OSPF w/Fortigate

General questions
, , , , , , , ,
1

I want to setup an ospf connection to a fortigate firewall.

This will be to use an IPSec tunnel on the FortiGate to another FortiGate.

I will also be running OSPF between the IPSec tunnel.

But in the meantime, I am wondering about the OSPF Config for VYOS’s side connected to both Fortigates to redistribute connected networks.


set interfaces ethernet eth0 address '10.10.91.2/24'
set interfaces ethernet eth1 address '10.10.92.1/24'
set interfaces ethernet eth2 address '10.10.93.1/24'
set policy route-map CONNECT rule 10 action 'permit'
set policy route-map CONNECT rule 10 action match interface 'eth1'
set policy route-map CONNECT rule 20 action 'permit'
set policy route-map CONNECT rule 20 action match interface 'eth2'
set protocols ospf area 11 network '10.10.91.0/24'
set protocols ospf area 11 network '10.10.92.0/24'
set protocols ospf area 11 network '10.10.93.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'shortcut'
set protocols ospf parameters router-id '10.10.91.2'
set protocols ospf redistribute connected metric-type '2'
set protocols ospf redistribute connected route-map 'CONNECT'
2

What is the actual question?

3

Am I missing something?

I want to share my connected networks with the Fortigate but nothing is being learned on the Fortigate.

4

My OSPF Config on the fortigate is also set to shortcut but yea something isn’t working quite right.

config router ospf
    set abr-type shortcut
    set router-id 10.10.91.1
    set restart-mode graceful-restart
    config area
        edit 0.0.0.11
        next
    end
    config ospf-interface
        edit "port3"
            set interface "port3"
            set network-type point-to-point
        next
    end
    config network
        edit 3
            set prefix 10.10.91.0 255.255.255.0
            set area 0.0.0.11
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
5 
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
C       10.10.10.1/32 is directly connected, p2p
S       10.10.10.2/32 [5/0] via p2p tunnel 10.10.50.2, [1/0]
C       10.10.50.0/24 is directly connected, port1
S       10.10.81.0/24 [10/0] via p2p tunnel 10.10.50.2, [1/0]
C       10.10.90.0/24 is directly connected, port2
C       10.10.91.0/24 is directly connected, port3
C       192.168.47.0/27 is directly connected, port4

Where as on vyos

vyos@vyos:~$ show ip route
Codes:	K - kernel route, C - connected, S - static, R - RIP,
		O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
		T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
		f - OpenFabric,
		> - selected route, * - FIB route, q - queued, r - rejected, b - backup
		t - trapped, o - offload failure
		
O	10.10.91.0/24 [110/1] is directly connected, eth0, weight 1, 3d23h25m
C>*	10.10.91.0/24 is directly connected, eth0, 5d00h14m
O	10.10.92.0/24 [110/1] is directly connected, eth1, weight 1, 3d22h56m
C>*	10.10.92.0/24 is directly connected, eth1, 5d22h56m
O	10.10.93.0/24 [110/1] is directly connected, eth2, weight 1, 3d22h56m
C>*	10.10.93.0/24 is directly connected, eth2, 5d22h56m

Like I said what am I missing in vyos i can switch ABR to cisco but in this instance, I’m just trying to share connected routes over ospf 11 with the FortiGate.

6

Just taking a step back here… obviously no adjacencies are being formed but just for basic t-shooting and as a second set of eyes. Are you seeing LSAs being flooded across the interfaces? Assuming no?

Not sure if this is feasible without crapping out the rest of your network but can you step everything back to a more simple setup (I know, not much else you can strike out… but for giggles)? Ditch any route-maps / filters, set your ABR type to cisco as you had mentioned earlier, etc.

If you [happen to] have another FG lying around it may be a good idea to throw it into a sandbox for goofing purposes.

7

The nice thing is this is a lab.

I am proving out ospf over ipsec tunnels and this isn’t working to begin with.

I’ll make these changes and pull the data. Thanks for responding. I also have a ticket with Fortigate but no one there has responded yet.

