OSPF over dynamic IPsec VPN (Expert)

The 6 smaller sites are doing VPN with static routes pointing to the host. It is good for passing routing protocols across different sites but it doesn't provide security.


These packets are completely unencrypted while passing through the internet, which is insecure. To secure the traffic, an IPsec VPN tunnel will be configured as an added layer of security.

In the scenario, OSPF is used as the routing protocol. The following sections are covered: Configure the GRE tunnel. Log in to the console as an administrator and select 4.

Enter the following commands on both firewalls respectively. Configure the IPsec policy as shown below. The configuration provided here is just an example. The IPsec policy can be configured according to your organization's requirements. Click Save to save the IPsec connection. Click Save to save the IPsec policy. The button will turn green.

Keep in mind VPNs are over public internet space. You will want to make sure you use a password when creating neighbors. Also keep in mind that VPNs have a timeout value when no traffic is passed across the tunnel. Hellos should suffice, but make sure your VPN tunnels have a timeout value that corresponds with your design.

Just needs to be designed correctly from the beginning. Passwords are still a good idea, but not the end of the world. So you are merely running your protocols over a tunnel. Keep in mind that IPsec does not support multicast traffic. Can you elaborate on the unicast version of OSPF? When running unicast, you would need to manually configure the neighbors with the neighbor statement.

Just like we would in BGP.

2. Configuring OSPF in FortiGate 1