OpenVPN + quagga OSPF Need some help
-
Hello,
I have tried to follow the PfSense book "OpenVPN Site-to-Site with Multi-WAN and OSPF". Through packet capture I can see the "Hello" coming in, it looks like this
Packet capture interface set to "main"
Main VPN
14:35:29.551867 IP 192.168.88.2 > 224.0.0.5: OSPFv2, Hello, length 48
14:35:34.446163 IP 192.168.88.1 > 224.0.0.5: OSPFv2, Hello, length 48Packet capture interface set to "At&t"
At&t VPN
14:36:54.374149 IP 192.168.44.1 > 224.0.0.5: OSPFv2, Hello, length 48
14:37:00.399990 IP 192.168.44.2 > 224.0.0.5: OSPFv2, Hello, length 48My question is why can I not get a neighborhood to establish? When I go to Services / Quagga OSPF / Status there is nothing in Quagga OSPF General, Quagga OSPF Neighbors, Quagga OSPF Database, Quagga OSPF Router Database, Quagga OSPF Routes, Quagga Zebra Routes, Quagga OSPF Interfaces, Quagga OSPF CPU Usage, and Quagga OSPF CPU Usage.
Quagga ospfd.conf for Office A is
This file was created by the pfSense package manager. Do not edit!
password 1234
interface ovpns1
ip ospf cost 10
ip ospf hello-interval 10
ip ospf retransmit-interval 6
ip ospf dead-interval 40
interface ovpns3
ip ospf cost 20
ip ospf hello-interval 11
ip ospf retransmit-interval 7
ip ospf dead-interval 41
interface igb0router ospf
ospf router-id 192.168.1.1
passive-interface igb0
network 192.168.88.0/30 area 0.0.0.0
network 192.168.44.0/30 area 0.0.0.0
network 192.168.1.0/24 area 0.0.0.0Quagga zebra.conf
This file was created by the pfSense package manager. Do not edit!
password 1234
ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
ip prefix-list ACCEPTFILTER deny 192.168.1.0/24
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTERQuagga ospfd.conf for Office B is
This file was created by the pfSense package manager. Do not edit!
password 1234
interface ovpnc1
ip ospf cost 10
ip ospf hello-interval 10
ip ospf retransmit-interval 6
ip ospf dead-interval 40
interface ovpnc3
ip ospf cost 20
ip ospf hello-interval 11
ip ospf retransmit-interval 7
ip ospf dead-interval 41
interface igb0router ospf
ospf router-id 192.168.10.1
passive-interface igb0
network 192.168.88.0/30 area 0.0.0.0
network 192.168.44.0/30 area 0.0.0.0
network 192.168.10.0/24 area 0.0.0.0Quagga zebra.conf
This file was created by the pfSense package manager. Do not edit!
password 1234
ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
ip prefix-list ACCEPTFILTER deny 192.168.10.0/24
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTERCan anyone see what I could be doing wrong?
-
What do you mean by " there is nothing in Quagga OSPF General "? If there is literally nothing - when your Q/Z is not running at all.
If there is "something" (eg diagnostic info) but OSPF cant establish link…
1st: enable both logging options (will be in system logs - routing)
2nd: don't mangle with hello/retransmit/dead, leave them at defaults. If you REALLY want to play with them - do this AFTER you will get OSPF working
3rd: remove ACCEPT filters, you don't need them, at least now.
4th: start with 1 openvpn interface, after you will make it run - add second. This will be much simpler for you to configure and diagnose. Maybe you just mismatching your VPN links and attempting to configure mismatching hello/dead intervals, which is a NO-NO. -
OR you messed up something while tinkering and zebra with opsf now running with other password, or they just are dead.
If you can - rebuild ospf configuration from scratch, with package remove/reinstall. -
Config looks fine for me.
-
Well, it found a neighbor, so it works.
BUT if you still unable to get diag info - you better rebuild it, to be able to see what's going on.
You got same problem on second router? -
I have ospfd/zebra running on pfs from ~2.1.3 to 2.3.1, all show diag without problems.
Jun 21 16:22:00 ospfd 1267 nsm_change_state(192.168.1.1, Loading -> Full): scheduling new router-LSA origination
Jun 21 16:22:01 ospfd 1267 SPF Processing Time(usecs): External Routes: 6
Jun 21 16:22:14 ospfd 1267 nsm_change_state(192.168.1.1, Full -> Init): scheduling new router-LSA origination
Jun 21 16:22:14 ospfd 1267 SPF: Scheduled in 0 msec
Jun 21 16:22:15 ospfd 1267 SPF Processing Time(usecs): External Routes: 10
Jun 21 16:22:23 ospfd 1267 Packet[DD]: Neighbor 192.168.1.1: Initial DBD from Slave, ignoring.
Jun 21 16:22:23 ospfd 1267 Packet[DD]: Neighbor 192.168.1.1 Negotiation done (Master).
Jun 21 16:22:23 ospfd 1267 nsm_change_state(192.168.1.1, Exchange -> Full): scheduling new router-LSA originationYep, it works. If you defined local/remote networks in OpenVPN configuration - you can remove them now and have routes pushed from ospfd.
But still - without status info available you are swimming blindfolded. You can still get this info from shell but wouldn't call that comfortable.
-
Oddly, all my settings where still remembered
They are stored in config.xml of pfSense.
Do you see status info after rebuild? If yes, in "Quagga OSPF Neighbors" you should see Router ID of other router.
And most important for you is "Quagga Zebra Routes", there should be routes (prepended by O>) to your LAN on other router.
OpenVPN links are directly connected, so their networks would show up anyway. -
…
Rebuild both pfSenses from scratch?
Or learn how to get info from shell. -
Not quite.
Tunnel network is necessary for tunnel to function, so you should not remove it.
But remote and local networks could be removed (and better be, because they will override OSPF routing).
Key point to understand - after both of your OSPF routers paired - they should have information WHICH networks to announce.
In your case you provided this info through config:
interface igb0
network 192.168.1.0/24 area 0.0.0.0 -
- Show your Zebra routes and system routing table
- Check firewall rules on OpenVPN tab - better have ANY to ANY until you got it working.
- If you have 2 openvpn connections between 2 routers - you will have troubles. Adjust cost for tunnels, so then they are both live - one would be preffered.
-
Please, draw a network scheme (with interface names and ip/subnets).
-
Well, it is clear now.
You write:The other night I was able to disconnect the main WAN (Charter) in the main office and was able to ping over to the remote office.
However, I was not able to ping from the remote office back to the main office.But if you look at routing table at branch, you will see
K>* 192.168.1.0/24 via 192.168.88.1, ovpnc1
So remote office still thinks what it should send packets to main office through OpenVPN tunnel which terminates at Charter.
Also, K> says what this route did not came from OSPF (though O 192.168.1.0/24 [110/20] via 192.168.88.1, ovpnc1, 14:29:15 tells OSPF thinks same).If you haven't statically assign route in 192.168.88.0 tunnel, than you can try to enable "Don't pull routes" on VPN configuration.
I have exactly same situation sometimes, but I didn't found the perfect solution, nor cause. Default configuration for OpenVPN contains ping-restart directive, which should reset OpenVPN tunnel in case of lost connection (and drop assigned routes in process), but this doesn't happen.
Can you create a thread in VPN board, citing your last two posts and this one? Maybe someone could help both us…
-
Can anyone suggest where I get help with this problem? I really need this to get fixed. Different forum?