How to create a mesh VPN network using Tunnel Interfaces and OSPF

Description

It is quite easy to implement a hub-and-spoke VPN network using Tunnel Interfaces together with OSPF, but the transition to a mesh network can be troublesome if you want to redistribute the SonicWall's firewalled subnets.

Resolution

If you simply use the option "Redistribute Connected Networks" in your OSPF configuration, it works perfectly in a hub-and-spoke environment but prevents the transition to a mesh environment. The SonicWall treats a tunnel interface as a connected interface, so the "spoke to spoke" VPN tunnel fails to come up: each spoke tries to reach the other through the VPN tunnel that already exists to the hub.

Figure 1: Enabling spoke 1

Figure 2: Enabling spoke 2

In Figure 1, you can see that a route exists to the second spoke (route #6). Figure 2 shows the equivalent on Spoke 2 (route #6).

The solution for creating a full-mesh environment is to use the OSPF "Passive" mode on the connected interfaces of all the mesh network's nodes.

When OSPF passive mode is enabled on an interface, no OSPF packets are sent or received on that interface. Its only effect is that the interface's network is advertised by OSPF to the other OSPF peers in a Router LSA (type 1) rather than as an External LSA (type 5), which is how it is advertised when using "Redistribute Connected Networks".
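The practical consequence of that LSA-type difference is OSPF's path preference order (RFC 2328, section 16.4): an intra-area path always beats an AS-external path, whatever its cost. The following is an added example, not SonicWall code; the topology, interface names and costs are constructed so that the same numbers give a different answer depending only on whether Spoke 2's LAN arrives as a type 1 or a type 5 LSA.

```python
"""OSPF path preference (RFC 2328, section 16.4) applied to constructed
candidate routes.  Added example, not SonicWall code."""
from dataclasses import dataclass

# Path types in order of preference: a lower rank always wins, whatever the cost.
RANK = {"intra-area": 0, "inter-area": 1, "external-1": 2, "external-2": 3}


@dataclass(frozen=True)
class Path:
    dest: str           # prefix being reached
    via: str            # next-hop interface (constructed names)
    ptype: str          # one of RANK's keys
    cost: int           # intra/inter/E1: full path cost; E2: external metric only
    asbr_cost: int = 0  # E2 only: cost to the advertising router, used as tie-break

    def key(self):
        """Sort key implementing the preference order."""
        if self.ptype == "external-2":
            return (RANK[self.ptype], self.cost, self.asbr_cost)
        return (RANK[self.ptype], self.cost, 0)


def best_path(paths):
    """Return the candidate OSPF installs for a single destination."""
    if len({p.dest for p in paths}) != 1:
        raise ValueError("best_path() compares candidates for one destination")
    return min(paths, key=Path.key)


# Spoke 1's candidates for Spoke 2's LAN (documentation prefix, constructed).
LAN2 = "192.0.2.0/24"
# Case A, Redistribute Connected Networks: the LAN arrives only as AS-external
# (LSA 5) from both directions, so the external metric decides and the hub wins.
CASE_REDISTRIBUTE = [
    Path(LAN2, "tunnel-to-hub", "external-2", cost=20, asbr_cost=2),
    Path(LAN2, "tunnel-to-spoke2", "external-2", cost=30, asbr_cost=1),
]
# Case B, Passive interface: the LAN is in Spoke 2's Router LSA (LSA 1), so the
# direct tunnel is an intra-area path and wins even with the higher cost.
CASE_PASSIVE = [
    Path(LAN2, "tunnel-to-hub", "external-2", cost=20, asbr_cost=2),
    Path(LAN2, "tunnel-to-spoke2", "intra-area", cost=30),
]

if __name__ == "__main__":
    for name, case in (("redistribute", CASE_REDISTRIBUTE), ("passive", CASE_PASSIVE)):
        print(f"{name}: install via {best_path(case).via}")
```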

To activate Passive mode on your SonicWall's internal networks, go to Network, then Routing.

Configure an internal network.

Activate OSPF on it.

Then simply choose the mode "Passive".
