Skip to main content

OSPF over IPsec tunnel (ASA ikev1)

Today I would like to set up a VPN tunnel between two ASAs with capability of sending OSPF packets over the IPsec tunnel. I know there are similar examples available on the Internet but I would like to check if there are any problems during the implementation.

         4.4.4.0/24        7.7.7.0/24        5.5.5.0/24

  /----\ .1     .10 -----  .1      .2 -----  .10      .2/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----             -----             \----/

                        |<-----VPN----->|

The basic configuration:

R1:
 
!
hostname r1
!
interface GigabitEthernet0/0
 ip address 4.4.4.1 255.255.255.0
 no sh
!
router ospf 200
 network 4.4.4.0 0.0.0.255 area 0
!

R2:
 
!
hostname r2
!
interface GigabitEthernet0/0
 ip address 5.5.5.2 255.255.255.0
 no sh
!         
router ospf 100
 log-adjacency-changes
 network 5.5.5.0 0.0.0.255 area 0
!

ASA1:
 
!
hostname asa1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.1 255.255.255.0 
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 4.4.4.10 255.255.255.0 
 no sh
!
router ospf 150
 network 4.4.4.0 255.255.255.0 area 0
 network 7.7.7.0 255.255.255.0 area 0
 log-adj-changes
!

ASA2:
 
!
hostname asa2
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.2 255.255.255.0 
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 5.5.5.10 255.255.255.0 
 np sh
!
router ospf 250
 network 5.5.5.0 255.255.255.0 area 0
 network 7.7.7.0 255.255.255.0 area 0
 log-adj-changes
!

Let’s check if OSPF works fine:
 
r1#sh ip ospf neighbor        

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.10          1   FULL/BDR        00:00:39    4.4.4.10        GigabitEthernet0/0
r1#

asa1# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/DR         0:00:30     7.7.7.2         outside
4.4.4.1           1   FULL/DR         0:00:31     4.4.4.1         inside
asa1# 

asa2# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.10          1   FULL/BDR        0:00:38     7.7.7.1         outside
5.5.5.2           1   FULL/DR         0:00:37     5.5.5.2         inside
asa2# 

r2#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/BDR        00:00:36    5.5.5.10        GigabitEthernet0/0
r2#

As we see above all devices see their neighbors. Before I start VPN implementation I check if routing tables are correct.

R1:
 
r1#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        4.4.4.0/24 is directly connected, GigabitEthernet0/0
L        4.4.4.1/32 is directly connected, GigabitEthernet0/0
      5.0.0.0/24 is subnetted, 1 subnets
O        5.5.5.0 [110/21] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
      7.0.0.0/24 is subnetted, 1 subnets
O        7.7.7.0 [110/11] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
r1#

R2:
 
r2#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      4.0.0.0/24 is subnetted, 1 subnets
O        4.4.4.0 [110/21] via 5.5.5.10, 00:35:07, GigabitEthernet0/0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        5.5.5.0/24 is directly connected, GigabitEthernet0/0
L        5.5.5.2/32 is directly connected, GigabitEthernet0/0
      7.0.0.0/24 is subnetted, 1 subnets
O        7.7.7.0 [110/11] via 5.5.5.10, 00:37:54, GigabitEthernet0/0
r2#

ASA1:
 
asa1# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    4.4.4.0 255.255.255.0 is directly connected, inside
O    5.5.5.0 255.255.255.0 [110/20] via 7.7.7.2, 0:37:26, outside
C    7.7.7.0 255.255.255.0 is directly connected, outside
asa1# 

ASA2:
 
asa2# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O    4.4.4.0 255.255.255.0 [110/20] via 7.7.7.1, 0:38:09, outside
C    5.5.5.0 255.255.255.0 is directly connected, inside
C    7.7.7.0 255.255.255.0 is directly connected, outside
asa2# 

Ok, I’m ready to start configuring the VPN:

1) definition of 1st phase:
 
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto ikev1 enable outside

and 2nd:
 
 crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac 

Now I define what traffic between LAN1 and LAN2 should be encrypted:

ASA1:
 
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 

and ASA2:
 
access-list VPN extended permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0 

Now, I configure tunnel groups:

ASA1:
 
tunnel-group 7.7.7.2 type ipsec-l2l
tunnel-group 7.7.7.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

and ASA1:
 
tunnel-group 7.7.7.1 type ipsec-l2l
tunnel-group 7.7.7.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

and crypto map:

ASA1:
 
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.2 
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside

and ASA2:
 
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.1 
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside

Let’s test the tunnel:
 
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#

asa1# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 7.7.7.2
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
asa1# sh crypto ips     
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 
      local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
      current_peer: 7.7.7.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 86047244
      current inbound spi : 8B36069C

    inbound esp sas:
      spi: 0x8B36069C (2335573660)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28778)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x86047244 (2248438340)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28778)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

Ok, the tunnel is working fine but the OSPF traffic is not sent over the tunnel. Let’s add new ACE to
VPN ACL:

ASA1:
 
access-list VPN extended permit ospf interface outside host 7.7.7.2 

and ASA2:
 
access-list VPN extended permit ospf interface outside host 7.7.7.1

Now we have to change way how OSPF sends packets:
 
interface Ethernet0/0
  ospf network point-to-point non-broadcast
!

because we disabled broadcast for OSPF I have to specify where the neighbor is located:

ASA1:
 
router ospf 150
 neighbor 7.7.7.2 interface outside

ASA2:
 
router ospf 250
 neighbor 7.7.7.1 interface outside

Now I clear the OSPF process and then I check what is the OSPF status:
 
asa1# clear ospf process 

ASA1:
 
asa1# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/  -        0:00:37     7.7.7.2         outside
4.4.4.1           1   FULL/DR         0:00:37     4.4.4.1         inside
asa1# 

As we see ASA1 has a relationship with ASA2 but let’s confirm the packets are sent over the tunnel:
 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ospf interface outside host 7.7.7.2 
      local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
      current_peer: 7.7.7.2

      #pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
      #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 80, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E6E0B851
      current inbound spi : 0C02D13A

    inbound esp sas:
      spi: 0x0C02D13A (201511226)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914994/28103)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE6E0B851 (3873486929)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914994/28103)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

Let’s test once again ping from R1 to R2:
 
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#

asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 
      local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
      current_peer: 7.7.7.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 77D43B99
      current inbound spi : 8B7F07B0

    inbound esp sas:
      spi: 0x8B7F07B0 (2340358064)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28752)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x77D43B99 (2010397593)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28752)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ospf interface outside host 7.7.7.2 
      local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
      current_peer: 7.7.7.2

      #pkts encaps: 90, #pkts encrypt: 91, #pkts digest: 91
      #pkts decaps: 90, #pkts decrypt: 90, #pkts verify: 90
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 91, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E6E0B851
      current inbound spi : 0C02D13A

    inbound esp sas:
      spi: 0x0C02D13A (201511226)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914993/28005)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE6E0B851 (3873486929)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914993/28003)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

We see two SAs: the first for IP traffic and second for OSPF (one per each access-list entry).

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...