
Tip: Non-OSPF traffic can also use the tunnel – Amer Networks E5Web GUI User Manual


2. Choose a random internal IP network

For each security gateway, we need to choose a random IP network using internal, private IPv4
addresses. For example, for security gateway A we could use the network 192.168.55.0/24.

This network is used just as a convenience with OSPF setup and will never be associated with a
real physical network.

3. Define an OSPF Interface for the tunnel

Define a cOS Core OSPF Interface object that has the IPsec tunnel as its Interface parameter.
Set the Type parameter to point-to-point and the Network parameter to the network chosen in
the previous step, 192.168.55.0/24.

This OSPF Interface tells cOS Core that any OSPF related connections to addresses within the
network 192.168.55.0/24 should be routed into the IPsec tunnel.

4. Define an OSPF Neighbor

Next, we must explicitly tell OSPF how to find the neighbouring OSPF router. Do this by defining
a cOS Core OSPF Neighbor object. This consists of a pairing of the IPsec tunnel (which is treated
like an interface) and the IP address of the router at the other end of the tunnel.

For the IPv4 address of the router, we simply use any single IP address from the network
192.168.55.0/24. For example, 192.168.55.1.

When cOS Core sets up OSPF, it will look at this OSPF Neighbor object and will try to send OSPF
messages to the IPv4 address 192.168.55.1. The OSPF Interface object defined in the previous step
tells cOS Core that OSPF related traffic to this IP address should be routed into the IPsec tunnel.

5. Set the Local IP of the tunnel endpoint

To finish the setup for security gateway A, two changes need to be made to the IPsec tunnel
setup on security gateway B. These are:

i. In the IPsec tunnel properties, the Local Network for the tunnel needs to be set to all-nets.
This setting acts as a filter for what traffic is allowed into the tunnel, and all-nets will allow all
traffic into the tunnel.

ii. In the routing section of the IPsec properties, the Specify address manually option needs
to be enabled and the IPv4 address used in this example, 192.168.55.1, needs to be entered (in
the CLI, OriginatorType is set to manual and the OriginatorIP is 192.168.55.1). This sets the
tunnel endpoint IP to 192.168.55.1 so that all OSPF traffic will be sent to security gateway
A with this source IP.

The result of doing this is to "core route" OSPF traffic coming from security gateway A; in other
words, the traffic is destined for cOS Core itself.

6. Repeat the steps for the other security gateway

What we have done so far is allow OSPF traffic to flow from A to B. The steps above need to be
repeated as a mirror image for security gateway B using the same IPsec tunnel but using a
different random internal IP network for OSPF setup.
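The mirrored setup in steps 2 to 6 is easy to get subtly wrong: the OSPF Neighbor address must fall inside the OSPF Interface network, the two gateways' internal networks must not overlap, and the OriginatorIP entered on one gateway must be exactly the neighbor address the other gateway sends OSPF to. The following Python checker, an added example that is not part of the manual and not a cOS Core tool, captures those rules so a configuration can be sanity-checked before it is applied. The GatewayConfig field names and the sample network 192.168.77.0/24 used for gateway B are assumptions constructed for the example; 192.168.55.0/24 and the all-nets and OriginatorType/OriginatorIP settings come from the text above.

```python
"""Consistency checks for a mirrored OSPF-over-IPsec setup (hypothetical helper, not cOS Core's)."""
from dataclasses import dataclass
import ipaddress
from typing import List

# cOS Core's all-nets object, expressed as a prefix for comparison purposes.
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class GatewayConfig:
    """The OSPF-over-tunnel settings of one security gateway (field names are assumed)."""
    name: str
    ospf_network: str          # step 2: internal network reserved for OSPF over the tunnel
    neighbor_ip: str           # step 4: address the OSPF Neighbor object points at
    tunnel_local_network: str  # step 5(i): Local Network of the IPsec tunnel ('all-nets' expected)
    originator_type: str       # step 5(ii): 'manual' when the endpoint IP is entered by hand
    originator_ip: str         # step 5(ii): OriginatorIP, the tunnel endpoint address


def _local_network_is_all_nets(value: str) -> bool:
    """Accept either the literal object name or the equivalent 0.0.0.0/0 prefix."""
    if value.strip().lower() == "all-nets":
        return True
    try:
        return ipaddress.ip_network(value, strict=False) == ALL_NETS
    except ValueError:
        return False


def check_gateway(gw: GatewayConfig) -> List[str]:
    """Return human-readable findings for one gateway; an empty list means no problems."""
    findings: List[str] = []
    net = ipaddress.ip_network(gw.ospf_network, strict=True)
    nbr = ipaddress.ip_address(gw.neighbor_ip)

    # Step 2: the convenience network must be an internal, private IPv4 range.
    if net.version != 4 or not net.is_private:
        findings.append(f"{gw.name}: OSPF network {net} is not a private IPv4 range")

    # Step 3/4: the neighbor address must be routable via the OSPF Interface network,
    # and must be a host address rather than the network or broadcast address.
    if nbr not in net:
        findings.append(f"{gw.name}: neighbor {nbr} is outside OSPF network {net}")
    elif nbr in (net.network_address, net.broadcast_address):
        findings.append(f"{gw.name}: neighbor {nbr} is not a usable host address in {net}")

    # Step 5(i): the tunnel must admit all traffic, not just one local network.
    if not _local_network_is_all_nets(gw.tunnel_local_network):
        findings.append(f"{gw.name}: tunnel Local Network must be all-nets, "
                        f"got {gw.tunnel_local_network!r}")

    # Step 5(ii): the endpoint address must be set manually for core routing to apply.
    if gw.originator_type.strip().lower() != "manual":
        findings.append(f"{gw.name}: OriginatorType must be manual, got {gw.originator_type!r}")
    return findings


def check_pair(a: GatewayConfig, b: GatewayConfig) -> List[str]:
    """Check both gateways plus the mirror-image rules that tie them together."""
    findings = check_gateway(a) + check_gateway(b)
    net_a = ipaddress.ip_network(a.ospf_network, strict=True)
    net_b = ipaddress.ip_network(b.ospf_network, strict=True)

    # Step 6: each side uses a different internal network for its OSPF setup.
    if net_a.overlaps(net_b):
        findings.append(f"OSPF networks {net_a} ({a.name}) and {net_b} ({b.name}) overlap")

    # Step 5(ii): the OriginatorIP on one gateway is the address the other gateway's
    # OSPF Neighbor object sends to, so that the traffic is core-routed on arrival.
    if b.originator_ip != a.neighbor_ip:
        findings.append(f"{b.name}: OriginatorIP {b.originator_ip} does not match "
                        f"{a.name}'s OSPF Neighbor address {a.neighbor_ip}")
    if a.originator_ip != b.neighbor_ip:
        findings.append(f"{a.name}: OriginatorIP {a.originator_ip} does not match "
                        f"{b.name}'s OSPF Neighbor address {b.neighbor_ip}")
    return findings


# Constructed sample: gateway A as described in the text, gateway B with an assumed
# second network (192.168.77.0/24) so the two sides do not overlap.
GATEWAY_A = GatewayConfig("gateway-A", "192.168.55.0/24", "192.168.55.1",
                          "all-nets", "manual", "192.168.77.1")
GATEWAY_B = GatewayConfig("gateway-B", "192.168.77.0/24", "192.168.77.1",
                          "all-nets", "manual", "192.168.55.1")

if __name__ == "__main__":
    for line in check_pair(GATEWAY_A, GATEWAY_B) or ["no findings"]:
        print(line)
```

Running the module on the constructed pair prints "no findings"; changing gateway B's OriginatorIP to any address other than 192.168.55.1 produces a mismatch finding, which is exactly the error that would silently stop OSPF adjacency from forming over the tunnel.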

Tip: Non-OSPF traffic can also use the tunnel

A VPN tunnel can carry both OSPF traffic as well as other types of traffic. There is no
requirement to dedicate a tunnel to OSPF traffic.

Chapter 4: Routing

317
