Actually... OSPF will work across an IPsec tunnel. Unfortunately, last time I checked, it wouldn't work across a tunnel that's terminated within a routing instance on an SRX. The issue was confirmed by JTAC. We haven't tried it on 10.4 yet, but it's a known issue with older code.

OSPF just won't build a relationship across the tunnel. On the other hand, it works great across IPsec tunnels between NetScreens. If I remember, I'll try to dig up the KB article/bug report that covers it.

On Apr 28, 2011, at 10:58 PM, Keegan Holley wrote:

> Sorry, I meant IPsec doesn't carry multicast. OSPF technically doesn't "carry" anything.
>
> On Thu, Apr 28, 2011 at 11:28 PM, Keegan Holley <keegan.hol...@sungard.com> wrote:
>
>> I don't think OSPF carries multicast. I know Cisco routers have a neighbor statement that will force it to unicast hellos; I've never tried it on a Juniper. I think if you do GRE over IPsec (not to be confused with IPsec over GRE) the multicast will work as well. It depends on your endpoints though; I don't think firewalls will do GRE.
>>
>> On Thu, Apr 28, 2011 at 3:59 PM, Leonardo Gama Souza <leonardo.so...@nec.com.br> wrote:
>>
>>>> Hello All:
>>>>
>>>> I'm trying to get OSPF up over IPsec. We have two IPsec tunnels, a primary and a secondary that our spoke router can use. We want to have the spoke router run OSPF across both, and then in case of a failure of the primary hub router (where the primary IPsec tunnel terminates) OSPF will direct traffic over the backup tunnel to the backup hub.
>>>>
>>>> So far I have seen OSPF on the spoke router come up just a couple of times, but only to one or the other peer. It never has come up to both peers. Here are my configurations for OSPF and the services interfaces below. Also, BGP is up on all routers and all routers are reachable via BGP.
>>>>
>>>> If anyone can guide me in the right direction to get OSPF working over IPsec, that would be most appreciated!
>>>
>>> As far as I know, IPsec alone is not able to carry multicast traffic. Are you using GRE over IPsec? If not, you may want to try unicast hellos.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
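As an added example (not any poster's configuration), here is the route-based form of the primary/backup spoke setup on a Junos SRX: binding each tunnel to an st0 unit means anything routed into the tunnel interface, OSPF hellos to 224.0.0.5 included, gets encapsulated, which is what a policy-based tunnel lacks. Names, addresses and the pre-shared key placeholder are constructed, and the tunnels stay in the default routing instance, given the routing-instance problem the first reply describes.

```junos
## Spoke SRX, "set" syntax. All names and addresses are constructed.
set interfaces st0 unit 0 description "tunnel to primary hub"
set interfaces st0 unit 0 family inet address 10.255.0.2/30
set interfaces st0 unit 1 description "tunnel to backup hub"
set interfaces st0 unit 1 family inet address 10.255.1.2/30

## IKE: one policy, one gateway per hub (hub addresses are placeholders)
set security ike policy hub-ike-pol mode main
set security ike policy hub-ike-pol proposal-set standard
set security ike policy hub-ike-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway hub1-gw ike-policy hub-ike-pol
set security ike gateway hub1-gw address 198.51.100.1
set security ike gateway hub1-gw external-interface ge-0/0/0.0
set security ike gateway hub2-gw ike-policy hub-ike-pol
set security ike gateway hub2-gw address 198.51.100.2
set security ike gateway hub2-gw external-interface ge-0/0/0.0

## IPsec: each VPN bound to its own st0 unit (route-based, not policy-based)
set security ipsec policy hub-ipsec-pol proposal-set standard
set security ipsec vpn hub1-vpn bind-interface st0.0
set security ipsec vpn hub1-vpn ike gateway hub1-gw
set security ipsec vpn hub1-vpn ike ipsec-policy hub-ipsec-pol
set security ipsec vpn hub1-vpn establish-tunnels immediately
set security ipsec vpn hub2-vpn bind-interface st0.1
set security ipsec vpn hub2-vpn ike gateway hub2-gw
set security ipsec vpn hub2-vpn ike ipsec-policy hub-ipsec-pol
set security ipsec vpn hub2-vpn establish-tunnels immediately

## The tunnel interfaces' zone must allow OSPF in, or hellos are dropped
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic protocols ospf

## OSPF on both tunnels. p2p: each st0 unit has exactly one peer, so no
## DR/BDR election. Higher metric on the backup so the primary hub wins
## and the backup path takes over only when the primary adjacency drops.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 100

## Verify: both SAs up, and two OSPF neighbors in Full state
## > show security ipsec security-associations
## > show ospf neighbor
```

The hub side mirrors this with its own st0 unit per spoke; the `host-inbound-traffic protocols ospf` line is the check most often missed when the SA is up but `show ospf neighbor` stays empty.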