5.6.3. OSPF

Dynamic routing protocols are used to signal which networks are currently connected to each of the routers. Routers communicate using routing protocols. UserGate updates the kernel routing table in accordance with the information it receives from the neighboring routers. Dynamic routing does not change how the kernel performs routing at the IP layer. The kernel keeps looking up routes to hosts and networks as well as default routes in its routing table. The only thing that changes is how routes are managed in the routing table: instead of the manual method, they are added and removed dynamically. Routes are only added to the virtual router in which the OSPF protocol is configured.

OSPF (Open Shortest Path First) is a link-state dynamic routing protocol that uses Dijkstra's algorithm to find the shortest path.

The OSPF protocol disseminates information on the available routes among the routers that operate within a single autonomous system (AS). For more details on how the OSPF protocol works, see the relevant technical documentation.


When OSPF is used in an Active-Passive HA cluster, a node with the slave role automatically assigns to all its interfaces and redistribution lists a cost that is twice as high as the value set on the node. This ensures that the master node has priority in traffic routing.
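The effect of the doubled cost on path selection, as an added example (not UserGate code): a shortest-path computation over an assumed topology in which an upstream router R reaches a LAN through either cluster node. The node names, R's link cost of 10 and the link map are assumptions made for the illustration.

```python
import heapq

def spf(links, src):
    """Dijkstra over directed links {(a, b): cost}, costs > 0.
    Returns {node: (total cost, set of equal-cost first hops)}."""
    best = {src: (0, set())}
    queue = [(0, src)]
    while queue:
        cost, node = heapq.heappop(queue)
        if cost > best[node][0]:
            continue  # stale queue entry
        for (a, b), link_cost in links.items():
            if a != node:
                continue
            hops = {b} if node == src else best[node][1]
            total = cost + link_cost
            if b not in best or total < best[b][0]:
                best[b] = (total, set(hops))
                heapq.heappush(queue, (total, b))
            elif total == best[b][0]:
                best[b][1].update(hops)  # equal-cost alternative
    return best

def cluster_links(configured_cost=1, slave_doubles=True, master_up=True):
    """Assumed topology: R reaches LAN through either cluster node.
    A link's cost is the outgoing interface cost of the sending router."""
    slave_cost = configured_cost * 2 if slave_doubles else configured_cost
    links = {("R", "slave"): 10, ("slave", "LAN"): slave_cost}
    if master_up:
        links.update({("R", "master"): 10, ("master", "LAN"): configured_cost})
    return links

if __name__ == "__main__":
    print(spf(cluster_links(), "R")["LAN"])                     # doubled cost on the slave
    print(spf(cluster_links(slave_doubles=False), "R")["LAN"])  # same cost on both nodes
    print(spf(cluster_links(master_up=False), "R")["LAN"])      # master has failed
```

With identical costs on both nodes the two paths tie and R would split traffic between them; the doubled cost breaks the tie in favour of the master while leaving the slave path available for failover.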

To configure OSPF in UserGate, follow these steps:



Step 1. Select a virtual router.

If there are several virtual routers, select the desired one.

Step 2. Enable the OSPF router.

In the UserGate console, go to the Network --> Virtual routers section, select OSPF in the menu, and configure the OSPF router.

To configure an OSPF router, provide the following settings:




Enables or disables this OSPF router.

Router ID

The router's IP address. Must match one of the IP addresses assigned to the UserGate network interfaces that belong to this virtual router.


Distribute routes towards networks directly connected to UserGate (connected) or static routes added by the administrator for this virtual router (kernel) to other OSPF routers.


Set a metric for the distributed routes.

Default originate

Notify other routers that this router has a default route.

To configure OSPF interfaces, provide these settings:




Enables or disables this interface.


Select one of the existing interfaces on which OSPF will run. Only the interfaces belonging to this virtual router are available for selection.


The link cost for this interface. This value is reported in the LSA (link-state advertisement) to the neighboring routers which use it to compute the shortest path. Default value: 1.


An integer in the range from 0 to 255. The higher the value, the higher the probability that this router will become the network's designated router for sending out LSAs. A value of 0 excludes the router from being designated. Default value: 1.

Hello interval

The time interval in seconds between hello packets sent by the router. This should be the same for all routers in an autonomous system. The default value is 10 seconds.

Dead interval

The time interval in seconds after which the neighboring router is considered offline. The time is counted from the moment of receiving the last hello packet from the neighboring router. The default value is 40 seconds.

Retransmit interval

The time interval before LSA packet retransmission. The default value is 5 seconds.

Transmit delay

The approximate time it takes to deliver a link state update to the neighboring routers. The default value is 1 second.



Turns on mandatory authentication for each OSPF message received by the router. Authentication is normally used to prevent the injection of a fake route from illegitimate routers.

Authentication type

The options are:

  • Plain: send the key in plain text for router authentication. A value must be provided for the Key field.

  • Digest: use an MD5 hash of the key to authenticate OSPF packets. The values of Key and MD5 key ID must be provided. For authentication to work correctly, these parameters must be identical on all routers.

The Key value can only include Latin letters, numbers, and the underscore character. Maximum length: 16 characters.
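How Digest authentication works on the wire, as an added example that is not UserGate code: the sender appends MD5(packet || key) as defined for OSPFv2 in RFC 2328, and the receiver recomputes it with the key stored under the same key ID. The addresses, the key and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5_LEN = 16  # MD5 digest size; RFC 2328 also pads the shared key to this length

def hello(router_id, area_id, key_id, seq):
    """OSPFv2 Hello with AuType 2 (cryptographic), using the page's default timers."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40,            # hello interval, options, priority, dead interval
                       bytes(4), bytes(4))         # no DR/BDR elected yet
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, 2,                     # checksum unused, AuType 2
                         0, key_id, MD5_LEN, seq)  # reserved, key ID, digest length, sequence
    return header + body

def sign(packet, key):
    """Append MD5(packet || zero-padded key); the key itself never goes on the wire."""
    return packet + hashlib.md5(packet + key.ljust(MD5_LEN, b"\0")).digest()

def verify(wire, keys, last_seq=0):
    """Receiver side: keys maps MD5 key ID -> key configured on this router."""
    length, = struct.unpack("!H", wire[2:4])
    autype, _, key_id, dlen, seq = struct.unpack("!HHBBI", wire[14:24])
    if autype != 2 or dlen != MD5_LEN or len(wire) != length + dlen:
        return "reject: not digest-authenticated"
    if key_id not in keys:
        return "reject: unknown key ID"
    expected = hashlib.md5(wire[:length] + keys[key_id].ljust(MD5_LEN, b"\0")).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return "reject: digest mismatch"
    if seq < last_seq:
        return "reject: stale sequence number"
    return "accept"

# Constructed sample: sender uses key ID 1 with key b"ospf_Key_2024".
WIRE = sign(hello("192.0.2.1", "0.0.0.0", key_id=1, seq=1000), b"ospf_Key_2024")

if __name__ == "__main__":
    print(verify(WIRE, {1: b"ospf_Key_2024"}))                 # same key and key ID
    print(verify(WIRE, {1: b"ospf_key_2024"}))                 # key differs by one letter
    print(verify(WIRE, {2: b"ospf_Key_2024"}))                 # right key, wrong key ID
    print(verify(WIRE, {1: b"ospf_Key_2024"}, last_seq=2000))  # sequence number went backwards
    print(b"ospf_Key_2024" in WIRE)                            # key is not in the packet
```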

To configure OSPF areas, provide these settings:




Enables or disables this area.


The area name.


The cost of an LSA announced in the stub area.

Area ID

The ID for the area. The ID can be specified in decimal format or in IP address notation. However, area IDs are not IP addresses and can match any assigned IP address.

Authentication type

The options are:

  • None: do not require OSPF packet authentication.

  • Plain: transmit the key as plain text to authenticate OSPF packets. The key specified in the interface settings is used.

  • Digest: use an MD5 hash of the key to authenticate OSPF packets. The key specified in the interface settings is used.

Interface-level authentication takes precedence over area-level authentication.

Area type

Defines the type of the area. The following area types are supported:

  • Normal: a normal area created by default. This area receives link updates, summary routes, and external routes.

  • Stub: a stub area. Does not receive information on routes external to the autonomous system but receives routes from other areas. If routers from a stub area need to send information outside of the autonomous system, they use the default route. An ASBR cannot reside in a stub area.

  • NSSA: a not-so-stubby area. An NSSA defines an additional LSA type, LSA type 7. A boundary router (ASBR) can be located in an NSSA.

No summary

Prohibits injecting summarized routes into stub-type areas.


Select the OSPF interfaces on which this area will be available.

Virtual links

This is a special type of connection that makes it possible, for example, to interconnect a partitioned area or connect an area to the backbone area via another area. It is configured between two ABRs.

Routers can transmit OSPF packets encapsulated in IP packets over such links. This mechanism is used as a temporary solution or as a backup in case the primary connections fail.

You can specify the IDs of the routers available via this area.
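One way to check a configuration against the authentication rules described above, as an added example (not UserGate code and not its export format): it resolves the effective authentication type per interface, with the interface-level setting overriding the area-level type, and flags unauthenticated or plain-text adjacencies and keys that break the key rule. The dictionary layout and all field names are hypothetical.

```python
import re

KEY_RE = re.compile(r"[A-Za-z0-9_]{1,16}")  # Key rule stated on this page

def effective_auth(iface, area):
    """Interface-level authentication takes precedence over the area-level type."""
    return iface["auth_type"] if iface.get("auth_enabled") else area["auth_type"]

def audit(router):
    """Return a list of findings for one OSPF router configuration."""
    findings = []
    if router["router_id"] not in {i["ip"] for i in router["interfaces"]}:
        findings.append("router: Router ID matches no interface address")
    area_of = {n: a for a in router["areas"] for n in a["interfaces"]}
    for i in router["interfaces"]:
        name, area = i["name"], area_of.get(i["name"])
        if area is None:
            findings.append(f"{name}: not assigned to any area")
            continue
        auth = effective_auth(i, area)
        if auth == "none":
            findings.append(f"{name}: OSPF packets accepted without authentication")
            continue
        if auth == "plain":
            findings.append(f"{name}: key is sent in plain text")
        # Area-level Plain/Digest still uses the key from the interface settings.
        if not KEY_RE.fullmatch(i.get("key") or ""):
            findings.append(f"{name}: key missing or violates the key rule")
        if auth == "digest" and i.get("md5_key_id") is None:
            findings.append(f"{name}: Digest selected without an MD5 key ID")
    return findings

SAMPLE = {  # constructed sample; field names are hypothetical
    "router_id": "192.0.2.1",
    "interfaces": [
        {"name": "port1", "ip": "192.0.2.1", "auth_enabled": True,
         "auth_type": "digest", "key": "ospf_Key_2024", "md5_key_id": 1},
        {"name": "port2", "ip": "198.51.100.1", "auth_enabled": True,
         "auth_type": "plain", "key": "backbone-key!"},
        {"name": "port3", "ip": "203.0.113.1", "auth_enabled": False},
        {"name": "port4", "ip": "203.0.113.129", "auth_enabled": False},
    ],
    "areas": [
        {"name": "backbone", "auth_type": "digest", "interfaces": ["port1", "port2", "port3"]},
        {"name": "branch", "auth_type": "none", "interfaces": ["port4"]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```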