How to create a Hub and Spoke Tunnel Interface VPN network with OSPF

03/26/2020 788 15007

DESCRIPTION:

This document explains how to create a Hub and Spoke VPN network architecture using Tunnel Interface and OSPF instead of  policy-based Site to Site VPN tunnels.

Dynamic Route-based VPN using Tunnel Interface and OSPF offers a greater flexibility as there is little to do if the network architecture changes. Adding a new Spoke will also be greatly simplified as all the existing spokes will automatically get the new network architecture using OSPF.

RESOLUTION:

Create VPN tunnel from the hub to both spokes under VPN | Settings.

We will first create the tunnel from the Hub to Spoke-1 with gateway IP address 1.1.211.2 in our example.

 Figure 1

Use a Police Type of Tunnel Interface instead of Site to Site, Enter the remote IP address, the shared secret and IKE Ids as per Figure 1

In the Advanced Options (Figure 3), it is important to enable “Allow Advanced Routing” as it will allow use of RIP or OSPF

Make similar configuration for the second VPN tunnel to Spoke 2 as shown in Figure 4, 5 and 6.

Figure 4

Figure 5

Figure 6

B- Spoke 1

 Figure 7

Figure 8

Figure 9

C- Spoke 2

Finally, figures 10, 11 and 12 show the configuration on Spoke 2

Figure 10

Figure 11

Figure 12

Once done, the tunnel should quickly be up and a Green LED will appear as show below (Figure 13) for the Hub

 Figure 13

Under Network | Routing, ensure you have activated the Advanced Routing Mode (Figure 14) and then configure OSPF for both VPN Tunnel Interface (Figure 15)

Figure 14

• Set OSPF mode to “Enabled”.
• Set "OSPF Router ID" to the X0 IP address. This value will need to be different on every router of your OSPF network otherwise OSPF neighborship may not be established.
• Enable Redistribute Connected Networks.
• Enable Redistribute Remote VPN Networks.
• Set "IP Borrowed From"  under “Global Unnumbered Configuration” as X1 IP.
• Set Remote IP Address as Spoke-1 X1 Interface IP address.

The Figure 15 show all this configuration

Figure 15

Make the same kind of configuration for the second Spoke VPN Tunnel Interface, as per Figure 16

Figure 16

The OSPF is now ready on the Hub but is still not synchronized, the red LED show that no neighbour have been detected as show on Figure 17

Figure 17

B- Spoke 1

Figure 18

C- Spoke 2

The configuration for Spoke 2 is shown in Figure 19

Figure 19

Once the entire OSPF configuration is finished, the OSPF neighborship will be established within few seconds and gren LED will appear on Network, Routing page as in Figure 20 for the Hub.

Figure 20

Figures 21, 22 and 23 Show the resultant routing table on respectively the Hub, Spoke 1 and Spoke 2

Figure 21

Figure 22

Figure 23

Creating Rules

Once neighborship is established and dynamic routes have been obtained, you need to create access rules in each site to allow traffic from one site to the other.

For example to allow traffic from the LAN zone to the remote sites, create the following access rules in the Hub and the Spokes.

Create the following access rules in the Hub:

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Spoke-1 Network.

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Spoke-2 Network.

To allow traffic from the remote sites to the LAN zone, create the following access rules:

• Zone: VPN to LAN
• Service: Any
• Source: Spoke-1 Network + Spoke-2 Network (Address Objects Group)
• Destination: LAN Subnets

To allow traffic from one Spoke to the other Spoke over the VPN, create the following access rules:

• Zone: VPN to VPN
• Service: Any
• Source: Spoke-1 Network
• Destination: Spoke-2 Network

• Zone: VPN to VPN
• Service: Any
• Source: Spoke-2 Network
• Destination: Spoke-1 Network

Likewise, in Spoke-1 create the following access rules

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Hub Network.

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Spoke-2 Network.

To allow traffic from the remote sites to the LAN zone, create the following access rules:

• Zone: VPN to LAN
• Service: Any
• Source: Spoke-2 Network + Hub Network (Address Objects Group)
• Destination: LAN Subnets

In Spoke-2 create the following access rules

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Hub Network.

• Zone: LAN to VPN
• Service: Any
• Source: LAN Subnets
• Destination: Spoke-1 Network.

To allow traffic from the remote sites to the LAN zone, create the following access rules:

• Zone: VPN to LAN
• Service: Any
• Source: Spoke-1 Network + Hub Network (Address Objects Group)
• Destination: LAN Subnets

Troubleshooting:

If the Tunnel Interface does not comes up:

Check the VPN Pre-shared Key, needs to be the same both sides of the tunnel

Check the IKE IDs, needs to be symmetrical (Local ID on site A is Remote ID on site B)

Check Proposal tab, needs to be the same on both side of the tunnel

If the OSPF neighborship cannot be established :

- Check the OSPF Router ID is different on every firewall

- Check the Unnumbered Global Configuration is correctly configured (Use the WAN or Public Interfaces)

See Also:

Implementing Hub and Spoke Site-to-Site VPN on SonicOS Enhanced