ospf over ipsec

Hello All,

I am trying to understand how OSPF works over an IPsec tunnel, as OSPF uses multicast to discover neighbourship and IPsec does not support OSPF.

Some vendors now directly support OSPF over IPsec with an NBMA network, and I am trying to understand how the tunnel interface IP is carried over the IPsec tunnel.

1. On the tunnel interface we will configure a private IP, and this will not be configured as phase 2 interesting traffic.

2. How will IPsec handle reachability of this tunnel interface IP over the WAN links to form the OSPF neighbourship?


GRE over IPsec or IPsec over GRE is different from DMVPN (NBMA).

Can you elaborate more?

MHM

I am just trying to understand how IPsec will handle OSPF communication over point-to-point links.

As FortiGate or any other firewalls do not require GRE over IPsec for OSPF to run,

then how will traffic be handled for the OSPF neighbourship?

Hello mahende17feb@gmail.com 

When a firewall supports route-based VPN, it creates a virtual interface that acts like a normal point-to-point interface.

This enables OSPF to run natively over IPsec.

We have P2P communication, meaning OSPF treats the VTI as a point-to-point interface and uses unicast hellos to the neighbor's IP. So no multicast is needed; OSPF can work over unicast in that point-to-point mode you see on firewalls like FortiGate.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/632796/ospf-with-ipsec-vpn-for-network-redundancy


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

First, OSPF always uses multicast unless you use neighbor under OSPF.

Second,

Pure IPsec supports only unicast.

GRE over IPsec supports unicast and multicast.

New IPsec (VTI) supports unicast and multicast.

Other vendors surely use VTI, and hence OSPF multicast can work over the tunnel.

VTI is different from pure IPsec in that in pure IPsec we need to configure an ACL in the crypto map; in VTI there is no need, the traffic is routed via the tunnel (from here comes the name route-based VPN).

MHM

As FortiGate or any other firewalls do not require GRE over IPsec for OSPF to run.

Nor do Cisco devices, for example, that support VTI.

M02@rt37 Thanks for sharing the link.

I have gone through the link and it works fine.

So basically we do not need to configure phase 2 interesting traffic for OSPF over IPsec?

Interesting traffic will be taken based on routing?

mahende17feb@gmail.com 

You do not need to explicitly define OSPF or any protocol-specific traffic in the phase 2 selectors. This is because, in a route-based VPN, the firewall creates a VTI and handles encryption based on the routing table, not on manually defined selectors for each type of traffic. Any packet that is routed out via the tunnel interface is automatically encrypted by IPsec...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
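To make the difference between the two answers concrete, here is a small added model (not from the thread or any vendor) of the forwarding decision a policy-based gateway (crypto map with phase 2 selectors) and a route-based gateway (VTI, routing-table lookup) make for the same packets. The addresses, interface names and the `Packet` / `*_decision` helpers are constructed assumptions; the point it shows is that an OSPF hello to 224.0.0.5 or to the neighbor's tunnel IP never matches a selector but is still protected when it leaves via the VTI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OSPF_ALL_ROUTERS = "224.0.0.5"   # OSPF hello multicast group
PROTO_OSPF = 89                  # IP protocol number for OSPF

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    # Set when the sending process pins the egress interface itself,
    # as OSPF does for multicast hellos (they are not routed by destination).
    out_iface: Optional[str] = None

def policy_based_decision(pkt: Packet, selectors: List[Tuple[str, str]]) -> str:
    """Crypto-map style: protect only packets matching a phase 2 selector
    (src network, dst network); everything else goes out in the clear."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net in selectors:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return "encrypt"
    return "clear"

def lookup_egress(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) routes."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def route_based_decision(pkt: Packet, routes: List[Tuple[str, str]], vti: str) -> str:
    """VTI style: whatever egresses through the tunnel interface is protected,
    regardless of addresses or protocol; no selector list is consulted."""
    egress = pkt.out_iface or lookup_egress(pkt.dst, routes)
    return "encrypt" if egress == vti else "clear"

# Constructed topology: LAN 10.1.0.0/24 behind this gateway, 10.2.0.0/24 behind
# the peer, VTI "tunnel1" numbered 172.16.0.1/30 with the neighbor at 172.16.0.2.
SELECTORS = [("10.1.0.0/24", "10.2.0.0/24")]
ROUTES = [("10.2.0.0/24", "tunnel1"), ("172.16.0.0/30", "tunnel1"), ("0.0.0.0/0", "wan0")]
VTI = "tunnel1"

def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (policy-based, route-based) decisions for one packet."""
    return policy_based_decision(pkt, SELECTORS), route_based_decision(pkt, ROUTES, VTI)

if __name__ == "__main__":
    for p in (Packet("172.16.0.1", OSPF_ALL_ROUTERS, PROTO_OSPF, out_iface=VTI),
              Packet("172.16.0.1", "172.16.0.2", PROTO_OSPF),
              Packet("10.1.0.5", "10.2.0.7", 6), Packet("10.1.0.5", "203.0.113.9", 6)):
        print(p.dst, compare(p))
```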