IPSEC on Tunnel interface cannot Receive Hello packet from OSPF Peer - Page 2

rajashajeelahmed · ‎04-03-2023

We have IPSEC tunnels between different DC and its working fine with static routing, For Dynamic routing i have configured OSPF in between them one end is Huawei and other end ISR4400, On Huawei end i can receive and send Hello packets but at ISR end i can only see Hello packet sent on Tunnel interface no Hello received. We have different VRF at ISR end. With tunnel interface we can run ospf over it? and secondly if i can send hello over esp why i cannot receive it .

interface Tunnel1
vrf forwarding xyz
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1350
ip ospf network point-to-point
ip ospf 600 area 0
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel vrf xyz
tunnel protection ipsec profile abc

MHM Cisco World · ‎04-05-2023

show ip ospf traffic <<- share this here if you can

Show crypto ipsec peer x.x.x.x detail

Waiting your reply.

Thanks

Kanan Huseynli · ‎04-04-2023

Hi,

are you sure Huawei configuration? Does it really send OSPF hello over tunnel?

Normally, OSPF is multicast based and IPSec does not support multicast. But if tunnel is ipsec ipv4 on Cisco, then it is supported.

However, I don't quite sure how it is implemented in Huawei (the another side). There is need to verify that huawei side sends OSPF hello.

On Cisco side (ISR) you may enable debug ip ospf hello ; debug ip ospf adjacency to see whether in background hello is received or not and verify configuration (debug shows why receiving hello is ignored)

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

rajashajeelahmed · ‎04-04-2023

Yes Kanan I can see Huawei end can send the Hello packets and can receive it too its state is in init. At cisco end we can only see Hello packet being sent on Tunnel interface no received at Cisco end. For Hello errors i could'nt see any packet i can hello sent only.

Kanan Huseynli · ‎04-05-2023

Hi,

how do you check for incoming OSPF packets? Maybe still at some level mtu mismatch happens. Enable ignore-mtu on tunnel interface of ISR and check. Command is " ip ospf mtu-ignore" .

If does not help, enable debug ip ospf adj and let's check for result (do ssh to ISR and enable terminal monitor with logging debug, don't use console). debug ip ospf hello is also useful command.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

rajashajeelahmed · ‎04-05-2023

Done mtu ignore on tunnel interface
in logs i can only see hello packets being sent over the tunnel, No logs for adjacency.

Kanan Huseynli · ‎04-05-2023

Maybe huawei side does not support OSPF over IPSec. Check its config guide for this scenario. And you may try to configure static neighbor or some configuration to map 224.0.0.5 to unicast IP (of course, if huawei supports such configs).

Try to ping from both tunnel: ping 224.0.0.5 source tunnelX

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

rajashajeelahmed · ‎04-04-2023

OSPF 600: SEND Packet. Interface: Tunnel30
Huawei end

Paw_Paw · ‎04-05-2023

As I know, IPSEC tunnel can not transport Multicast and OSPF is using multicast. For that you can use a GRE Tunnel (change the ipsec mode to GRE). In that case you are using ipsec over GRE.

MHM Cisco World · ‎04-05-2023

friend he not using IPsec he use SVTI. the tunnel mode is ipsec ipv4.
this type of tunnel can forward multicast.

rajashajeelahmed · ‎04-10-2023

It turns out Huawei only support IPSEC over GRE, It can receive the multicast Hello packet over tunnel but cannot send it back over the tunnel.

Georg Pauwen · ‎04-10-2023

Hello,

I have not followed the entire thread, but can you share the full (sanitized) Cisco and Huawei configurations ?

rajashajeelahmed · ‎04-11-2023

https://networkfindings.blogspot.com/2023/04/ospf-over-ipsec-between-huawei-firewall.html

MHM Cisco World · ‎04-11-2023

first thanks a lot for update us
the issue we not looking at Huawei that you mention that it send/receive hello message
me and @Kanan Huseynli ask you to make double check,
also the mode you use in huawei
Using a Virtual Tunnel Interface to Establish an IPSec Tunnel - AR500, AR510, AR531, AR550, and AR2500 V200R008 CLI-based Configuration Guide - VPN - Huawei
A virtual tunnel interface is a Layer 3 logical interface where the encapsulation protocol is GRE, mGRE, and IPSec. The device can provide the IPSec service for the virtual tunnel interface. All the packets routed to the virtual tunnel interface are protected by IPSec. The virtual tunnel interface can simplify IPSec parameters.
the read colour mode you must select for VTI

I dont think huawei not support mode IPsec IPv4

rajashajeelahmed · ‎04-11-2023

Tunnel was up and running OSPF adjacency was down. Huawei TAC said it that use GRE over IPSEC as alone IPSEC is not supporting multicast traffic and as we can see no Hello were sent over tunnel from Huawei end.

Kanan Huseynli · ‎04-12-2023

Hi,

did you try with GRE over IPSec option on your side? Remove "tunnel mode ipsec ipv4" and it will be gre tunnel (which is default)

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.