Hi!
I'm trying to setup OSPF between a Juniper SRX 345 and a CCR2116 over IPSEC. I managed to have IPSEC and GRE working. Each device can ping each other over GRE interface and ipsec tunnel ends.
The issue I have is OSPF doesn't detect any neighbour.
/routing ospf instance
The SRX has st0.0 and nterface gr-0/0/0.1 as interfaces in the area and is already doing routing with other routers properly.
does ospf allowed by firewall?
pimmie
April 14, 2024, 8:55am
3
Have you tried setting the interface template for the gre interface to a network type of ptp-unnumbered instead of just ptp? Have no xp with Juniper, but that resolved it for me a couple of times. Even though the neighbour did have an IP address and each device could ping each other’s GRE-tunnel ip
Thank you for your help, I finally worked around it by using wireguard.
If you’re willing to give a second shot, here is my lab setup.
Mikrotik: external 10.0.0.2, loopback 10.255.255.1/32, tunnel 10.255.254.1/30
Mikrotik configuration (relevant bits)
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp1536 enc-algorithm=aes-256,aes-128 name=tunnel_profile nat-traversal=no
/ip ipsec peer
add address=10.0.1.2/32 comment="IPSEC to cisco" local-address=10.0.0.2 name=cisco profile=tunnel_profile
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1h name=aesshag5
/ip ipsec identity
add peer=cisco secret=XXXXXXXX
/ip ipsec policy
add dst-address=10.255.255.2/32 peer=cisco proposal=aesshag5 src-address=10.255.255.1/32 tunnel=yes
/interface gre
add allow-fast-path=no comment="GRE to Cisco" local-address=10.255.255.1 mtu=1400 name=Tunnel0 remote-address=\
10.255.255.2
/routing id
add comment="Router ID" disabled=no id=10.255.255.1 name=main-int
/routing ospf instance
add disabled=no name=ospf1 router-id=main-int
/routing ospf area
add comment="Backbone Area" disabled=no instance=ospf1 name=backbone
/routing ospf interface-template
add area=backbone disabled=no interfaces=Tunnel0 type=ptp
add area=backbone disabled=no interfaces=bridge passive
Cisco configuration (relevant bits)
crypto keyring ipsec_keyring
pre-shared-key address 10.0.0.2 key XXXXXXX
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp profile for_vti
keyring ipsec_keyring
self-identity address
match identity address 10.0.0.2 255.255.255.255
local-address 10.0.1.2
!
crypto keyring ipsec_keyring
pre-shared-key address 10.0.0.2 key tunnel_profile
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp profile for_vti
keyring ipsec_keyring
self-identity address
match identity address 10.0.0.2 255.255.255.255
local-address 10.0.1.2
!
ip access-list extended ipsec_tun
permit ip host 10.255.255.2 host 10.255.255.1
!
interface Tunnel0
ip address 10.255.254.2 255.255.255.252
ip mtu 1400
ip ospf 1 area 0
tunnel source Loopback0
tunnel destination 10.255.255.1
!
router ospf 1
router-id 10.255.255.2
log-adjacency-changes
!
OSPF Status as seen from the Mikrotik
[jeff@router1] > /routing/ospf/neighbor/print
Flags: V - virtual; D - dynamic
0 D instance=ospf1 area=backbone address=10.255.254.2 router-id=10.255.255.2 state="Full" state-changes=6
adjacency=2d20h46m43s timeout=35s
OSPF Status as seen from the Cisco
routerB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.255.255.1 0 FULL/ - 00:00:39 10.255.254.1 Tunnel0