Solved: IPSec VPN Tunnel Breaks When OSPF is Applied

Wizard4777 · ‎09-22-2021

I am trying to configure OSPF for my remote sites to connect back to HQ. IPSec VPN tunnels are up and everything works fine until i apply OSPF at the HQ and the remote branches.

The branches seem to come on for 2 minutes and off for 3 minutes and so forth.

When I do a

show ip ospf neighb

command, it shows my remote branches with state as FULL/-. I don't know what that means and how to fix that too.

Wizard4777 · ‎03-02-2023

removed ospf and used rip and it all works fine

Thank you for your responses

View solution in original post

Georg Pauwen · ‎09-22-2021

Hello,

post the running configs of the HQ and one of the branch routers...

Wizard4777 · ‎09-22-2021

Everything works fine without OSPF, just on static routes. I just wanna know why when I put OSPF into the interfaces, the links go on and off.

Georg Pauwen · ‎09-23-2021

Hello,

do you have the configs ? Make sure you use VTIs and not crypto maps...

pman · ‎09-23-2021

Do you have a Point-to-Point GRE over IPsec configuration?

If so maybe because of recursive routing error message.
If not, suggest that you follow @Georg Pauwen instructions and post running-config

Wizard4777 · ‎09-23-2021

it is a point to point gre tunnel with ipsec

Georg Pauwen · ‎09-23-2021

Hello,

with VTIs, the configs should look something like this:

interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
description IPSec Tunnel to Site X
ip address 172.16.1.1 255.255.255.0
ip ospf network broadcast
ip ospf mtu-ignore
tunnel source GigabitEthernet0
tunnel mode ipsec ipv4
tunnel destination 100.100.100.2
tunnel protection ipsec profile IPSEC_PROFILE
!
router ospf 1
router-id 1.1.1.1
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0

pman · ‎09-23-2021

Hi,

1. check if the following log exist:

 % TUN-5-RECURDOWN

2. maybe a misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself (recursive routing)

3. A temporary instability caused by route flapping elsewhere in the network

in this case:

try to add this route:

ip route x.x.x.x 255.255.255.255

serial 0

- where x.x.x.x is the tunnel destination address (under interface tunnel configuration)

- and serial 0 is the interface that point to x.x.x.x address

references in case of recursive routing error:

https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html

in case of GRE Tunnel over IPsec with OSPF i attached this link which explains how to properly design the solution:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14381-gre-ipsec-ospf.html#t3

paul driver · ‎09-24-2021

Hello

Possible recursive routing, make sure the tunnel SIP/DIPs (source/destination ips) are not being advertised through the tunnels themselves, Also checked the ospf network types, on tunnel interfaces they should be point-to-point (p2p) however if hub/spoke design preferable set to possible broadcast/non broadcast types.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Wizard4777 · ‎03-02-2023

removed ospf and used rip and it all works fine

Thank you for your responses