OSPF not sending Hello

michmoor · Mar 5, 2022, 11:38 PM

Greetings,
I have an OPNsense to PFsense IPsec tunnel running in VTI Routed mode.
I have configured OSPF accordingly on the OPNsense side but the PFsense side seems to be at fault.
Following the configuration guidelines in the documentation provided by netgate I should be seeing the adjs come up but they don't.
The reason I believe it to be the fault on the Pfsense side is because of the following:

Packet capture on the OPnsense side, specifically on the IPsec Interface shows OSPF hellos being sent out the ipsec interface.
On the pfsense, checking the phase 2 side of the tunnel, I see packet counts increasing every few seconds. There are no outgoing packets. Traffic is being sent across the tunnel that much is true.

Oddly, when I do a packet capture on the pfsense side on the ipsec interface nothing is shown. No hellos or even received packets from the remote side over the tunnel. FRR configuration is correct with the VTI interface added under ospf and not passive.

frr defaults traditional
hostname GA-FW1
password xxxxxxxxx
log syslog
service integrated-vtysh-config
!
interface ipsec1
description "ospfd: VTI-790CCV"
ip ospf network broadcast
ip ospf cost 10
ip ospf mtu-ignore
interface igb1
description "ospfd: LanNet"
ip ospf mtu-ignore
ip ospf area 0.0.0.0
interface igb3
description "ospfd: DMZ"
ip ospf mtu-ignore
ip ospf area 0.0.0.0
!
router bgp 65001
bgp log-neighbor-changes
no bgp network import-check
!
router ospf
ospf router-id 10.6.106.1
log-adjacency-changes detail
passive-interface igb1
passive-interface igb3
area 0.0.0.0 shortcut default

michmoor · Mar 5, 2022, 11:33 PM

@michmoor update. I decided to reboot the pfsense. Start clean. I shouldn't have to do this on a production machine but here we are.
Running another packet capture under the interface "IPsec" I do in fact see ospf hellos being received from the remote side which confirms the OPNsense is operating correctly and I can now focus on the pfsense being the issue (this is a first).

18:31:28.198705 (authentic,confidential): SPI 0xcedeff1d: IP 10.6.106.2 > 224.0.0.5: OSPFv2, Hello, length 44
18:31:38.199122 (authentic,confidential): SPI 0xcdb0b415: IP 10.6.106.2 > 224.0.0.5: OSPFv2, Hello, length 44

michmoor · Mar 5, 2022, 11:47 PM

@michmoor just tried with BGP and this too is failing to establish. There might just be a missing configuration on the pfsense I'm not seeing but this should all work. This isn't a multicast or unicast problem.