Configuring IPv4 OSPFv2 Virtual Links in Gaia Portal
Important - In a Cluster
Description
The virtual link is effectively a tunnel across an adjacent non-backbone area, whose endpoint must be any of the adjacent area's border routers that has an interface in the backbone area.
You must configure a virtual link for any area that does not connect directly to the backbone area.
You configure the virtual link on both the ABR for the discontiguous area and another ABR that does connect to the backbone.
The virtual link acts like a point-to-point link.
The routing protocol traffic that flows along the virtual link uses intra-area routing only.
If the router is an Area Border Router with no interfaces in the backbone area, a Virtual Link must be configured to connect it to the backbone.
This link is effectively a tunnel across an adjacent Transit Area.
The other endpoint of the Virtual Link must be an OSPF router which has an interface connected to the backbone, and which also has an interface connected to the Transit Area.
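The endpoint rule above can be checked against a router inventory. This is an added example, not Check Point code: it lists, for each ABR with no backbone interface, the Transit Area and Remote Router ID pairs that satisfy the requirement. The backbone is assumed to be area 0.0.0.0, and the topology is constructed (only the Router ID 192.168.3.4 appears on this page).

```python
BACKBONE = "0.0.0.0"  # assumption: backbone area written in dotted form

# Constructed inventory: Router ID -> areas in which the router has an interface.
TOPOLOGY = {
    "192.168.3.4": {BACKBONE, "0.0.0.1"},    # ABR attached to the backbone
    "192.168.3.5": {"0.0.0.1", "0.0.0.2"},   # ABR with no backbone interface
    "192.168.3.6": {"0.0.0.2"},              # internal router, not an ABR
    "192.168.3.7": {BACKBONE},               # backbone-internal router
    "192.168.3.8": {"0.0.0.3", "0.0.0.4"},   # ABR with no reachable backbone ABR
}

def virtual_link_candidates(topology):
    """Map each ABR that lacks a backbone interface to its valid
    (transit_area, remote_router_id) pairs. An empty list means no router
    in the inventory can terminate a virtual link for that ABR."""
    result = {}
    for rid, areas in sorted(topology.items()):
        is_abr = len(areas) > 1
        if not is_abr or BACKBONE in areas:
            continue  # only discontiguous ABRs need a virtual link
        pairs = []
        for transit in sorted(areas):
            for peer, peer_areas in sorted(topology.items()):
                # The far endpoint needs an interface in the backbone
                # and an interface in the shared Transit Area.
                if peer != rid and BACKBONE in peer_areas and transit in peer_areas:
                    pairs.append((transit, peer))
        result[rid] = pairs
    return result

if __name__ == "__main__":
    for rid, pairs in virtual_link_candidates(TOPOLOGY).items():
        print(rid, pairs or "no valid far endpoint in inventory")
```
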
Procedure
- From the left navigation tree, click Advanced Routing > OSPF.
- In the Areas section, configure an OSPFv2 area to use as a Transit Area for this virtual link.
Description
A Transit Area is the area shared between the two endpoint routers of the Virtual Link.
LSAs are sent to/from the backbone via this Transit Area.
- In the Interfaces section, assign the applicable Transit Area to the applicable interface.
- In the Virtual Links section, click Add.
- In the Remote Router ID field, enter the Router ID of the other endpoint for this Virtual Link (for example: 192.168.3.4).
- In the Transit Area field, select the applicable area.
- In the Hello Interval field, enter the time.
Description
Configures the delay time between Hello packets on this interface.
The OSPF Hello Protocol is responsible for establishing and maintaining adjacencies (i.e. connections) between neighboring OSPF routers.
For broadcast networks, the Hello is also used to dynamically discover neighbors.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 10 seconds for broadcast networks, 30 seconds for point-to-point networks
- In the Router Dead Interval field, enter the time.
Description
Configures the time after receipt of the last Hello packet, at which a neighbor is declared dead.
Typically this is four times the Hello interval.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 40 seconds for broadcast networks, 120 seconds for point-to-point networks
- In the Retransmit Interval field, enter the time.
Description
Configures the time between LSA retransmissions for this interface.
This value is also used when retransmitting database description and link state request packets.
This value should be much higher than the expected round-trip delay between any two routers on the network.
Being conservative helps avoid unnecessary retransmissions.
Important - For a given link, this value must be the same for all OSPF routers.
Range: 1-65535 seconds
Default: 5 seconds
- In the Authentication section, configure the Authentication Mode.
Description
Authentication guarantees that routing information is accepted only from trusted routers.
A message digest or message authentication code is included in outgoing OSPF packets, so that receivers can authenticate these packets.
Important - Both OSPF sides must agree on these settings for the OSPF authentication to work, and to form OSPF adjacencies.
Instructions
- In the Authentication Mode field, select the applicable mode:
Mode - Description
None - Does not authenticate OSPF packets. This is the default option.
Simple - Authenticates OSPF packets with a simple password.
The simple password must contain from 1 to 8 alphanumeric ASCII characters.
Cryptographic - Authenticates OSPF packets with MD5 or HMAC.
This OSPFv2 HMAC-SHA authentication (RFC 5709) is backward-compatible with the OSPFv2 MD5 authentication.
For cryptographic authentication, at least one key needs to be configured, with Key ID, Algorithm, and Secret.
If you configure multiple keys:
- When transmitting OSPF packets, Gaia uses the key with the highest Key ID. Gaia includes a message digest or message authentication code in the outgoing OSPF packets to enable receivers to authenticate them.
- When receiving OSPF packets, Gaia accepts all the configured keys.
The available algorithms are listed in the decreasing order of their cryptographic strength:
- hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
- hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
- hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
- hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
- md5 - Provides a cryptographic MD5 hash based on the configured key.
A shared secret (password) for cryptographic authentication:
- For HMAC algorithms - Alphanumeric string from 1 to 80 characters. May not contain spaces or '\' characters.
- For MD5 algorithm - Alphanumeric string from 1 to 16 characters. May not contain spaces or '\' characters.
- Click Save.
- Click Save.
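Added example, not part of the Gaia documentation or Check Point tooling: a Python check that compares the virtual-link settings of both endpoints against the rules in this procedure (timer ranges and equality, secret formats, and the highest-Key-ID transmit rule). The dictionary layout, the names ABR_A and ABR_B, and all sample values are assumptions made for the example.

```python
import re

HMAC_ALGS = ("hmac-sha-512", "hmac-sha-384", "hmac-sha-256", "hmac-sha-1")
SECRET_MAX = {**{alg: 80 for alg in HMAC_ALGS}, "md5": 16}  # limits stated on the page
TIMERS = ("hello", "dead", "retransmit")

def check_endpoint(cfg):
    """Return range and secret-format problems in one endpoint's settings."""
    problems = [f"{t} interval out of range 1-65535"
                for t in TIMERS if not 1 <= cfg[t] <= 65535]
    if cfg["mode"] == "simple" and not re.fullmatch(r"[A-Za-z0-9]{1,8}", cfg["password"]):
        problems.append("simple password must be 1-8 alphanumeric characters")
    if cfg["mode"] == "cryptographic":
        if not cfg["keys"]:
            problems.append("cryptographic mode needs at least one key")
        for key_id, (alg, secret) in sorted(cfg["keys"].items()):
            limit = SECRET_MAX.get(alg)
            if limit is None:
                problems.append(f"key {key_id}: unknown algorithm {alg}")
            elif not re.fullmatch(r"[A-Za-z0-9]{1,%d}" % limit, secret):
                problems.append(f"key {key_id}: secret must be 1-{limit} alphanumeric characters")
    return problems

def check_pair(a, b):
    """Return settings that must agree on both endpoints but do not."""
    problems = [f"{f} differs: {a[f]} vs {b[f]}"
                for f in ("transit_area", *TIMERS, "mode") if a[f] != b[f]]
    if a["mode"] == b["mode"] == "simple" and a["password"] != b["password"]:
        problems.append("simple passwords differ")
    if a["mode"] == b["mode"] == "cryptographic":
        for tx, rx, name in ((a, b, "a->b"), (b, a, "b->a")):
            if not tx["keys"]:
                continue
            tx_id = max(tx["keys"])  # sender uses its highest Key ID
            # The receiver accepts any key it has configured, so it must hold this one.
            if rx["keys"].get(tx_id) != tx["keys"][tx_id]:
                problems.append(f"{name}: transmit key {tx_id} missing or different on receiver")
    return problems

# Constructed sample endpoints; timers use the page's point-to-point defaults.
BASE = {"transit_area": "0.0.0.1", "hello": 30, "dead": 120, "retransmit": 5,
        "mode": "cryptographic", "password": ""}
ABR_A = {**BASE, "keys": {1: ("hmac-sha-256", "OldSecret1"), 2: ("hmac-sha-256", "NewSecret2")}}
ABR_B = {**BASE, "dead": 40, "keys": {1: ("hmac-sha-256", "OldSecret1")}}

if __name__ == "__main__":
    for line in check_endpoint(ABR_A) + check_pair(ABR_A, ABR_B):
        print(line)
```

In the sample, ABR_A already holds key 2 while ABR_B does not, so ABR_A transmits with a key its peer cannot verify. A new key therefore has to exist on the receiving endpoint before it becomes the sender's highest Key ID.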