Sunday, March 17, 2013

ScreenOS: Configuring OSPF to Work with Tunnel Interfaces

ns5gt-> get vr trust-vr protocol ospf config
VR: trust-vr RouterId: 10.0.0.1
----------------------------------
set protocol ospf
set enable
set area 0.0.0.10
set area 0.0.0.10 range 172.16.1.0 255.255.255.0 advertise
exit
set interface trust protocol ospf area 0.0.0.10
set interface trust protocol ospf enable
set interface trust protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 1


ssg5-serial-wlan-> get vr trust-vr protocol ospf config
VR: trust-vr RouterId: 10.0.0.2
----------------------------------
set protocol ospf
set enable
set area 0.0.0.20
set area 0.0.0.20 range 10.1.1.0 255.255.255.0 advertise
set area 0.0.0.20 range 10.2.2.0 255.255.255.0 advertise
exit
set interface bgroup0 protocol ospf area 0.0.0.20
set interface bgroup0 protocol ospf enable
set interface bgroup0 protocol ospf cost 1
set interface bgroup1 protocol ospf area 0.0.0.20
set interface bgroup1 protocol ospf enable
set interface bgroup1 protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 1

ScreenOS Route-Based VPN Configuration

Configuration process:
1. Create a tunnel interface (preferably bound to the untrust zone) and give it an IP address if a routing protocol will run over it.
2. Create an IKE gateway (Phase 1).
3. Create an AutoKey IKE VPN (Phase 2) and bind it to the tunnel interface.
4. Configure routing with the tunnel interface as the next hop: either a static route out of the tunnel interface, or a dynamic protocol such as OSPF enabled on it, as in the configs above.
5. Create a policy if the tunnel interface and the source address are in different zones (traffic that stays within one zone needs no policy unless intra-zone blocking is enabled on that zone).
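The five steps above, worked through on the ns5gt side of the topology shown in the OSPF dumps. This is an added example, not configuration from the original post. The peer address 203.0.113.2, the outgoing interface name untrust, the tunnel addresses 10.0.0.1/30 and 10.0.0.2/30, the pre-shared key, the gateway/VPN/address-book names, and the AES proposals are assumptions; the prefixes 172.16.1.0/24, 10.1.1.0/24 and 10.2.2.0/24 come from the area ranges in the dumps. Lines beginning with # are annotations, not ScreenOS commands, and must be stripped before pasting.

```text
# 1. Tunnel interface in the untrust zone, numbered so an OSPF adjacency can form over it
#    (assumed addressing: 10.0.0.1/30 here, 10.0.0.2/30 on the ssg5)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.0.0.1/30

# 2. IKE gateway (Phase 1): main mode, pre-shared key, explicit proposal instead of
#    "sec-level standard" (which selects 3DES/SHA-1 in ScreenOS). Peer address and PSK are assumed.
set ike gateway gw-ssg5 address 203.0.113.2 main outgoing-interface untrust preshare "Replace-With-A-Long-Random-PSK" proposal pre-g2-aes128-sha

# 3. AutoKey IKE VPN (Phase 2) with replay protection, bound to the tunnel interface
set vpn vpn-ssg5 gateway gw-ssg5 replay tunnel idletime 0 proposal g2-esp-aes128-sha
set vpn vpn-ssg5 bind interface tunnel.1

# 4. Routing: static routes with the tunnel interface as the next hop.
#    With OSPF enabled on tunnel.1 as in the dumps above, the ssg5's area ranges are learned
#    dynamically and these two static routes are not needed.
set route 10.1.1.0/24 interface tunnel.1
set route 10.2.2.0/24 interface tunnel.1

# 5. Policy: required here because tunnel.1 (untrust) and the LAN (trust) are in different zones.
#    Address-book names are assumed; both directions are needed for sessions initiated from either side.
set address trust lan-local 172.16.1.0 255.255.255.0
set address untrust lan-remote-a 10.1.1.0 255.255.255.0
set address untrust lan-remote-b 10.2.2.0 255.255.255.0
set policy from trust to untrust lan-local lan-remote-a any permit
set policy from trust to untrust lan-local lan-remote-b any permit
set policy from untrust to trust lan-remote-a lan-local any permit
set policy from untrust to trust lan-remote-b lan-local any permit
```

The ssg5 side mirrors this with the addresses and prefixes swapped. Note that the OSPF neighbor across tunnel.1 is only reachable through the IPsec SA, so it is implicitly authenticated by IKE; the LAN-facing OSPF interfaces (trust, bgroup0, bgroup1) have no such protection and will accept any router on those segments unless OSPF authentication is configured there.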

Troubleshooting:
FW-> ping <destination interface IP> from <source interface>   (source the ping from the LAN-side interface so it is routed into the tunnel rather than out the untrust interface)
FW-> get route ip <destination interface IP>   (the matching route must point at the tunnel interface)
FW-> get ike cookie   (Phase 1 SAs; an empty list means IKE never completed)
FW-> get sa active   (active Phase 2 SAs)
FW-> get vrouter trust-vr protocol ospf neighbor   (the peer on tunnel.1 should be in state Full once the SA is up)