Hi everybody,
I'm trying to set up a configuration with 2 OPNsense firewalls in 2 different datacenters.
They are connected via a routed IPsec link and are running OSPFv2 to share routes.
If I add a static route, I see it directly on second firewall via OSPF.
But if I connect an IPsec tunnel (tunnel mode), the tunnel works well and I see the route in the routing table, but I don't see it in the OSPF route diagnostics on either of the firewalls...
Is there a limitation in FRR for this kind of route? The only difference I've seen is the flags of the route:
US for the IPSEC tunnel route
UGS for the static route
Any idea?
Thanks for your help.
Regards,
Renaud.
Hi Renaud,
If I understand your question correctly, you're trying to find out why the VTI interface (ipsec1000 for example) is not seen as a route and propagated via OSPF.
This is because OSPF sees that type of VTI interface as an "IP unnumbered" one. The funniest thing is when you try to redistribute it into OSPF (or even BGP). For instance, assuming that the given ipsec1000 VTI is on FW1 and you redistribute it via OSPF:
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 10.1.1.1 --> 10.1.1.2
inet6 fe80::250:56ff:fe2d:b801%ipsec1000 prefixlen 64 scopeid 0xc
inet 172.16.41.1 --> 172.16.41.2 netmask 0xffffffff
groups: ipsec
reqid: 1000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
The assumption here is that 172.16.41.1/32 is advertised as an OSPF E2 route originated from FW1... however, the reality is that FW1 is originating 172.16.41.2/32 (which should be the other end of the tunnel).
I have no idea why it behaves that way.
If that's the case, I guess you need that route to allow FW locally originated traffic (like NTP, DNS, etc.) from the FW (using the VTI IP address as source IP) to be able to return. Personally I fixed that problem using static routes...
Regards,
Plamen
I'm quite sure I had this running in a lab.
Most important is to change the network type in the interface tab.
Some outputs from my lab (FW3 with router ID 10.30.10.1, peering with 10.70.1.1, area 0.0.0.3 via VTI; ipsec1000 configured with the OSPF P2P network type):
FW3.localdomain# sh ip ospf
OSPF Routing Process, Router ID: 10.30.10.1
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 0 millisec(s)
Minimum hold time between consecutive SPFs 50 millisec(s)
Maximum hold time between consecutive SPFs 5000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 12.320s ago
Last SPF duration 51 usecs
SPF timer is inactive
LSA minimum interval 5000 msecs
LSA minimum arrival 1000 msecs
Write Multiplier set to 20
Refresh timer 10 secs
Number of external LSA 2. Checksum Sum 0x00017d78
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.3
Shortcutting mode: Default, S-bit consensus: no
Number of interfaces in this area: Total: 4, Active: 4
Number of fully adjacent neighbors in this area: 1
Area has no authentication
Number of full virtual adjacencies going through this area: 0
SPF algorithm executed 4 times
Number of LSA 7
Number of router LSA 2. Checksum Sum 0x000097f1
Number of network LSA 0. Checksum Sum 0x00000000
Number of summary LSA 4. Checksum Sum 0x00027f98
Number of ASBR summary LSA 1. Checksum Sum 0x00002622
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
The P2P adjacency (not sure why FRR displays it with DROther; there shouldn't be any DR/BDR/DROther election on the P2P network type):
FW3.localdomain# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.70.1.1 1 Full/DROther 3.780s 172.16.31.1 ipsec1000:172.16.31.2 0 0 0
OSPF VTI interface details with manually changed hello/dead intervals (not important here). Note the "This interface is UNNUMBERED" line:
FW3.localdomain# show ip ospf interface ipsec1000
ipsec1000 is up
ifindex 12, MTU 1400 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,MULTICAST>
This interface is UNNUMBERED, Area 0.0.0.3
MTU mismatch detection: enabled
Router ID 10.30.10.1, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 1s, Dead 4s, Wait 4s, Retransmit 5
Hello due in 0.567s
Neighbor Count is 1, Adjacent neighbor count is 1
FW3.localdomain#
FW3's OSPF type-1 (router) LSA (there are 2 stub networks, 10.30.10.0/24 and 10.30.20.0/24, and a P2P VTI link with a strange (Link Data) Router Interface address of 0.0.0.12; no idea how 0.0.0.12 was derived here):
FW3.localdomain# show ip ospf database router 10.30.10.1
OSPF Router with ID (10.30.10.1)
Router Link States (Area 0.0.0.3)
LS age: 44
Options: 0x2 : *|-|-|-|-|-|E|-
LS Flags: 0x3
Flags: 0x0
LS Type: router-LSA
Link State ID: 10.30.10.1
Advertising Router: 10.30.10.1
LS Seq Number: 80000007
Checksum: 0x4ddb
Length: 60
Number of Links: 3
Link connected to: Stub Network
(Link ID) Net: 10.30.10.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metric: 100
Link connected to: Stub Network
(Link ID) Net: 10.30.20.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metric: 100
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 10.70.1.1
(Link Data) Router Interface address: 0.0.0.12
Number of TOS metrics: 0
TOS 0 Metric: 10
FW3.localdomain#
ipsec1000 interface on FW3 is:
FW3.localdomain# sh int ipsec1000
Interface ipsec1000 is up, line protocol is up
Link ups: 1 last: 2021/03/26 13:05:43.47
Link downs: 0 last: (never)
vrf: default
index 12 metric 1 mtu 1400 speed 0
flags: <UP,POINTOPOINT,RUNNING,MULTICAST>
Type: Unknown
inet 172.16.31.2/32 peer 172.16.31.1/32 unnumbered
inet6 fe80::250:56ff:fe27:b201/64
Interface Type Other
input packets 181916, bytes 11272315, dropped 0, multicast packets 0
input errors 0
output packets 197212, bytes 12238119, multicast packets 0
output errors 0
collisions 0
FW3.localdomain#
Which is locally connected, but in the routing table the "peer IP" of the tunnel is presented:
FW3.localdomain# sh ip route connected
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
....
C>* 172.16.31.1/32 [0/1] is directly connected, ipsec1000, 00:02:29
The VTI interface from BSD:
root@FW3:~ # ifconfig ipsec1000
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 10.64.123.3 --> 10.64.123.1
inet6 fe80::250:56ff:fe27:b201%ipsec1000 prefixlen 64 scopeid 0xc
inet 172.16.31.2 --> 172.16.31.1 netmask 0xffffffff
groups: ipsec
reqid: 1000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@FW3:~ #
So the bottom line is: with "redistribute connected" on FW3, you're going to redistribute 172.16.31.1/32, which lives on the other end of the tunnel (the other FW), and not your own IP address, 172.16.31.2/32.
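The check below is an added example and is not code from this thread, from OPNsense or from FRR. It parses the two outputs quoted above (the BSD ifconfig block for a POINTOPOINT interface and the FRR "sh ip route connected" line) and reports, per VTI, whether the connected /32 that "redistribute connected" would hand to OSPF is the peer address rather than the firewall's own address. The sample strings are copied from the FW3 output above; the function and variable names are my own.

```python
import re

# Constructed sample input: the FreeBSD "ifconfig ipsec1000" output quoted above for FW3.
IFCONFIG_SAMPLE = """\
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\ttunnel inet 10.64.123.3 --> 10.64.123.1
\tinet6 fe80::250:56ff:fe27:b201%ipsec1000 prefixlen 64 scopeid 0xc
\tinet 172.16.31.2 --> 172.16.31.1 netmask 0xffffffff
\tgroups: ipsec
\treqid: 1000
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""

# Constructed sample input: the FRR "sh ip route connected" line quoted above for FW3.
FRR_CONNECTED_SAMPLE = """\
C>* 172.16.31.1/32 [0/1] is directly connected, ipsec1000, 00:02:29
"""

# "ipsec1000: flags=8051<UP,POINTOPOINT,...>"  -> interface name, flag list
IFACE_HEADER = re.compile(r"^(\S+): flags=\d+<([^>]*)>")
# "\tinet 172.16.31.2 --> 172.16.31.1 netmask 0xffffffff"  -> local, peer, hex mask
IFACE_P2P_INET = re.compile(
    r"^\s+inet (\d+\.\d+\.\d+\.\d+) --> (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-fA-F]{8})"
)
# "C>* 172.16.31.1/32 [0/1] is directly connected, ipsec1000, ..."  -> prefix, interface
FRR_CONNECTED = re.compile(r"^C>\*\s+(\S+/\d+)\s+\[\d+/\d+\] is directly connected, (\S+),")


def netmask_hex_to_prefixlen(mask_hex: str) -> int:
    """Convert a BSD-style hex netmask (without the 0x) to a prefix length, e.g. ffffffff -> 32."""
    return bin(int(mask_hex, 16)).count("1")


def parse_p2p_interfaces(ifconfig_text: str) -> dict:
    """Return {ifname: {"local", "peer", "prefixlen"}} for every POINTOPOINT interface with an inet address."""
    result = {}
    current, is_p2p = None, False
    for line in ifconfig_text.splitlines():
        header = IFACE_HEADER.match(line)
        if header:  # a new interface block starts at column 0
            current = header.group(1)
            is_p2p = "POINTOPOINT" in header.group(2).split(",")
            continue
        inet = IFACE_P2P_INET.match(line)
        if current and is_p2p and inet:
            result[current] = {
                "local": inet.group(1),
                "peer": inet.group(2),
                "prefixlen": netmask_hex_to_prefixlen(inet.group(3)),
            }
    return result


def parse_frr_connected(route_text: str) -> dict:
    """Return {ifname: [prefix, ...]} from FRR 'show ip route connected' output."""
    routes = {}
    for line in route_text.splitlines():
        m = FRR_CONNECTED.match(line)
        if m:
            routes.setdefault(m.group(2), []).append(m.group(1))
    return routes


def audit_vti_redistribution(ifconfig_text: str, route_text: str) -> list:
    """For each point-to-point interface, compare the local and peer /32 with what FRR holds as connected.

    redistributes_peer_only is True when 'redistribute connected' would announce the far-end
    address while the firewall's own tunnel address never shows up as a connected route.
    """
    findings = []
    routes = parse_frr_connected(route_text)
    for ifname, addr in parse_p2p_interfaces(ifconfig_text).items():
        local_pfx = f"{addr['local']}/{addr['prefixlen']}"
        peer_pfx = f"{addr['peer']}/{addr['prefixlen']}"
        connected = routes.get(ifname, [])
        findings.append({
            "interface": ifname,
            "local_prefix": local_pfx,
            "peer_prefix": peer_pfx,
            "connected_prefixes": connected,
            "redistributes_peer_only": peer_pfx in connected and local_pfx not in connected,
        })
    return findings


if __name__ == "__main__":
    for f in audit_vti_redistribution(IFCONFIG_SAMPLE, FRR_CONNECTED_SAMPLE):
        state = "PEER address only" if f["redistributes_peer_only"] else "local address present"
        print(f"{f['interface']}: local {f['local_prefix']}, peer {f['peer_prefix']}, "
              f"connected in FRR {f['connected_prefixes']} -> {state}")
```

Run against the FW3 output it reports that ipsec1000's only connected route is 172.16.31.1/32 (the peer) and that 172.16.31.2/32 never appears, which is exactly the mismatch described above. As a side note on the 0.0.0.12 Link Data in the router LSA: it matches the "index 12" shown by "sh int ipsec1000", and RFC 2328 specifies that for an unnumbered point-to-point link the Link Data field carries the interface's ifIndex rather than an IP address.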