pm »
If you have a router in two areas, it will become an ASBR and should do that automatically.
pongafence (Newbie, Posts: 29, Karma: 1)
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #2 on: August 15, 2017, 01:19:29 am »
Yup, they are, however none of the other firewalls/routers that are connected to the Shared network are receiving the routes.
pongafence (Newbie, Posts: 29, Karma: 1)
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #3 on: August 15, 2017, 01:51:24 am »
Also, I noticed that when I go into "Diagnostics" -> "OSPF" -> "Routing Table", my remote IPSEC site does not show up in the list, only the locally connected route.
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #4 on: August 15, 2017, 08:38:43 am »
You may check the output of ifconfig. You may have an issue because there is no local interface for IPsec traffic.
pongafence (Newbie, Posts: 29, Karma: 1)
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #5 on: August 15, 2017, 10:25:06 am »
Roger, thanks, will do. And should there be no local interface? I am noticing as well in my firewall rules that it's blocking almost all but ICMP traffic coming in over the IPSEC tunnel.
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #6 on: August 15, 2017, 01:14:06 pm »
Usually in a site-to-site tunnel there is no interface, because ESP is handled in the kernel. The problem in this case is that the firewall has no shared network between your sites, which is afaik a requirement for OSPF.
You may need to tunnel another protocol inside of ESP to get this working, or use BGP between the routers and redistribute OSPF/BGP, so the connection between the routers will use a TCP-based connection.
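As an added illustration of the BGP-between-the-routers approach described in the reply above (this is constructed example configuration, not from this thread or from OPNsense itself), a Quagga/FRR-style fragment for one site. The LAN addresses 192.168.1.0/24 and 192.168.2.0/24, the AS numbers 65001/65002 and the 10.10.0.0/24 shared OSPF segment are assumptions; the remote site mirrors it with the roles swapped.

```quagga
! Site A router (constructed example; all addresses and AS numbers are assumptions)
!
! Requirements outside this file:
!  - the IPsec phase 2 policy must cover 192.168.1.1 <-> 192.168.2.1, so the
!    BGP TCP session (port 179) travels inside ESP rather than in the clear;
!  - a firewall rule on the IPsec interface must allow TCP/179 from 192.168.2.1
!    (the thread notes that by default almost everything but ICMP is blocked there).
!
router bgp 65001
 bgp router-id 192.168.1.1
 ! peer is the remote site's LAN address, sourced from our own LAN address so
 ! both ends match the policy-based tunnel's traffic selectors
 neighbor 192.168.2.1 remote-as 65002
 neighbor 192.168.2.1 update-source 192.168.1.1
 ! the peers share no segment, so allow more than one hop for the eBGP session
 neighbor 192.168.2.1 ebgp-multihop 2
 ! hand our local and OSPF-learned prefixes to the remote site
 redistribute connected
 redistribute ospf
!
router ospf
 ospf router-id 192.168.1.1
 ! the segment shared with the second OPNsense firewall in this DC
 network 10.10.0.0/24 area 0.0.0.0
 ! prefixes learned from the remote site over BGP become OSPF external routes,
 ! so the other firewall on the shared network can reach the remote LAN
 redistribute bgp
!
```

In production, constrain both `redistribute` statements with a prefix-list or route-map so only the intended LANs cross the tunnel; on OPNsense 17.7 these statements correspond to the redistribution options in the routing plugin's BGP and OSPF pages.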
pongafence (Newbie, Posts: 29, Karma: 1)
Re: OSPF Redistribute Remote Site-to-Site IPSEC networks « Reply #7 on: August 17, 2017, 11:38:46 am »
Thank you for the suggestion! I'll give it a go and try using BGP between IPSEC tunnels.