On 2017/11/07 15:31, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
> > On 2017-11-07, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> >> Hello
> >>
> >> I have a question concerning routes and ospf.
> >> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> >> routing.
> >>
> >> If the ipsec tunnel is down, no ospf route is set and the default route
> >> is used.
> >>
> >> Is it sensible and possible to add a null-route from the vpn-gateway to
> >> the remote-networks so a 'Network not reachable' is sent immediately?
> >
> > Sensible - yes.
> >
> > Possible - not sure but I think you would probably need to monitor the ipsec
> > status and add the route and/or gif interface only once the SA is up.
> 
> I may be missing something, but maybe just add a -reject route with
> a low -priority for each of your ospf routes?  When an ospf route
> disappears the -reject one would be preferred.
> 
> (And if all your "vpn" routes are in a common prefix, you can just use
> a single -reject route for that prefix and let more-specifics win.)

Unless I missed something, the gif interface and static routes don't know
anything about the SA status; either you would need to monitor and add on
the fly (in which case the original problem wouldn't have happened, I think?)
or they would be pre-created (in which case, OSPF will already announce them
before the SA is up). It's a different case than something like openvpn
or openconnect where the route only exists after the VPN is up.
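The fallback-reject approach suggested above, written out as an added example (not from the thread or from OpenBSD's own docs): an assumed /etc/hostname.gif0 with constructed tunnel and remote-network addresses. It relies on the route priorities OpenBSD uses, where a lower number wins, ospfd installs its routes at priority 32 and a plain static route defaults to 8; the 127.0.0.1 gateway for the reject route is an assumption.

```conf
# /etc/hostname.gif0 (assumed interface name; all addresses are constructed)
tunnel 192.0.2.1 198.51.100.1
inet 10.1.0.1 255.255.255.255 10.2.0.1
up
# A reject route for the whole remote prefix.  Priority 60 is numerically
# higher than ospfd's 32, so while ospfd announces the more-specific /24s
# they win and traffic goes through the tunnel; once the SA drops and ospfd
# withdraws them, this route matches instead and the kernel answers with
# ICMP unreachable right away instead of falling through to the default route.
# Gateway 127.0.0.1 is the assumed convention for -reject/-blackhole routes.
!route -qn add -reject -priority 60 10.2.0.0/16 127.0.0.1
```

After a reload, `route -n show -inet` lists both the OSPF /24s (priority 32) and the /16 reject route (priority 60) so the precedence can be checked before the next SA outage.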
