How to inject "classic" IPSec VPN routes into OSPF
Apologies if this is already a well-known thing, but I failed to find info about it when I was researching it.
I was looking at how a firebox could inject "classic" IPSec routes into OSPF, so that the rest of our network could use the routes, rather than having to declare them as static routes on internal routers behind the firebox. This is easy for BOVPN virtual interfaces, but appears not to be a supported option for "classic" VPNs, as the remote end of the VPN isn't seen as a connected network for inclusion in the OSPF calculations.
The Status Report section of System Manager shows the network at the far end of the VPN in the "Run-time IPSec Routes" section, with the "Out Interface" being the physical interface of the external connection.
Static routes on the firebox can be injected into the OSPF table using the "redistribute static" command in the OSPF configuration.
On the firebox, I configured a static route to the far end of the VPN via the default gateway of the external interface. This did not affect the routing down the VPN within the firebox, and the traffic for the remote end of the VPN continued being sent down the IPSec tunnel.
The result is a static route to the VPN destination that can be injected into OSPF which doesn't affect how the Firebox handles the VPN traffic. (I used a route map to control which static routes get redistributed, but this isn't necessary if all your static routes should be injected into OSPF.)
The internal routers now see the "classic" VPN destinations in the OSPF tables and there is no longer the need to configure the static routes within the internal network. The route seen in OSPF isn't via the external default gateway, but via the firebox itself. (The routes you see on the routers connected to the firebox will show via the firebox, and for the routers behind the routers connected to the firebox, you will see the route via the connected router, etc.)
How useful this is depends on your network, but for ours, this ability to have the routes in the OSPF tables has been extremely helpful.
Hopefully this info will be useful for someone else.
James
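
The OSPF side of the setup described in the post, as an added example that is not part of the original post: it redistributes only the VPN destination through a route map, so that no other static route on the firebox is advertised to the internal routers. It assumes the firebox's OSPF configuration accepts Quagga-style syntax; the prefixes and the names VPN-REMOTE and VPN-TO-OSPF are constructed placeholders.

```text
! Added example, not the poster's configuration.
! Constructed values: 10.50.0.0/24 stands in for the network at the far end
! of the "classic" IPSec VPN, 10.0.1.0/24 for the internal network on which
! the firebox runs OSPF.
!
! Prerequisite, configured in the firebox's static routes and not in this
! file: a static route to 10.50.0.0/24 via the default gateway of the
! external interface.
!
! Match only the VPN destination.
access-list VPN-REMOTE permit 10.50.0.0/24
!
! Static routes that do not match fall through to the route map's implicit
! deny and are not redistributed.
route-map VPN-TO-OSPF permit 10
 match ip address VPN-REMOTE
!
router ospf
 network 10.0.1.0/24 area 0.0.0.0
 redistribute static route-map VPN-TO-OSPF
```

After applying it, check that the internal routers learn 10.50.0.0/24 as an OSPF external route via the firebox, and that "Run-time IPSec Routes" in the Status Report still lists the destination.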