
Copied from NetworkEngineering since they said it is off-topic there.

Network Diagram: (image not reproduced here)

We have two OpenVPN servers that are currently accessible with static routes from the two core routers and I am trying to set them up with OSPF using Quagga (FRR is not available on RedHat 7) so I can remove the static routes. We have a robust BGP and OSPF setup currently, but things seem to break when I start ospfd. Each server hosts several OpenVPN instances (for high-availability). Some of these instances use a bridged network instead of a routed network and turning on OSPF also seems to break these systems. VPN clients on the bridged interface are connected transparently to the core of the network (used for Site-to-Site VPN), while users are put in the subnet assigned to the server they connect to.

I have tried so many different options, but this is my current config:

[root@openvpn00 ~]# vtysh

Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

openvpn00.example.edu# show run
Building configuration...

Current configuration:
!
hostname openvpn00.example.edu
log stdout
log syslog
!
password zebra
!
interface br3254
 ipv6 nd suppress-ra
!
interface eth0
 ip address x.x.127.201/27
 ipv6 nd suppress-ra
!
interface tap0
 ipv6 nd suppress-ra
!
interface tun0
 ipv6 nd suppress-ra
!
interface tun1
 ipv6 nd suppress-ra
!
router ospf
 redistribute connected
 passive-interface default
 no passive-interface eth0
 network 10.73.250.0/24 area 0.0.0.7
 network 10.73.252.0/25 area 0.0.0.7
 network x.x.127.192/27 area 0.0.0.7
!
ip forwarding
!
line vty
!
end
openvpn00.example.edu# exit

[root@s2svpnb ~]# vtysh

Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

openvpn01.example.edu# show run
Building configuration...

Current configuration:
!
hostname openvpn01.example.edu
log stdout
log syslog
!
password zebra
!
interface br3254
 ipv6 nd suppress-ra
!
interface eth0
 ip address x.x.127.202/27
 ipv6 nd suppress-ra
!
interface tap0
 ipv6 nd suppress-ra
!
interface tun0
 ipv6 nd suppress-ra
!
interface tun1
 ipv6 nd suppress-ra
!
router ospf
 redistribute connected
 passive-interface default
 no passive-interface eth0
 network 10.73.251.0/24 area 0.0.0.7
 network 10.73.252.128/25 area 0.0.0.7
 network x.x.127.192/27 area 0.0.0.7
!
ip forwarding
!
line vty
!
end
openvpn01.example.edu# exit

If I use anything besides network x.x.127.192/27, Quagga doesn't broadcast on that interface.

Switch Configuration:

router00:

router ospf
 area 6
 area 0
 area 7
 default-information-originate
 redistribute bgp route-map BGP-OSPF
 redistribute connected
 redistribute static
 log all
!
interface ve 427
 ip address x.x.127.222 255.255.255.224
 ip ospf area 7
 ip vrrp-extended vrid 29
  backup priority 200
  advertise backup
  ip-address x.x.127.193
  enable
!

router01:

router ospf
 area 6
 area 0
 area 7
 default-information-originate
 redistribute bgp route-map BGP-OSPF
 redistribute connected
 redistribute static
 log all
!
interface ve 427
 ip address x.x.127.221 255.255.255.224
 ip ospf area 7
 ip vrrp-extended vrid 29
  backup priority 100
  advertise backup
  ip-address x.x.127.193
  enable
!

Do I need to use separate VLANs and point-to-point subnets (maybe /31s) for this or is there a way to keep everything on the same VLAN? Any better ways to handle this?

yakatz
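Added example, not part of the question and not code from Quagga or OpenVPN: a small Python checker that applies the rule the question runs into (Quagga only runs OSPF on an interface whose address falls inside a "network ... area ..." statement, and "passive-interface default" then silences every such interface except those under "no passive-interface"). It parses a constructed copy of the openvpn00 config in which the masked "x.x" octets are replaced by the 192.0.2.0/24 documentation prefix; the function names parse_quagga and ospf_interface_report are hypothetical. Interfaces that have no address in the config (tun/tap/bridge) are skipped on purpose, because their addresses come from OpenVPN or the bridge and the match has to be checked against the kernel, not the file.

```python
import ipaddress

# Constructed sample modelled on the "show run" output in the question.
# The masked "x.x" octets are replaced with the 192.0.2.0/24 documentation
# prefix; nothing here was taken from a live router.
SAMPLE_CONFIG = """\
hostname openvpn00.example.edu
!
interface eth0
 ip address 192.0.2.201/27
 ipv6 nd suppress-ra
!
interface tun0
 ipv6 nd suppress-ra
!
router ospf
 redistribute connected
 passive-interface default
 no passive-interface eth0
 network 10.73.250.0/24 area 0.0.0.7
 network 10.73.252.0/25 area 0.0.0.7
 network 192.0.2.192/27 area 0.0.0.7
!
ip forwarding
!
"""


def parse_quagga(config_text):
    """Parse the 'interface' and 'router ospf' sections of a Quagga config.

    Sub-commands are indented by one space, so an unindented line always
    starts a new section (or a top-level command we do not care about).
    """
    interfaces = {}
    ospf = {"networks": [], "passive_default": False, "passive": set(),
            "no_passive": set(), "redistribute": []}
    section = None                      # ("iface", name), "ospf" or None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        parts = line.split()
        if not raw.startswith(" "):     # top-level command: new section
            if parts[0] == "interface":
                section = ("iface", parts[1])
                interfaces.setdefault(parts[1], {"addresses": [], "auth": False})
            elif line == "router ospf":
                section = "ospf"
            else:
                section = None          # hostname, log, ip forwarding, ...
            continue
        if section is None:
            continue
        if section == "ospf":
            if line == "passive-interface default":
                ospf["passive_default"] = True
            elif parts[0] == "passive-interface":
                ospf["passive"].add(parts[1])
            elif parts[:2] == ["no", "passive-interface"]:
                ospf["no_passive"].add(parts[2])
            elif parts[0] == "network" and len(parts) == 4 and parts[2] == "area":
                ospf["networks"].append((ipaddress.ip_network(parts[1]), parts[3]))
            elif parts[0] == "redistribute":
                ospf["redistribute"].append(parts[1])
        else:
            iface = interfaces[section[1]]
            if parts[:2] == ["ip", "address"]:
                iface["addresses"].append(ipaddress.ip_interface(parts[2]))
            elif parts[:3] in (["ip", "ospf", "authentication"],
                               ["ip", "ospf", "message-digest-key"]):
                iface["auth"] = True
    return interfaces, ospf


def ospf_interface_report(config_text):
    """Decide, from the config alone, where OSPF will actually run."""
    interfaces, ospf = parse_quagga(config_text)
    report, notes = {}, []
    for name, iface in interfaces.items():
        if not iface["addresses"]:      # address assigned outside Quagga
            continue
        hit = next(((a, area) for a in iface["addresses"]
                    for net, area in ospf["networks"] if a.ip in net), None)
        if hit is None:
            report[name] = {"ospf": False, "area": None, "passive": None,
                            "authenticated": iface["auth"]}
            notes.append("%s: %s is outside every 'network' statement, so no "
                         "hellos are sent there" % (name, iface["addresses"][0]))
            continue
        if ospf["passive_default"]:
            passive = name not in ospf["no_passive"]
        else:
            passive = name in ospf["passive"]
        report[name] = {"ospf": True, "area": hit[1], "passive": passive,
                        "authenticated": iface["auth"]}
        if not passive and not iface["auth"]:
            notes.append("%s: forms adjacencies without OSPF authentication, "
                         "so any host on that VLAN can peer with it" % name)
    if "connected" in ospf["redistribute"]:
        notes.append("'redistribute connected' advertises every connected "
                     "prefix, bridged tap/br ones included, as external routes")
    return {"interfaces": report, "notes": notes}


if __name__ == "__main__":
    result = ospf_interface_report(SAMPLE_CONFIG)
    print(result["interfaces"])
    for note in result["notes"]:
        print("note:", note)
```

Running it against the sample reports eth0 as active in area 0.0.0.7 and, if the 192.0.2.192/27 network line is deleted, as not running OSPF at all, which is the "anything besides network x.x.127.192/27" behaviour from the question. The two notes it emits are the checks worth making before removing the static routes: the adjacency on the shared VLAN carries no authentication, and "redistribute connected" pushes every connected prefix into the OSPF domain.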
Comment: There is really only one issue here - that OSPF breaks the network when you turn it on. The diagram is mostly not relevant and not nice to look at. Let's focus on the main issue - routing tables. Can you show me the routing tables on your openvpn servers in normal operation and then again when you turn on ospf please. Also what breaks and how are you detecting the breakage? – Owensteam Jan 02 '20 at 10:56

0 Answers