On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
>>> I have a question concerning routes and ospf. We are using iked(8) with a gif(4) interface and ospfd(8) to set up routing. If the ipsec tunnel is down, no ospf route is set and the default route used. Is it sensible and possible to add a null-route from the vpn-gateway to the remote-networks so a 'Network not reachable' is sent immediately?
>>
>> Sensible - yes. Possible - not sure but I think you would probably need to monitor the ipsec status and add the route and/or gif interface only once the SA is up.
>
> I may be missing something, but maybe just add a -reject route with a low -priority for each of your ospf routes? When an ospf route disappears the -reject one would be preferred. (And if all your "vpn" routes are in a common prefix, you can just use a single -reject route for that prefix and let more-specifics win.)

Something like this was actually my plan. Just wasn't so sure if one actually does it like this or if there are other ways of doing it.

So basically a route add -inet 172.16/12 -reject -priority 33 would suffice (33 as the ospf routes have a prio of 32).
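To see why the -reject route only takes over once the OSPF route is gone, here is an added model of the selection rules (longest prefix first, then lowest priority number among routes to the same prefix); it is not code from the thread or from OpenBSD, and the addresses and the static default priority of 8 are assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    priority: int            # OpenBSD semantics: lower number wins within one prefix
    gateway: Optional[str]   # None for a -reject route
    reject: bool = False


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first; priority only breaks ties between
    routes to the same prefix (how the OpenBSD rtable chooses)."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in table if addr in r.prefix]
    if not matching:
        return None
    longest = max(r.prefix.prefixlen for r in matching)
    same_prefix = [r for r in matching if r.prefix.prefixlen == longest]
    return min(same_prefix, key=lambda r: r.priority)


def next_hop(table: List[Route], dst: str) -> str:
    """Gateway a packet to dst would use, or 'unreachable' when a
    -reject route wins (the kernel answers EHOSTUNREACH at once)."""
    r = select_route(table, dst)
    if r is None or r.reject:
        return "unreachable"
    return r.gateway


def build_table(ospf_up: bool, per_prefix: bool = False) -> List[Route]:
    """Constructed sample table (addresses made up). OSPF routes sit at
    priority 32 and the reject route at 33, as in the thread; per_prefix
    models one -reject route per OSPF prefix instead of a single /12."""
    net = ipaddress.IPv4Network
    table = [Route(net("0.0.0.0/0"), 8, "203.0.113.1")]   # static default
    if per_prefix:
        table.append(Route(net("172.16.5.0/24"), 33, None, reject=True))
    else:   # route add -inet 172.16/12 -reject -priority 33
        table.append(Route(net("172.16.0.0/12"), 33, None, reject=True))
    if ospf_up:   # remote site learned over the gif(4)/ipsec tunnel
        table.append(Route(net("172.16.5.0/24"), 32, "10.0.0.2"))
    return table
```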