[j-nsp] RES: Trying to get OSPF to work across IPsec for Redundancy

OBrien, Will ObrienH at missouri.edu
Fri Apr 29 01:14:46 EDT 2011


Actually...
OSPF will work across an IPsec tunnel. Unfortunately, last time I checked, it wouldn't work across a tunnel that's terminated within a routing instance on an SRX. The issue was confirmed by JTAC.
We haven't tried it on 10.4 yet, but it's a known issue with older code.

OSPF just won't build a relationship across the tunnel.
On the other hand, it works great across IPsec tunnels between NetScreens.

If I remember, I'll try to dig up the kb article/bug report that covers it.




On Apr 28, 2011, at 10:58 PM, Keegan Holley wrote:

> sorry I meant IPSEC doesn't carry multicast.  OSPF technically doesn't
> "carry" anything.
> 
> On Thu, Apr 28, 2011 at 11:28 PM, Keegan Holley
> <keegan.holley at sungard.com>wrote:
> 
>> I don't think OSPF carries multicast.  I know Cisco routers have a neighbor
>> statement that will force it to unicast hellos; I've never tried it on a
>> juniper. I think if you do GRE over IPSEC (not to be confused with IPSEC
>> over GRE) the multicast will work as well.  It depends on your endpoints
>> though, I don't think firewalls will do GRE.
>> 
>> 
>> On Thu, Apr 28, 2011 at 3:59 PM, Leonardo Gama Souza <
>> leonardo.souza at nec.com.br> wrote:
>> 
>>>> Hello All:
>>>> 
>>>> I'm trying to get OSPF up over IPsec.  We have two IPsec tunnels, a
>>>> primary and a secondary that our spoke router can use.  We want to have
>>>> the spoke router run OSPF across both and then in case of a failure of
>>>> the primary hub router (where the primary IPsec tunnel terminates) OSPF
>>>> will direct traffic over the backup tunnel to the backup hub.
>>>> 
>>>> So far I have seen OSPF on the spoke router come up just a couple of
>>>> times but only to one or the other peer.  It never has come up to both
>>>> peers.  Here are my configurations for OSPF and the services interfaces
>>>> below.  Also BGP is up on all routers and all routers are reachable via
>>>> BGP.
>>>> 
>>>> If anyone can guide me in the right direction to get OSPF working over
>>>> IPsec that would be most appreciated!
>>> 
>>> As far as I know IPSec solely is not able to carry Multicast traffic.
>>> Are you using GRE over IPSec? If not, you may want to try unicast
>>> hellos.
>>> 
>>> 
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> 
>> 
>> 
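As an added illustration of the "unicast hellos" approach suggested in the thread (this is not configuration posted by anyone above), a Junos spoke can declare each tunnel interface NBMA and list the remote hub explicitly, so OSPF hellos are unicast to that peer instead of to 224.0.0.5; the interface names st0.0/st0.1 and the hub addresses are assumed for the example.

```junos
protocols {
    ospf {
        area 0.0.0.0 {
            /* primary tunnel: st0.0 and 10.255.0.1 are assumed values */
            interface st0.0 {
                interface-type nbma;
                neighbor 10.255.0.1;
            }
            /* backup tunnel to the secondary hub (assumed values) */
            interface st0.1 {
                interface-type nbma;
                neighbor 10.255.1.1;
            }
        }
    }
}
```

Each hub needs the matching interface-type and a neighbor statement pointing back at the spoke's tunnel address, and Will's caveat about tunnels terminated inside a routing instance on older SRX code still applies.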