OSPF via GRE/IPSec

Started by @Vorona, April 09, 2021, 12:32:18 AM

Hello!
I am trying to configure dynamic routing with MikroTik.
Now I have a working GRE tunnel between OPNsense and the RouterBoard.
After starting the OSPF instances I have correct routes on OPNsense. But on MikroTik I have routes without a gateway address and interface.


/routing ospf> neighbor print
0 instance=default router-id=172.26.0.1 address=100.100.100.41
   interface=vorona-gate priority=1 dr-address=0.0.0.0
   backup-dr-address=0.0.0.0 state="Full" state-changes=50 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=23m31s

Here we can see the address 100.100.100.41 (OPNsense).
But in the received routes I have:



Why don't I have a gateway address here?

Also, I don't have this route in the routing table for this reason.

configs:
Tik:
/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=172.16.117.0 name=area1
/routing ospf instance
set [ find default=yes ] router-id=172.16.117.1
/routing ospf interface
add passive=yes
add interface=vorona-gate network-type=point-to-point
/routing ospf network
add area=area1 network=100.100.100.40/30
add area=area1 network=172.16.117.0/24

Opensense:
frr version 7.4
frr defaults datacenter
hostname gate.vorona.su
log syslog
!
interface gre1
ip ospf area 172.16.117.0
!
interface vtnet1
ip ospf area 0.0.0.0
!
router ospf
ospf router-id 172.26.0.1
passive-interface vtnet1
!
ip prefix-list test seq 10 permit 172.26.0.0/28
!
line vty
!
end

The GRE interfaces have addresses from the 100.100.100.40/30 network.

What I'm doing wrong?

Have you asked at the Mikrotik forum in parallel? I think you should.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


What does a dump of the OSPF link state database look like on both ends? I don't know how to get that - I do OSPF in large networks with Cisco gear, only. But so I know OSPF and the database would be my first point to look.
Or maybe second point - additionally for a very first check: what does the equivalent of "show ip ospf neighbour" show on both sides?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Show neighbors:
At MikroTik:
> /routing ospf neighbor print
0 instance=default router-id=172.26.0.1 address=100.100.100.41
   interface=vorona-gate priority=1 dr-address=0.0.0.0
   backup-dr-address=0.0.0.0 state="Full" state-changes=19 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=8h28m11s
At opnsense:
# show ip ospf neighbor detail
Neighbor 172.16.117.1, interface address 100.100.100.42
    In the area 172.16.117.0 via interface gre1
    Neighbor priority is 1, State is Full, 5 state changes
    Most recent state change statistics:
      Progressive change 8h29m40s ago
    DR is 0.0.0.0, BDR is 0.0.0.0
    Options 2 *|-|-|-|-|-|E|-
    Dead timer due in 34.152s
    Database Summary List 0
    Link State Request List 0
    Link State Retransmission List 0
    Thread Inactivity Timer on
    Thread Database Description Retransmision off
    Thread Link State Request Retransmission on
    Thread Link State Update Retransmission on

Show links:
MikroTik:
> /routing ospf lsa print detail
instance=default area=area1 type=router id=172.16.117.1
   originator=172.16.117.1 sequence-number=0x80000100 age=66 checksum=0x8785
   options="E" body=
     flags=
     links (type, id, data, metric)
         Point-To-Point 172.26.0.1 100.100.100.42 10
         Stub 100.100.100.40 255.255.255.252 10
         Stub 172.16.117.0 255.255.255.0 10

instance=default area=area1 type=router id=172.26.0.1 originator=172.26.0.1
   sequence-number=0x80000014 age=1481 checksum=0x224A options="E"
   body=
     flags=BORDER
     links (type, id, data, metric)
         Point-To-Point 172.16.117.1 0.0.0.8 10

instance=default area=area1 type=summary-network id=172.26.0.0
   originator=172.26.0.1 sequence-number=0x80000012 age=1411 checksum=0x6C56
   options="E" body=
     netmask=255.255.255.240
     metric=10


Opnsense:
# show ip ospf database router

       OSPF Router with ID (172.26.0.1)


                Router Link States (Area 0.0.0.0)

  LS age: 1715
  Options: 0x2  : *|-|-|-|-|-|E|-
  LS Flags: 0x3
  Flags: 0x1 : ABR
  LS Type: router-LSA
  Link State ID: 172.26.0.1
  Advertising Router: 172.26.0.1
  LS Seq Number: 80000014
  Checksum: 0x22cb
  Length: 36

   Number of Links: 1

    Link connected to: Stub Network
     (Link ID) Net: 172.26.0.0
     (Link Data) Network Mask: 255.255.255.240
      Number of TOS metrics: 0
       TOS 0 Metric: 10



                Router Link States (Area 172.16.117.0)

  LS age: 211
  Options: 0x2  : *|-|-|-|-|-|E|-
  LS Flags: 0x6
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 172.16.117.1
  Advertising Router: 172.16.117.1
  LS Seq Number: 80000100
  Checksum: 0x8785
  Length: 60

   Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 172.26.0.1
     (Link Data) Router Interface address: 100.100.100.42
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Net: 100.100.100.40
     (Link Data) Network Mask: 255.255.255.252
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Net: 172.16.117.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10


  LS age: 1625
  Options: 0x2  : *|-|-|-|-|-|E|-
  LS Flags: 0x3
  Flags: 0x1 : ABR
  LS Type: router-LSA
  Link State ID: 172.26.0.1
  Advertising Router: 172.26.0.1
  LS Seq Number: 80000014
  Checksum: 0x224a
  Length: 36

   Number of Links: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 172.16.117.1
     (Link Data) Router Interface address: 0.0.0.8
      Number of TOS metrics: 0
       TOS 0 Metric: 10


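In the router-LSA dumps above, the link that 172.26.0.1 advertises towards 172.16.117.1 carries 0.0.0.8 in its Link Data field, while 172.16.117.1 advertises its real interface address 100.100.100.42. RFC 2328, section 12.4.1.1, defines the Link Data of a point-to-point link as the interface IP address when the link is numbered and as the interface's MIB-II ifIndex when it is unnumbered, so 0.0.0.8 reads as "ifIndex 8" rather than an address, and a neighbour that expects an address there has nothing to install as a gateway. Whether that is the cause of the missing gateway in this thread is not confirmed by the posts; the following script, added here as an example and not part of the thread, FRR or RouterOS, parses an FRR `show ip ospf database router` dump (the area 172.16.117.0 part of the output above, embedded inline) and reports which advertising routers describe their point-to-point links without a usable next-hop address. The 0.0.0.0/8 heuristic for recognising an ifIndex is an assumption of this example.

```python
"""Spot unnumbered point-to-point links in an FRR 'show ip ospf database router' dump.

Added example; not code from the forum thread, FRR or MikroTik RouterOS.
RFC 2328 12.4.1.1: for a point-to-point link the Link Data field holds the
interface IP address (numbered link) or the interface's MIB-II ifIndex
(unnumbered link).  A neighbour expecting an address cannot derive a next hop
from an ifIndex, so the route it computes has no gateway.
"""
import ipaddress
import re

# Excerpt of the router-LSA dump posted in the thread (area 172.16.117.0),
# embedded here as constructed sample input so the script runs offline.
SAMPLE_LSDB = """\
                Router Link States (Area 172.16.117.0)

  LS age: 211
  Link State ID: 172.16.117.1
  Advertising Router: 172.16.117.1

   Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 172.26.0.1
     (Link Data) Router Interface address: 100.100.100.42
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Net: 100.100.100.40
     (Link Data) Network Mask: 255.255.255.252
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Net: 172.16.117.0
     (Link Data) Network Mask: 255.255.255.0
       TOS 0 Metric: 10


  LS age: 1625
  Link State ID: 172.26.0.1
  Advertising Router: 172.26.0.1

   Number of Links: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 172.16.117.1
     (Link Data) Router Interface address: 0.0.0.8
       TOS 0 Metric: 10
"""

_ADV_RE = re.compile(r"^\s*Advertising Router:\s*(\S+)")
_LINK_RE = re.compile(r"^\s*Link connected to:\s*(.+?)\s*$")
_ID_RE = re.compile(r"^\s*\(Link ID\).*?:\s*(\S+)")
_DATA_RE = re.compile(r"^\s*\(Link Data\).*?:\s*(\S+)")
_METRIC_RE = re.compile(r"^\s*TOS 0 Metric:\s*(\d+)")

# Assumption of this example: an ifIndex is a small integer, so rendered as a
# dotted quad it always falls in 0.0.0.0/8, which is never an interface address.
_IFINDEX_NET = ipaddress.ip_network("0.0.0.0/8")


def parse_router_lsas(text):
    """Return {advertising_router: [link, ...]}, link = dict(kind, id, data, metric)."""
    lsas, router, link = {}, None, None
    for line in text.splitlines():
        if m := _ADV_RE.match(line):
            router, link = m.group(1), None   # new LSA: forget the previous link
            lsas.setdefault(router, [])
            continue
        if (m := _LINK_RE.match(line)) and router is not None:
            desc = m.group(1)
            kind = "p2p" if "point-to-point" in desc else "stub" if "Stub" in desc else "other"
            link = {"kind": kind, "id": None, "data": None, "metric": None}
            lsas[router].append(link)
            continue
        if link is None:
            continue
        if m := _ID_RE.match(line):
            link["id"] = m.group(1)
        elif m := _DATA_RE.match(line):
            link["data"] = m.group(1)
        elif m := _METRIC_RE.match(line):
            link["metric"] = int(m.group(1))
    return lsas


def stub_networks(links):
    """Networks the router advertises as stub links (Link ID = net, Link Data = mask)."""
    return [ipaddress.ip_network(f"{l['id']}/{l['data']}", strict=False)
            for l in links if l["kind"] == "stub" and l["id"] and l["data"]]


def classify_p2p_links(lsas):
    """(router, neighbour, link_data, status) for every point-to-point link.

    'numbered'   : Link Data is an address inside one of the router's own stub networks
    'unnumbered' : Link Data looks like an ifIndex (RFC 2328 12.4.1.1), no next hop for peers
    'unverified' : an address, but not covered by any advertised stub network
    """
    out = []
    for router, links in lsas.items():
        nets = stub_networks(links)
        for l in links:
            if l["kind"] != "p2p" or not l["data"]:
                continue
            addr = ipaddress.ip_address(l["data"])
            if any(addr in n for n in nets):
                status = "numbered"
            elif addr in _IFINDEX_NET:
                status = f"unnumbered(ifindex={int(addr)})"
            else:
                status = "unverified"
            out.append((router, l["id"], l["data"], status))
    return out


def routers_without_next_hop(lsas):
    """Advertising routers whose p2p links give neighbours no gateway address."""
    return sorted({r for r, _, _, s in classify_p2p_links(lsas) if s.startswith("unnumbered")})


if __name__ == "__main__":
    parsed = parse_router_lsas(SAMPLE_LSDB)
    for router, nbr, data, status in classify_p2p_links(parsed):
        print(f"{router} -> {nbr}: link data {data}: {status}")
    print("routers advertising no next-hop address:", routers_without_next_hop(parsed))
```

Run against the dump above it flags 172.26.0.1 (link data 0.0.0.8, i.e. ifIndex 8) and accepts 172.16.117.1 (100.100.100.42 lies inside its own stub 100.100.100.40/30). The same check can be pointed at a fresh `vtysh -c "show ip ospf database router"` dump after a configuration change to confirm that both ends of the tunnel now advertise an address.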

What does default area "area1" on a Mikrotik mean? That should be area 0. Or 0.0.0.0 - one and the same, just a 32 bit value.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=172.16.117.0 name=area1

area1 is just the local name (description) of the area in the config. The area configured at MikroTik is 172.16.117.0, at OPNsense the backbone (0.0.0.0). In the BB area is the network 172.26.0.0/28. In area 172.16.117.0 are the networks 172.16.117.0/24 and 100.100.100.40/30 (the GRE tunnel's network).

You need to set the area to 0.0.0.0 on the Mikrotik. Two OSPF neighbours must share the same area on the link. Areas can only change when you cross routers, i.e.

router 1 ------ router 2 ------ router 3
         area 0          area 1


Router 2 would be called an area border router while routers 1 and 3 are autonomous system border routers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

And there is!

The one network directly attached to OPNsense is in the BB area. The network directly attached to MikroTik and the network between OPNsense and MikroTik are in another area. I know how OSPF works and I am supporting a big network on Cisco and Juniper hardware too, but this problem is new for me.

Quote from: @Vorona on April 13, 2021, 10:04:19 AM
The one network directly attached to OPNsense is in the BB area. The network directly attached to MikroTik and the network between OPNsense and MikroTik are in another area. I know how OSPF works and I am supporting a big network on Cisco and Juniper hardware too, but this problem is new for me.
Sorry, that wasn't obvious to me from your posts. In that case I am running out of ideas as well ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sadly...  :(

Maybe this is some bug in frr ospfd? I found a similar problem, but it was with the BGP protocol on an old OPNsense version.

Do you have a chance to use routed IPsec, where you don't need a GRE tunnel?

You cannot form an OSPF neighbour relation without a dedicated point-to-point link. That is one of the main reasons to use a tunnel interface.

But could you try to disable IPsec just for debugging purposes and try if OSPF works over GRE alone?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Isn't this the reason for route-based IPsec? A dedicated interface with a p2p address.

Quote from: mimugmail on April 13, 2021, 09:10:59 PM
Isn't this the reason for route-based IPsec? A dedicated interface with a p2p address.
Ah ... ok. Never used these. Traditional Kame IPsec doesn't have that feature. So you end up with GRE or IPIP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)