How to create a Hub and Spoke Tunnel Interface VPN network with OSPF
03/26/2020
DESCRIPTION:
This document explains how to build a Hub and Spoke VPN architecture using Tunnel Interface VPN policies and OSPF instead of policy-based Site to Site VPN tunnels.
Dynamic route-based VPN using Tunnel Interface and OSPF offers greater flexibility, as there is little to change when the network architecture changes. Adding a new Spoke is also greatly simplified: the existing Spokes learn the new networks automatically through OSPF.
RESOLUTION:
Creation of the Hub and Spoke VPN environment
A- Hub
Create VPN tunnels from the Hub to both Spokes under VPN | Settings.
We will first create the tunnel from the Hub to Spoke-1, whose gateway IP address is 1.1.211.2 in our example.
Under VPN | Settings, add a new policy.

Figure 1
Use a Policy Type of Tunnel Interface instead of Site to Site, then enter the remote gateway IP address, the shared secret and the IKE IDs as per Figure 1.

Figure 2
The Proposal options can be left at their defaults, as per Figure 2.

Figure 3
In the Advanced options (Figure 3), it is important to enable "Allow Advanced Routing", as this is what allows RIP or OSPF to run over the Tunnel Interface.
Make a similar configuration for the second VPN tunnel, to Spoke-2, as shown in Figures 4, 5 and 6.

Figure 4

Figure 5

Figure 6
B- Spoke 1
Figures 7, 8 and 9 show the configuration made on Spoke-1.

Figure 7

Figure 8

Figure 9
C- Spoke 2
Finally, Figures 10, 11 and 12 show the configuration on Spoke-2.

Figure 10

Figure 11

Figure 12
Once done, the tunnels should come up quickly and a green LED will appear, as shown below (Figure 13) for the Hub.

Figure 13
Creation of the OSPF network
A- Hub
Under Network | Routing, ensure that Advanced Routing Mode is enabled (Figure 14) and then configure OSPF on both VPN Tunnel Interfaces (Figure 15).

Figure 14
- Set OSPF mode to “Enabled”.
- Set "OSPF Router ID" to the X0 IP address. This value must be different on every router in your OSPF network, otherwise OSPF neighborship may not be established.
- Enable Redistribute Connected Networks.
- Enable Redistribute Remote VPN Networks.
- Set "IP Borrowed From" under "Global Unnumbered Configuration" to the X1 IP address.
- Set "Remote IP Address" to the Spoke-1 X1 interface IP address.
Figure 15 shows all of this configuration.

Figure 15
Make the same kind of configuration for the second Spoke VPN Tunnel Interface, as per Figure 16.

Figure 16
OSPF is now ready on the Hub but not yet synchronized; the red LED shows that no neighbour has been detected, as shown in Figure 17.

Figure 17
B- Spoke 1
Figure 18 shows the configuration made on Spoke-1.

Figure 18
C- Spoke 2
The configuration for Spoke 2 is shown in Figure 19

Figure 19
Once the entire OSPF configuration is finished, the OSPF neighborship will be established within a few seconds and a green LED will appear on the Network | Routing page, as in Figure 20 for the Hub.

Figure 20
Figures 21, 22 and 23 show the resulting routing tables on the Hub, Spoke-1 and Spoke-2 respectively.

Figure 21

Figure 22

Figure 23
Creating Rules
Once neighborship is established and dynamic routes have been learned, you need to create access rules at each site to allow traffic from one site to the other. The rules below use a Service of Any to keep the example simple; in production, restrict the Service to the protocols the sites actually need to exchange.
To allow traffic from the LAN zone to the remote sites, create the following access rules in the Hub:
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Spoke-1 Network.
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Spoke-2 Network.
To allow traffic from the remote sites to the LAN zone, create the following access rules:
- Zone: VPN to LAN
- Service: Any
- Source: Spoke-1 Network + Spoke-2 Network (Address Objects Group)
- Destination: LAN Subnets
To allow traffic from one Spoke to the other Spoke over the VPN, create the following access rules:
- Zone: VPN to VPN
- Service: Any
- Source: Spoke-1 Network
- Destination: Spoke-2 Network
- Zone: VPN to VPN
- Service: Any
- Source: Spoke-2 Network
- Destination: Spoke-1 Network
Likewise, in Spoke-1 create the following access rules:
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Hub Network.
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Spoke-2 Network.
To allow traffic from the remote sites to the LAN zone, create the following access rules:
- Zone: VPN to LAN
- Service: Any
- Source: Spoke-2 Network + Hub Network (Address Objects Group)
- Destination: LAN Subnets
In Spoke-2 create the following access rules:
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Hub Network.
- Zone: LAN to VPN
- Service: Any
- Source: LAN Subnets
- Destination: Spoke-1 Network.
To allow traffic from the remote sites to the LAN zone, create the following access rules:
- Zone: VPN to LAN
- Service: Any
- Source: Spoke-1 Network + Hub Network (Address Objects Group)
- Destination: LAN Subnets
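The rule tables above are easy to get subtly wrong: a Spoke-to-Spoke flow crosses three firewalls, and a single missing rule (typically the VPN to VPN rule on the Hub) breaks it in one direction only. The following Python script is an added example, not part of the original article and not SonicOS code; it transcribes the Hub, Spoke-1 and Spoke-2 rule sets exactly as listed above and checks that every ordered pair of sites is permitted at every hop. The traversal model (LAN to VPN at the source, VPN to VPN at the Hub for relayed Spoke traffic, VPN to LAN at the destination) and the treatment of "LAN Subnets" as each firewall's own network are this example's assumptions.

```python
"""Check that a hub-and-spoke access-rule set lets every site reach every other.

This is an added illustration, not part of the original article and not
SonicOS code.  It models the zone traversal a packet makes between two sites:
a LAN->VPN rule at the source firewall, a VPN->VPN rule at the Hub when two
Spokes talk to each other (the Hub only relays that traffic), and a VPN->LAN
rule at the destination firewall.  Rule tables are transcribed from the
article; "LAN Subnets" stands for each firewall's own local network.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    sources: frozenset
    destinations: frozenset


def rule(src_zone, dst_zone, sources, destinations):
    return Rule(src_zone, dst_zone, frozenset(sources), frozenset(destinations))


HUB, S1, S2 = "Hub Network", "Spoke-1 Network", "Spoke-2 Network"
LOCAL = "LAN Subnets"
SITE_NET = {"Hub": HUB, "Spoke-1": S1, "Spoke-2": S2}

# Access rules from the article's "Creating Rules" section (Service: Any)
RULES = {
    "Hub": [
        rule("LAN", "VPN", [LOCAL], [S1]),
        rule("LAN", "VPN", [LOCAL], [S2]),
        rule("VPN", "LAN", [S1, S2], [LOCAL]),
        rule("VPN", "VPN", [S1], [S2]),
        rule("VPN", "VPN", [S2], [S1]),
    ],
    "Spoke-1": [
        rule("LAN", "VPN", [LOCAL], [HUB]),
        rule("LAN", "VPN", [LOCAL], [S2]),
        rule("VPN", "LAN", [S2, HUB], [LOCAL]),
    ],
    "Spoke-2": [
        rule("LAN", "VPN", [LOCAL], [HUB]),
        rule("LAN", "VPN", [LOCAL], [S1]),
        rule("VPN", "LAN", [S1, HUB], [LOCAL]),
    ],
}


def permits(site, src_zone, dst_zone, src_net, dst_net, rules=RULES):
    """True if a rule on `site` matches the zone pair and the two networks.

    The firewall refers to its own network as "LAN Subnets", so the local
    site's address object is translated before matching."""
    local = SITE_NET[site]
    src = LOCAL if src_net == local else src_net
    dst = LOCAL if dst_net == local else dst_net
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone
        and src in r.sources and dst in r.destinations
        for r in rules[site]
    )


def path_allowed(src_site, dst_site, rules=RULES):
    """Return the (site, src_zone, dst_zone) hops that drop src->dst traffic.

    An empty list means the path is fully permitted."""
    src_net, dst_net = SITE_NET[src_site], SITE_NET[dst_site]
    hops = [(src_site, "LAN", "VPN")]
    if "Hub" not in (src_site, dst_site):
        hops.append(("Hub", "VPN", "VPN"))  # spoke-to-spoke is relayed by the Hub
    hops.append((dst_site, "VPN", "LAN"))
    return [h for h in hops if not permits(h[0], h[1], h[2], src_net, dst_net, rules)]


def audit(rules=RULES):
    """Map every ordered site pair to the hops that block it."""
    return {(a, b): path_allowed(a, b, rules) for a, b in permutations(SITE_NET, 2)}


if __name__ == "__main__":
    for pair, blocked in audit().items():
        print(f"{pair[0]:>8} -> {pair[1]:<8} {'OK' if not blocked else blocked}")
```

Run as-is, all six site pairs report OK. Deleting the Hub's "VPN to VPN, Spoke-1 Network to Spoke-2 Network" rule makes only the Spoke-1 to Spoke-2 direction fail, at the Hub hop, which is exactly the asymmetric breakage this kind of deployment tends to produce.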
Troubleshooting:
If the Tunnel Interface does not come up:
- Check the VPN pre-shared key; it needs to be the same on both sides of the tunnel.
- Check the IKE IDs; they need to be symmetrical (the Local ID on site A is the Remote ID on site B).
- Check the Proposal tab; the proposals need to be the same on both sides of the tunnel.
If the OSPF neighborship cannot be established:
- Check that "Allow Advanced Routing" is enabled in the Advanced tab of the Tunnel Interface policy on both sides.
- Check that the OSPF Router ID is different on every firewall.
- Check that the Global Unnumbered Configuration is correct (use the WAN or public interfaces, and make sure each end's Remote IP Address is the address the other end borrows).
- Check that both ends use the same OSPF area and matching Hello and Dead intervals.
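The OSPF settings in the "Creation of the OSPF network" section and the checklist above are all pairwise consistency conditions, so they can be verified before touching the firewalls. The Python script below is an added example, not part of the original article and not SonicOS code: it encodes the tunnel checks (equal pre-shared key, symmetrical IKE IDs, identical proposals) and the OSPF neighbour preconditions (distinct Router IDs, same area, matching Hello/Dead timers and authentication, and each end's Remote IP Address equal to the address the peer borrows from its X1). All addresses, IKE IDs, keys and the proposal string are constructed sample values, and the Site/peers data layout is this example's own.

```python
"""Pre-flight check of the Tunnel Interface and OSPF settings for a hub-and-spoke
deployment, mirroring the article's OSPF steps and Troubleshooting list.

This is an added illustration, not part of the original article and not
SonicOS code.  Tunnel checks: equal pre-shared key, symmetrical IKE IDs,
identical proposals.  OSPF checks are the generic neighbour requirements
from RFC 2328 (distinct Router IDs, same area, matching Hello/Dead timers
and authentication) plus the article's unnumbered-interface rule that each
end's Remote IP Address is the address the peer borrows from its X1.
All addresses, IDs and keys below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    router_id: str                  # article: the X0 address, unique per router
    borrowed_ip: str                # article: "IP Borrowed From" = X1 address
    ike_id: str                     # local IKE ID this firewall presents
    area: str = "0.0.0.0"
    hello: int = 10
    dead: int = 40
    auth: str = "none"
    # peer name -> what was typed on the Tunnel Interface towards that peer
    peers: dict = field(default_factory=dict)


def check_tunnel(a, b):
    """Reasons the IKE tunnel between a and b would not come up."""
    pa, pb = a.peers[b.name], b.peers[a.name]
    problems = []
    if pa["psk"] != pb["psk"]:
        problems.append(f"{a.name}<->{b.name}: pre-shared key differs")
    # Local ID on one side must be the Remote ID configured on the other
    if pa["remote_id"] != b.ike_id or pb["remote_id"] != a.ike_id:
        problems.append(f"{a.name}<->{b.name}: IKE IDs not symmetrical")
    if pa["proposal"] != pb["proposal"]:
        problems.append(f"{a.name}<->{b.name}: proposals differ")
    return problems


def check_ospf(a, b):
    """Reasons OSPF would not form a neighbourship across the a<->b tunnel."""
    problems = []
    if a.router_id == b.router_id:
        problems.append(f"{a.name}/{b.name}: same Router ID {a.router_id}")
    if a.area != b.area:
        problems.append(f"{a.name}/{b.name}: area {a.area} vs {b.area}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append(f"{a.name}/{b.name}: Hello/Dead {a.hello}/{a.dead} vs {b.hello}/{b.dead}")
    if a.auth != b.auth:
        problems.append(f"{a.name}/{b.name}: authentication {a.auth} vs {b.auth}")
    # Unnumbered tunnel: my Remote IP Address must be the address the peer borrows
    for x, y in ((a, b), (b, a)):
        got, want = x.peers[y.name]["ospf_remote_ip"], y.borrowed_ip
        if got != want:
            problems.append(f"{x.name}: OSPF Remote IP {got}, but {y.name} borrows {want}")
    return problems


def audit(hub, spokes):
    """Check every Hub<->Spoke link, then Router ID uniqueness across the whole area.

    The topology-wide Router ID check matters because two Spokes never peer with
    each other directly, so a pairwise check alone would miss a clash between them."""
    report = {(hub.name, s.name): check_tunnel(hub, s) + check_ospf(hub, s) for s in spokes}
    ids = [r.router_id for r in (hub, *spokes)]
    report["router_ids"] = sorted({f"Router ID {i} used more than once" for i in ids if ids.count(i) > 1})
    return report


def is_clean(report):
    return not any(report.values())


def make_sites():
    """Constructed sample configuration (not the article's addresses)."""
    hub = Site("Hub", router_id="192.168.0.1", borrowed_ip="203.0.113.1", ike_id="hub.example")
    s1 = Site("Spoke-1", router_id="192.168.1.1", borrowed_ip="198.51.100.2", ike_id="spoke1.example")
    s2 = Site("Spoke-2", router_id="192.168.2.1", borrowed_ip="198.51.100.3", ike_id="spoke2.example")
    proposal = "IKEv2 AES-256/SHA-256/DH14, ESP AES-256/SHA-256"  # same string both ends
    for x, y, psk in ((hub, s1, "sample-psk-1"), (hub, s2, "sample-psk-2")):
        x.peers[y.name] = dict(psk=psk, remote_id=y.ike_id, proposal=proposal, ospf_remote_ip=y.borrowed_ip)
        y.peers[x.name] = dict(psk=psk, remote_id=x.ike_id, proposal=proposal, ospf_remote_ip=x.borrowed_ip)
    return hub, [s1, s2]


if __name__ == "__main__":
    hub, spokes = make_sites()
    spokes[1].router_id = spokes[0].router_id   # introduce the classic mistake
    for key, problems in audit(hub, spokes).items():
        print(key, problems or "OK")
```

The Router ID check is deliberately run across the whole topology rather than per link: Spoke-1 and Spoke-2 never form an adjacency with each other, so a clash between their Router IDs passes every pairwise check yet still corrupts the link-state database of the shared area.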
See Also:
Implementing Hub and Spoke Site-to-Site VPN on SonicOS Enhanced