Configuring IPv4 OSPFv2 Interfaces in Gaia Portal
Important - In a Cluster
- From the left navigation tree, click Advanced Routing > OSPF.
- In the Interfaces section, click Add.
- In the Interface field, select the applicable interface.
- In the Area field, select the area to assign to this interface.
Note - An entry for the Backbone area appears even if it is disabled.
- In the Hello Interval field, enter the time.
Description
Configures the delay time between Hello packets on this interface.
The OSPF Hello Protocol is responsible for establishing and maintaining adjacencies (i.e. connections) between neighboring OSPF routers.
For broadcast networks, the Hello is also used to dynamically discover neighbors.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 10 seconds for broadcast networks, 30 seconds for point-to-point networks
- In the Router Dead Interval field, enter the time.
Description
Configures the time after receipt of the last Hello packet at which a neighbor is declared dead.
Typically this is four times the Hello interval.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 40 seconds for broadcast networks, 120 seconds for point-to-point networks
- In the Retransmit Interval field, enter the time.
Description
Configures the time between LSA retransmissions for this interface.
This value is also used when retransmitting database description and link state request packets.
This value should be much higher than the expected round-trip delay between any two routers on the network.
Being conservative helps avoid unnecessary retransmissions.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 5 seconds
- In the Link Cost field, enter the cost of using the given interface for a route.
Description
The higher the cost, the less preferred the interface.
This is overridden by routing policy - Route Redistribution Rules and Route Maps.
Range: 1-65535
Default: 1
- In the Election Priority field, enter the priority used in the Designated Router (DR) election on the link.
Description
When two routers attempt to become the DR, the one with the higher priority is elected.
However, if there is already an elected DR, it continues as the DR regardless of priority.
This prevents frequent changes in the DR state.
The priority is only applicable to shared media such as Ethernet.
A DR is not elected on point-to-point interfaces.
A router with priority 0 is not eligible to become the DR.
Range: 0-255
Default: 1
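To show how the interval and priority settings above interact on one link, here is an added Python example; it is not part of the Gaia documentation. It models a broadcast segment, reports which interval settings must agree before two interfaces can become neighbors, and runs the simplified DR election just described (an already elected DR keeps the role, priority 0 is ineligible, no DR on point-to-point links). The router IDs, priorities and packet-free "segment" abstraction are constructed, and the Router ID tie-break comes from RFC 2328 rather than from this page; the range and 4x checks use the values stated above.

```python
"""Added example, not from the Gaia documentation: one broadcast segment,
the interface settings that must agree for an adjacency, and the simplified
DR election described above. Router IDs and settings are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OspfInterface:
    router_id: str          # OSPF Router ID (dotted quad); tie-break assumed per RFC 2328
    hello: int = 10         # Hello Interval, seconds (page default for broadcast)
    dead: int = 40          # Router Dead Interval, seconds
    retransmit: int = 5     # Retransmit Interval, seconds
    priority: int = 1       # Election Priority; 0 means never eligible for DR
    passive: bool = False   # Passive interfaces send no Hellos, so form no adjacency


def local_findings(i: OspfInterface) -> List[str]:
    """Checks one interface against the documented ranges and the 'dead = 4 x hello' rule of thumb."""
    out = []
    for name, val in (("hello", i.hello), ("dead", i.dead), ("retransmit", i.retransmit)):
        if not 1 <= val <= 65535:
            out.append(f"{name} interval {val} outside 1-65535")
    if not 0 <= i.priority <= 255:
        out.append(f"priority {i.priority} outside 0-255")
    if i.dead != 4 * i.hello:
        out.append(f"dead interval {i.dead} is not 4x hello {i.hello} (allowed, but unusual)")
    return out


def adjacency_blockers(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Reasons two interfaces on the same link will not become neighbors: the page
    requires Hello, Dead and Retransmit intervals to match on a given link, and a
    passive interface never sends Hellos."""
    reasons = []
    if a.passive or b.passive:
        reasons.append("passive interface sends no Hellos")
    for name in ("hello", "dead", "retransmit"):
        va, vb = getattr(a, name), getattr(b, name)
        if va != vb:
            reasons.append(f"{name} interval mismatch: {va} vs {vb}")
    return reasons


def elect_dr(routers: List[OspfInterface], current_dr: Optional[str] = None,
             point_to_point: bool = False) -> Optional[str]:
    """Simplified election from the description above: no DR on point-to-point
    links, priority 0 is ineligible, an already elected DR that is still on the
    segment keeps the role, otherwise the highest priority wins. Ties go to the
    highest Router ID (RFC 2328 behaviour, assumed here; not stated on the page)."""
    if point_to_point:
        return None
    eligible = [r for r in routers if r.priority > 0 and not r.passive]
    if current_dr is not None and current_dr in {r.router_id for r in eligible}:
        return current_dr
    if not eligible:
        return None

    def rank(r: OspfInterface):
        return (r.priority, tuple(int(o) for o in r.router_id.split(".")))

    return max(eligible, key=rank).router_id


if __name__ == "__main__":
    a = OspfInterface("10.0.0.1")
    b = OspfInterface("10.0.0.2", priority=100)
    c = OspfInterface("10.0.0.3", priority=0)
    d = OspfInterface("10.0.0.4", priority=200)
    print("blockers a<->b:", adjacency_blockers(a, b))                    # []
    print("first election:", elect_dr([a, b, c]))                         # 10.0.0.2
    print("higher priority joins:", elect_dr([a, b, c, d], current_dr="10.0.0.2"))  # 10.0.0.2
    print("DR leaves:", elect_dr([a, c, d], current_dr="10.0.0.2"))       # 10.0.0.4
```

The third call is the point of the "existing DR stays" rule: a router with priority 200 joining the segment does not displace the elected DR, and only when that DR disappears does the higher priority win. `local_findings` flags a dead interval that is not four times the hello interval as unusual rather than invalid, matching the page, which gives 4x as typical, not mandatory.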
- The Passive option controls the passive mode for this interface.
Description
When passive mode is enabled, the OSPF interface does not send Hello packets.
This means that the link does not form any adjacencies.
Passive mode enables the network associated with the interface to be included in the intra-area route calculation rather than redistributing the network into OSPF and having it as an Autonomous System External (ASE) route.
In passive mode, all interface configuration information, with the exception of the associated area and the cost, is ignored.
Range: Selected, or Cleared
Default: Cleared (The interface sends Hello packets)
- The Use Virtual Address option controls the VRRP mode for this interface.
Description
Important:
- Configure this option on VRRP Cluster Members when the given interface is configured as a VRRP interface.
- Do not configure this option on ClusterXL Cluster Members.
When this option is enabled, OSPF uses the VRRP Virtual IP Address associated with the VRRP interface instead of the physical IP address.
In addition, OSPF only runs when this router is the VRRP Master for the given interface.
Range: Selected, or Cleared
Default: Cleared
- The Subtract Authlen option controls whether to subtract the size of the authentication information from the advertised interface MTU.
Description
Configure this option when peering over a Virtual Link with Gaia R76 or lower, or IPSO 4.x or lower (see Configuring IPv4 OSPFv2 Virtual Links in Gaia Clish).
These older routing daemons automatically subtract the size of the authentication information from the advertised interface MTU, which leads to an MTU mismatch with newer versions.
Range: Selected, or Cleared
Default: Cleared
- The IP Reachability Detection option controls BFD (Bidirectional Forwarding Detection) for each neighbor from which it hears on this interface.
Description
Directs OSPF to start BFD (Bidirectional Forwarding Detection) for each neighbor from which it hears on this interface.
The BFD session is started only after OSPF transitions to 'Full' state with the neighbor.
Once the BFD session is up, OSPF responds to changes in BFD state.
If a neighbor does not have BFD configured or it does not respond to BFD control packets, it does not impact OSPF operation. OSPF can operate with both BFD and non-BFD neighbors on the same interface.
Before you enable this option, see IP Reachability Detection.
- Make sure the Firewall policy allows traffic to the UDP port 3784 in both directions.
- Make sure the SmartConsole topology is correct (issues with incorrect Firewall topology can cause anti-spoofing to interfere with BFD traffic).
Range: Selected, or Cleared
Default: Selected
- In the Authentication section, configure the Authentication Mode.
Description
Authentication guarantees that routing information is accepted only from trusted routers.
A message digest or message authentication code is included in outgoing OSPF packets, so that receivers can authenticate these packets.
Important - Both OSPF sides must agree on these settings for the OSPF authentication to work, and to form OSPF adjacencies.
Instructions
- In the Authentication Mode field, select the applicable mode:
None - Does not authenticate OSPF packets. This is the default option.
Simple - Authenticates OSPF packets with a simple password. The simple password must contain from 1 to 8 alphanumeric ASCII characters.
Cryptographic - Authenticates OSPF packets with MD5 or HMAC. This OSPFv2 HMAC-SHA authentication (RFC 5709) is backward-compatible with the OSPFv2 MD5 authentication. For cryptographic authentication, at least one key needs to be configured, with Key ID, Algorithm, and Secret.
If you configure multiple keys:
- When transmitting OSPF packets, Gaia uses the key with the highest Key ID. Gaia includes a message digest or message authentication code in the outgoing OSPF packets to enable receivers to authenticate them.
- When receiving OSPF packets, Gaia accepts packets authenticated with any of the configured keys.
The available algorithms are listed in decreasing order of cryptographic strength:
- hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
- hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
- hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
- hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
- md5 - Provides a cryptographic MD5 hash based on the configured key.
A shared secret (password) for cryptographic authentication:
- For HMAC algorithms - Alphanumeric string from 1 to 80 characters. May not contain spaces or '\' characters.
- For the MD5 algorithm - Alphanumeric string from 1 to 16 characters. May not contain spaces or '\' characters.
- Click Save in the Authentication section.
- Click Save.
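As an added example that is not part of the Gaia documentation, the following Python models the Key ID behaviour described in the Authentication section (sign with the highest Key ID, accept any configured key on receipt) together with the documented secret-format rules, and walks through a key rollover between two routers. The digest constructions are simplified models: standard HMAC for the hmac-sha-* algorithms and the RFC 2328 Appendix D form (MD5 over the packet followed by the zero-padded 16-octet key) for md5; the OSPF authentication trailer layout itself is not reproduced. The class and function names, the packet bytes, the Key IDs and the secrets are all constructed for the example.

```python
"""Added example, not from the Gaia documentation: a per-interface key ring that
applies the Key ID rules described above (sign with the highest Key ID, accept any
configured key on receipt) plus the documented secret-format checks. The digest
constructions are simplified models: standard HMAC for the hmac-sha-* algorithms,
and the RFC 2328 Appendix D form (MD5 over packet || zero-padded 16-octet key) for
md5. The OSPF authentication trailer layout is not reproduced. Packet bytes,
Key IDs and secrets are constructed sample values."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

HMAC_ALGOS = {"hmac-sha-512": "sha512", "hmac-sha-384": "sha384",
              "hmac-sha-256": "sha256", "hmac-sha-1": "sha1"}
_SECRET_RE = re.compile(r"^[A-Za-z0-9]+$")   # alphanumeric only: excludes spaces and '\'


def validate_secret(algorithm: str, secret: str) -> bool:
    """Length and character rules from the page: 1-80 characters for HMAC, 1-16 for md5."""
    limit = 16 if algorithm == "md5" else 80
    return 1 <= len(secret) <= limit and _SECRET_RE.match(secret) is not None


def compute_digest(algorithm: str, secret: str, packet: bytes) -> bytes:
    """Model of the per-algorithm digest; see the module docstring for what is simplified."""
    if algorithm == "md5":
        return hashlib.md5(packet + secret.encode().ljust(16, b"\0")).digest()
    return hmac.new(secret.encode(), packet, HMAC_ALGOS[algorithm]).digest()


class OspfKeyRing:
    """Keys configured on one interface: key_id -> (algorithm, secret)."""

    def __init__(self) -> None:
        self.keys: Dict[int, Tuple[str, str]] = {}

    def add(self, key_id: int, algorithm: str, secret: str) -> None:
        if algorithm != "md5" and algorithm not in HMAC_ALGOS:
            raise ValueError(f"unknown algorithm {algorithm}")
        if not validate_secret(algorithm, secret):
            raise ValueError("secret violates the length/character rules")
        self.keys[key_id] = (algorithm, secret)

    def sign(self, packet: bytes) -> Tuple[int, bytes]:
        """Transmit side: the key with the highest Key ID is always used."""
        key_id = max(self.keys)
        algorithm, secret = self.keys[key_id]
        return key_id, compute_digest(algorithm, secret, packet)

    def verify(self, packet: bytes, key_id: int, digest: bytes) -> bool:
        """Receive side: any configured key is accepted, chosen by the Key ID the
        packet carries; unknown Key IDs fail. Constant-time comparison."""
        if key_id not in self.keys:
            return False
        algorithm, secret = self.keys[key_id]
        return hmac.compare_digest(compute_digest(algorithm, secret, packet), digest)


def accepted(sender: OspfKeyRing, receiver: OspfKeyRing, packet: bytes) -> bool:
    """One packet from sender to receiver: signed with the sender's highest key."""
    key_id, digest = sender.sign(packet)
    return receiver.verify(packet, key_id, digest)


def rollover_demo() -> List[Tuple[str, bool]]:
    """Key rollover between two routers, one direction of traffic shown. Returns
    (step, accepted) pairs; the False step is the window in which only one
    router has the new key, since that router transmits with it immediately."""
    packet = bytes([2, 1, 0, 44]) + b"\x0a\x00\x00\x01" + b"\0" * 36   # constructed OSPFv2 Hello stub
    r1, r2 = OspfKeyRing(), OspfKeyRing()
    for ring in (r1, r2):
        ring.add(1, "hmac-sha-256", "oldsecret2023")
    steps = [("both have key 1", accepted(r1, r2, packet))]
    r1.add(2, "hmac-sha-256", "newsecret2024")
    steps.append(("only r1 has key 2", accepted(r1, r2, packet)))
    r2.add(2, "hmac-sha-256", "newsecret2024")
    steps.append(("both have keys 1 and 2", accepted(r1, r2, packet)))
    del r1.keys[1], r2.keys[1]          # retire the old key on both
    steps.append(("both have key 2 only", accepted(r1, r2, packet)))
    return steps


if __name__ == "__main__":
    for step, ok in rollover_demo():
        print(f"{step}: {'authenticated' if ok else 'rejected'}")   # True, False, True, True
```

The False step in `rollover_demo` is the practical caveat behind the two Key ID rules: because the transmitter always picks the highest Key ID, a router starts sending with the new key the moment it is configured, so every other router on the link must have the same key within the Router Dead Interval or the adjacency is lost. Receivers accepting every configured key is what makes the remaining steps seamless, and it also lets an md5 key and an hmac-sha-256 key coexist on one ring during a migration to the algorithm the page recommends.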