1 Like
8

So you should be able to do a tcpdump on the router and see those LSAs — I turned on ospf in my lab and just threw a subnet in for demo (nothing on other end):

tcpdump on vyos 
vyos@vyos# tcpdump -vni peth0 proto 89
tcpdump: listening on peth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:33:24.494553 IP (tos 0xc0, ttl 1, id 49002, offset 0, flags [none], proto OSPF (89), length 64)
    192.168.255.1 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 192.168.255.1, Area 0.0.0.11, Authentication Type: none (0)
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
          Designated Router 192.168.255.1
14:33:34.494627 IP (tos 0xc0, ttl 1, id 49003, offset 0, flags [none], proto OSPF (89), length 64)
    192.168.255.1 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 192.168.255.1, Area 0.0.0.11, Authentication Type: none (0)
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
          Designated Router 192.168.255.1
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

It’s been a while since I worked with an FG, pump out some debug:

debug commands to run on FG 
* get router info ospf status
* diagnose sniffer packet any "proto 89" 4
--or--
* diagnose ip router ospf all enable
* diagnose debug enable

If you aren’t seeing Hellos from either side then something bigger is wrong. Oh another “just for giggles” check the default timer settings for the ospf instance. I’ve seen conflicting information and videos where values were different and the video maker didn’t say whether he changed them ahead of time.

9

image
image1675×927 195 KB

It’s odd because vyos isn’t sharing the routes learned from the FG in the DB to the route table

image
image1620×554 132 KB

I pulled the route map out, abr-type ‘cisco’

I don’t see an option to change these options on the vyos side

This is my config options on FG pulled from ‘get router ospf’

abr-type            : cisco
auto-cost-ref-bandwidth: 1000
distance-external   : 110
distance-inter-area : 110
distance-intra-area : 110
database-overflow   : disable
database-overflow-max-lsas: 10000
database-overflow-time-to-recover: 300
default-information-originate: disable
default-information-metric: 10
default-information-metric-type: 2
default-information-route-map:
default-metric      : 10
distance            : 110
rfc1583-compatible  : disable
router-id           : 10.10.91.1
spf-timers          : 5 10
bfd                 : disable
log-neighbour-changes: enable
distribute-list-in  :
distribute-route-map-in:
restart-mode        : none
10

What’s happening in a tcpdump? Is there an actual exchange or are both blue in the face shouting hello? :slight_smile:

11

I see requests from both vyos and the fortigate.

image
image1700×854 170 KB

12

And it looks like the timers match.

13

Is there a command to set network point to point

I’m going through everything in ospf on FG and its just odd that its not setting routes in the routing table on vyos

14

you have different type of network (broadcast on VyOS / point-to-point on Fortinet) , try to configure

 set protocols ospf interface ethX network point-to-point
15

link with the different type of network

https://docs.vyos.io/en/latest/configuration/protocols/ospf.html#cfgcmd-set-protocols-ospf-interface-interface-network-type

16

image

I’m leaning back towards basics again… it’s probably something stupid being overlooked. If you don’t mind draw out your topology please. Then draw circles or squares labeling the backbone area along with the stub nets and/or NSSA nets that are connected.

Remember you set abr-type back to cisco so a backbone would be required.

Is the FG (10.10.81.1 / 10.10.91.1 ) a part of the backbone area? Your tcpdump only showed snippets of comms involving area 11, was expecting to see the backbone in the mix.

17

another point is the area , it’s wrong on VyOS based on Forinet area , it should be something like this :

set protocols ospf area 0.0.0.11

check if you can change those parameters.

18

I was wondering about that, technically area 0.0.0.x == area x but wasn’t sure how pedantic either side was about things.

My lab config is area 11 but the tcpdump shows 0.0.0.11

image

image
image1103×302 13.4 KB

19

could be affected when use decinal notation in fortine. I think it should work as expected with these changes.

1 Like
20

Ok, that was it the network point-to-point was missing GRRR took way too long and dealing with Fortigate to figure out why the ospf routes were not redistributing over an IPSec tunnel added more to my problems.

I’ll post my full configs in the next response and point out what i was missing

2 Likes