lz1dsb
Member Candidate
Topic Author
Posts: 226
Joined: Wed Aug 07, 2013 11:48 am

OSPF over IPIP tunnel with IPsec

Sat Apr 17, 2021 9:08 pm

Here's the situation:
1. I'm using IPIP tunnels between my routers which are encrypted with IPsec.
2. I'm doing this with the IPsec password option on the IPIP tunnel configuration and the default IPsec policies.
3. This works fine, and it has been working for years.
4. Recently I've changed the hardware for my router with hEX S, moved my old config and... the tunnels are up, traffic passes through them, but the OSPF neighbor relationship over the tunnels does not form.
5. All routers which terminate the IPIP tunnels are RouterOS based and have the same software version. It's just that hEX S device, that just does not want to form OSPF adjacency with its peers.

So, I dug further. I did a packet capture on one of the IPIP tunnel interfaces:
1. What I observe is that the local router (hEX S) is sending an OSPF Hello packet - fair enough...
2. The remote router is sending an OSPF Hello packet, and that's the tricky part - it lists the local router (the hEX S device) in its Active Neighbor field. Hence, it recognizes it as a neighbor.
3. The local router continues to send OSPF Hello packets but never lists anything in its Active Neighbor field.

How to resolve that?
/routing ospf instance
set [ find default=yes ] redistribute-bgp=as-type-1 router-id=10.1.1.82
/routing ospf interface
add disabled=yes
add interface=bridge-local passive=yes
add cost=9 interface=ovpn-router72-in network-type=point-to-point
add interface=ovpn-rtsf83-in network-type=point-to-point
add cost=20 interface=Tunnel-rtsf79 network-type=point-to-point
add cost=100 interface=Tunnel-rtkj25 network-type=point-to-point
add cost=7 interface=Tunnel-rtdp73 network-type=point-to-point
add interface=Tunnel-rtsf83 network-type=point-to-point
add cost=110 interface=Tunnel-rtkj22 network-type=point-to-point
add interface=loopback0 passive=yes
/routing ospf network
add area=backbone network=192.168.82.0/24
add area=backbone comment="OVPN Network" network=192.168.100.0/24
add area=backbone comment="Transit network to rtsf79.sotirov-bg.net" network=10.82.79.0/30
add area=backbone comment="Transit network to rtkj25.sotirov-bg.net" network=10.82.25.0/30
add area=backbone comment="Transit network to rtkj22.sotirov-bg.net" network=10.82.22.0/30
add area=backbone comment="OSPF Router-id" network=10.1.1.82/32
add area=backbone comment="Transit network to rtdp73.sotirov-bg.net" network=10.82.73.0/30
add area=backbone comment="Transit Network to rtsf83.sotirov-bg.net" network=10.82.83.0/30
 
lz1dsb
Member Candidate
Topic Author
Posts: 226
Joined: Wed Aug 07, 2013 11:48 am

Re: OSPF over IPIP tunnel with IPsec

Sat Apr 17, 2021 10:16 pm

I was able to actually trace down the issue.
It's the IP Firewall.
In the new configuration I've used the default IP Firewall settings with Interface lists. So I've used a LAN list which includes only the local LAN bridge interface. And at the end of the ruleset on the I've put to deny everything which is different from the LAN interface list - which does not include the Tunnel interfaces, which were not part of the interface list.

So thread closed.
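
One way to apply the fix described in the post above while keeping the input chain restrictive, as an added example and not the poster's actual configuration: accept only OSPF (IP protocol 89) from the tunnel interfaces instead of adding them to the LAN list. The tunnel names come from the OSPF configuration in the first post; the list name OSPF-TUNNELS is hypothetical, and the drop rule is assumed to carry the RouterOS default-configuration comment.

```routeros
# Added example. Assumes RouterOS v6 syntax, matching the OSPF config in the first post.

# The rule that silently drops inbound OSPF Hellos arriving on the tunnels
# (default-configuration form; the tunnels are not members of LAN):
#   /ip firewall filter
#   add chain=input action=drop in-interface-list=!LAN \
#       comment="defconf: drop all not coming from LAN"

# 1. Group the IPIP tunnels that carry OSPF in their own list
#    (hypothetical name), so they do not inherit everything LAN is allowed.
/interface list
add name=OSPF-TUNNELS comment="IPIP tunnels that carry OSPF"
/interface list member
add list=OSPF-TUNNELS interface=Tunnel-rtsf79
add list=OSPF-TUNNELS interface=Tunnel-rtkj25
add list=OSPF-TUNNELS interface=Tunnel-rtdp73
add list=OSPF-TUNNELS interface=Tunnel-rtsf83
add list=OSPF-TUNNELS interface=Tunnel-rtkj22

# 2. Accept only OSPF from those interfaces, placed above the final drop.
#    The find expression assumes the drop rule still has its default comment;
#    if it was renamed, move the new rule above the drop rule by hand.
/ip firewall filter
add chain=input action=accept protocol=ospf in-interface-list=OSPF-TUNNELS \
    comment="accept OSPF from IPIP tunnel peers" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. Check the result: the accept rule's packet counter should increase and
#    the neighbors on the tunnels should leave Init and reach Full.
/ip firewall filter print stats where chain=input
/routing ospf neighbor print
```

The one-way Hello seen in the capture is consistent with this cause: outbound Hellos leave through the output chain, while inbound Hellos hit the input-chain drop before OSPF sees them, so the local router never learns a neighbor to list.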
 
Bluewave
just joined
Posts: 3
Joined: Fri Apr 08, 2022 9:31 am

Re: OSPF over IPIP tunnel with IPsec

Fri Apr 08, 2022 9:33 am

Hi,

Can you PM me your configuration? We are trying to achieve the same objective of running OSPF in IPIP over IPsec, but we are stuck.
