OSPF Over IPSEC
NightShade1 Member Posts: 433
in CCNP
Hello everyone,
I'm on a project right now in which we will run OSPF over IPsec,
and I was wondering if anyone has any experience doing that...
Anyway, here is my scenario and what I thought I should do. I'll try to make a summary, but I can be more specific if it's needed.
I've got a star topology:
a central Fortigate and like 30 remote sites.
We're doing OSPF on it. We will start with a star topology and maybe we will move to a partial mesh.
Anyway,
I've got some questions about the configuration of OSPF.
Everything will go in one area, Area 0.
What network type do you recommend? I was thinking of point-to-multipoint and putting all of my OSPF links in one subnet.
I could also just leave it on non-broadcast and set all my remote routers to priority 0 so the central one is the DR.
What hello time and dead time should I set? I was thinking 30 secs for hello time and 120 for dead time.
I'll configure passive interface on all the LAN interfaces of all my Fortigates.
I'll configure loopbacks for network stability (which I don't know well, as we are not doing partial mesh or full mesh yet, so no DR or BDR election) O_o but it would be good to have it... because we're planning on moving to that later.
If anyone has used Fortigates before, there is a question for them
about the bandwidth... well, at least on Cisco routers you could configure that... setting the BW to whatever your link was...
But in Fortinet I just see an inbound BW and outbound BW option... is this the one I'm looking for?
I mean, I need to configure it because it uses that for the best route calculation, plus I don't know if it's like EIGRP, which uses part of the % of the BW for its protocol thing... at least as far as I remember, EIGRP uses part of the % of the BW for its own... and if it's not well configured, well... you can imagine...
Those are some of the considerations I'm taking into account...
Any other consideration is welcome...
Also any suggestions.
Also, if you have any questions about what I'm planning to do, ask me.
I'm doing everything with Fortigates, yeah, no Cisco... but these questions are more design questions...
The other thing that has me worried is all the BW that will be used for the IPsec + OSPF traffic (I really have no idea how much BW I'll need). Yeah, everything is going through one connection of 2mbs O_o how much BW would I need for it?
Thank you
Comments
mikej412 Member Posts: 10,086
In Ciscoland you'd usually configure a GRE Tunnel over IPSec with OSPF
Configuring a GRE Tunnel over IPSec with OSPF - Cisco Systems
But with 30 sites I'd consider a Dynamic Multipoint VPN
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall - Cisco Systems
Not sure how they do things over in Fortigateville -- but you might want to at least read the introduction from that first link:
"Normal IP Security (IPSec) configurations cannot transfer routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such as Internetwork Packet Exchange (IPX) and AppleTalk. This document illustrates how to route between different networks that use a routing protocol and non-IP traffic with IPSec. This example uses generic routing encapsulation (GRE) in order to accomplish routing between the different networks."
Cisco Certifications -- Collect the Entire Set!
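The GRE-over-IPsec approach from the comment above, sketched as a Cisco IOS configuration for one hub-to-spoke tunnel. This is an added example, not part of the thread or of the linked Cisco documents; every address, the profile and transform-set names, the interface names and the pre-shared key are constructed placeholders, and the hello/dead timers and the 2 Mb/s bandwidth are taken from the original question.

```cisco
! Hub side, one point-to-point GRE tunnel to a single spoke (placeholders throughout).
! IKE phase 1 policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set TS-GRE
!
interface Tunnel0
 description GRE to spoke 1, encrypted by the IPsec profile below
 ip address 10.255.0.1 255.255.255.252
 ! Interface bandwidth in kbit/s; OSPF derives its cost from this value.
 bandwidth 2000
 ! Leave room for GRE + ESP overhead so tunnelled packets are not fragmented.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Point-to-point: no DR/BDR election on the tunnel.
 ip ospf network point-to-point
 ip ospf hello-interval 30
 ip ospf dead-interval 120
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! All GRE traffic, including OSPF multicast hellos, is carried inside ESP.
 tunnel protection ipsec profile GRE-PROTECT
!
router ospf 1
 ! Form adjacencies only across the protected tunnel, never on LAN ports.
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

With point-to-point GRE the hub needs one such tunnel interface per remote site, which is why the comment suggests DMVPN for a 30-site deployment.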