DFL-1600 + Cisco + GRE + OSPF
corzza:
Hello all!
First of all - sorry for my English. It's not my native language.
I have a problem with dynamic routing between a DFL-1600 and Cisco 1811 routers. All devices were connected over GRE (IPsec will be the second stage). It works. When I use static routes, it works. But when I try to use OSPF, I have a problem. OSPF works between the Cisco routers, but it doesn't work between Cisco and the DFL-1600.
Can somebody help me?
I will be very grateful for any help.
Best regards, Sergey Dontsov
Cisco config
Router 1
interface Tunnel3000
ip address 10.3.0.1 255.255.255.0
ip ospf network broadcast
ip ospf cost 10000
ip ospf mtu-ignore
tunnel source FastEthernet0
tunnel destination 193.46.66.26
tunnel key 133
!
interface Tunnel3001
ip address 10.4.0.1 255.255.255.0
ip ospf network broadcast
ip ospf cost 10000
ip ospf mtu-ignore
tunnel source FastEthernet0
tunnel destination 193.46.66.27
tunnel key 134
!
interface FastEthernet0
ip address 193.46.66.25 255.255.255.0
duplex auto
speed auto
router ospf 1
router-id 10.3.0.1
log-adjacency-changes
passive-interface default
no passive-interface Tunnel3000
no passive-interface Tunnel3001
network 10.0.11.0 0.0.0.255 area 3
network 10.0.12.0 0.0.0.255 area 3
network 10.0.13.0 0.0.0.255 area 3
network 10.3.0.0 0.0.0.255 area 0
network 10.4.0.0 0.0.0.255 area 0
ROUTER_1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.4.0.2 0 FULL/DROTHER 00:00:31 10.4.0.2 Tunnel3001
ROUTER_1#
Router 2
interface Tunnel3001
ip address 10.4.0.2 255.255.255.0
ip ospf network broadcast
ip ospf cost 10000
ip ospf priority 0
ip ospf mtu-ignore
tunnel source FastEthernet0
tunnel destination 193.46.66.25
tunnel key 134
!
interface Tunnel3000
ip address 10.3.0.3 255.255.255.0
ip ospf network broadcast
ip ospf cost 10000
ip ospf mtu-ignore
tunnel source FastEthernet0
tunnel destination 193.46.66.26
tunnel key 133
!
interface FastEthernet0
ip address 193.46.66.27 255.255.255.0
duplex auto
speed auto
router ospf 1
router-id 10.4.0.2
log-adjacency-changes
passive-interface default
no passive-interface Tunnel3001
no passive-interface Tunnel3000
network 10.3.0.0 0.0.0.255 area 0
network 10.4.0.0 0.0.0.255 area 0
network 172.16.15.0 0.0.0.255 area 2
Neighbor ID Pri State Dead Time Address Interface
10.3.0.1 1 FULL/DR 00:00:36 10.4.0.1 Tunnel3001
ROUTER_2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 5 subnets
O IA 10.0.11.0 [110/10001] via 10.4.0.1, 00:04:21, Tunnel3001
O IA 10.0.12.0 [110/10001] via 10.4.0.1, 00:04:21, Tunnel3001
O IA 10.0.13.0 [110/10001] via 10.4.0.1, 00:04:21, Tunnel3001
C 10.3.0.0 is directly connected, Tunnel3000
C 10.4.0.0 is directly connected, Tunnel3001
C 193.46.66.0/24 is directly connected, FastEthernet0
ROUTER_2#
Gattsu:
The hellos are probably not going through with this error code "unknown neighbor". Possibly you need to create an allow rule for GRE tunnel traffic. Or maybe it is because multicast traffic is not going through. Use the packet capture tool on the DFL to fully analyze.
Here is a GRE tunnel configuration sample.
set Device Name=Site-A
set Interface Ethernet wan1 DHCPEnabled=No
set Address IP4Address InterfaceAddresses/wan1_ip Address=1.1.1.160
set Address IP4Address InterfaceAddresses/wan1net Address=1.1.1.0/24
set Address IP4Address InterfaceAddresses/lan_ip Address=192.168.0.1
set Address IP4Address InterfaceAddresses/lannet Address=192.168.0.0/24
set Interface Ethernet wan1 DefaultGateway=1.1.1.2
add Interface GRETunnel gre-if IP=10.0.0.1 Network=192.168.1.0/24 RemoteEndpoint=3.3.3.160
add Interface InterfaceGroup gre-lan Members=gre-if,lan
add IPRule Action=Allow SourceInterface=gre-lan SourceNetwork=all-nets DestinationInterface=gre-lan DestinationNetwork=all-nets Service=all_tcpudpicmp Index=1 LogEnabled=Yes Name=gre-lan-allow
set IPRule 2(ping_fw) SourceInterface=gre-lan SourceNetwork=all-nets LogEnabled=Yes
activate
commit
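Following the packet-capture suggestion above, an added example (not part of the original thread, and not D-Link or Cisco code): it decodes OSPFv2 Hello packets per RFC 2328, as they appear after the inner IP header of the GRE tunnel, and lists the reasons two routers would fail to form an adjacency. Router 1's values come from the thread; the DFL router ID 10.3.0.2, the 10 s / 40 s timers and all function names are assumptions, and the sample packets are constructed.

```python
import socket
import struct

# Hello fields that RFC 2328 requires to be equal on a broadcast network.
MUST_MATCH = ("area", "autype", "mask", "hello", "dead", "stub_flag")

def build_hello(rid, area, mask, hello, dead, prio=1, neighbors=(), autype=0, options=0x02):
    """Constructed sample: OSPFv2 Hello bytes as they follow the IP header (checksum left 0)."""
    a = socket.inet_aton
    body = struct.pack("!4sHBBI4s4s", a(mask), hello, options, prio, dead,
                       a("0.0.0.0"), a("0.0.0.0"))
    body += b"".join(a(n) for n in neighbors)
    head = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), a(rid), a(area), 0, autype, bytes(8))
    return head + body

def parse_hello(pkt):
    """Decode the 24-byte OSPF header and the Hello body; raise ValueError on anything else."""
    if len(pkt) < 44:
        raise ValueError("shorter than OSPF header plus Hello body")
    ver, typ, length, rid, area, _ck, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2 or typ != 1 or not 44 <= length <= len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    mask, hello, opts, prio, dead, _dr, _bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    n = socket.inet_ntoa
    return {"router_id": n(rid), "area": n(area), "autype": autype, "mask": n(mask),
            "hello": hello, "dead": dead, "stub_flag": not opts & 0x02, "priority": prio,
            "neighbors": [n(pkt[i:i + 4]) for i in range(44, length - 3, 4)]}

def diagnose(local, peer):
    """Compare our own Hello with the peer's; an empty list means no blocker was found."""
    problems = [f"{k}: local={local[k]} peer={peer[k]}"
                for k in MUST_MATCH if local[k] != peer[k]]
    if local["router_id"] == peer["router_id"]:
        problems.append("duplicate router ID")
    if local["router_id"] not in peer["neighbors"]:
        problems.append("peer does not list us as a neighbor (our hellos are not accepted there)")
    return problems

# Constructed captures: the Cisco hears the DFL (and lists it), while the DFL's own Hello
# lists nobody, which is the one-way state in which an adjacency never gets past INIT.
CISCO = parse_hello(build_hello("10.3.0.1", "0.0.0.0", "255.255.255.0", 10, 40,
                                neighbors=["10.3.0.2"]))
DFL = parse_hello(build_hello("10.3.0.2", "0.0.0.0", "255.255.255.0", 10, 40))

if __name__ == "__main__":
    print("seen from the DFL:  ", diagnose(DFL, CISCO))
    print("seen from the Cisco:", diagnose(CISCO, DFL))
```

To use it on real traffic, pass `parse_hello` the payload of each IP protocol 89 packet taken from the capture on the tunnel interface.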