OSPF over GRE Tunnel

Hello there!

Yesterday I tried to add a remote site to our main backbone to be able to route all traffic of the remote site over our main backbone so our clients get public IP from our assigned pool.
We use OSPF on our backbone so I thought it would be nice to use it over the VPN / tunnel.

What I have done:

Main site public IP: 1.1.1.1
Main site loopback: 10.0.0.2
Remote site public IP: 2.2.2.2
Remote site loopback: 10.0.0.15

  1. Create GRE tunnel using the public IPs
  2. Secure the tunnel using IPSec.
  3. Create a /30 network over the GRE interface

Main site 10.2.0.1/30
Remote site 10.2.0.2/30

  4. Add the network on the OSPF interface on both routers.

Main site distributes:
default route if installed
connected routes
static routes
other ospf routes
Remote site distributes:
connected routes

OSPF starts running, the neighbour appears, the routes appear in the table, but then the GRE interface goes down.
When this happens the DAC 10.2.0.0/30 route with 0 distance created by adding the IP on the GRE interface changes to DAo route with 255 distance so it goes down.


What I have tried:
filter the 10.2.0.0/30 on both OSPF instances
filter the 0.0.0.0/0 route on the remote site
add Sham Link using the loopback address
stop sending connected routes from the remote site.

Nothing worked so I guess I’m missing something but I don’t know what.

I need advice on this, please :)

Thanks!

In situations like this you must always check if the default route installed by the routing protocol does not disturb
the path needed for the GRE tunnel to reach the other end. You may need to install a fixed route in the table
for the system to reach its neighbor on the internet (add route for public address of main site via ISP gateway),
or you could use policy routing (ip->route->rules) to set up a separate routing table for this traffic.
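
The check described in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup over constructed active-route tables for the remote site, showing when GRE outer packets to the main site's public address would be routed into the tunnel itself, and how a fixed /32 route via the ISP side prevents it. The interface names `ether1` and `gre1`, and the assumption that the OSPF-learned default becomes the active default on the remote site, are hypothetical.

```python
import ipaddress

def egress(active_routes, dst):
    """Longest-prefix match over (prefix, interface) pairs; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in active_routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def tunnel_routes_into_itself(active_routes, tunnel_iface, remote_endpoint):
    """True when the GRE outer packets toward remote_endpoint would leave via the tunnel."""
    return egress(active_routes, remote_endpoint) == tunnel_iface

MAIN_PUBLIC = "1.1.1.1"  # main site public IP, from the thread

# Constructed active-route tables for the remote site (one entry per active prefix).
BEFORE_OSPF = [
    ("0.0.0.0/0", "ether1"),     # default via the ISP (interface name assumed)
    ("10.2.0.0/30", "gre1"),     # connected /30 on the GRE interface
]
AFTER_OSPF = [
    ("0.0.0.0/0", "gre1"),       # assumed: the OSPF-learned default is now active
    ("10.2.0.0/30", "gre1"),
]
WITH_HOST_ROUTE = AFTER_OSPF + [
    ("1.1.1.1/32", "ether1"),    # fixed route for the tunnel endpoint via the ISP gateway
]

if __name__ == "__main__":
    for name, table in [("before OSPF", BEFORE_OSPF),
                        ("after OSPF", AFTER_OSPF),
                        ("with /32 host route", WITH_HOST_ROUTE)]:
        state = "LOOP" if tunnel_routes_into_itself(table, "gre1", MAIN_PUBLIC) else "ok"
        print(f"{name:22} endpoint via {egress(table, MAIN_PUBLIC)} -> {state}")
```

With the host route in place, only the tunnel endpoint is pinned to the ISP path; all other destinations still follow the default learned over the tunnel.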

One problem solved!
New one appeared:
“Database Description packet has different master status flag”

Routes come up, after a few seconds this message appears on the log and the routes go down.

I’ve read that this can happen on an unreliable link, but I’m using ethernet and the VPN seems to work fine. I tried disabling the IPSec policy but I also get this error.

Any experience with this?

Thanks!

Sorry not me, I use BGP for this purpose.

Hello, I’m now learning about BGP and GRE tunnels; any further info would be much appreciated.

BGP for all internal routing or BGP for remote sites that need to be routed to a main site?
We had hoped to use OSPF for our internal network and then use BGP with our providers. I’m not familiar with BGP (not that I’m an expert in OSPF, jejeje).

Thanks for the input!

I use BGP for routing our internal networks via GRE/IPsec and L2TP/IPsec tunnels, using the default private AS number.
(so not related to using BGP on the internet, I just have normal internet connections where everything is routed by the ISP)
I never tried OSPF as it appears to be so much more complicated to set up…

gtik; ensure firewall filter or NAT rules aren’t affecting the OSPF traffic between the two sites.