On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
>>>>> I have a question concerning routes and ospf. We are using iked(8)
>>>>> with a gif(4) interface and ospfd(8) to set up routing. If the ipsec
>>>>> tunnel is down, no ospf route is set and the default route is used.
>>>>> Is it sensible and possible to add a null-route from the vpn-gateway
>>>>> to the remote-networks so a 'Network not reachable' is sent
>>>>> immediately?
>>>>
>>>> Sensible - yes. Possible - not sure but I think you would probably
>>>> need to monitor the ipsec status and add the route and/or gif
>>>> interface only once the SA is up.
>>>
>>> I may be missing something, but maybe just add a -reject route with a
>>> low -priority for each of your ospf routes? When an ospf route
>>> disappears the -reject one would be preferred. (And if all your "vpn"
>>> routes are in a common prefix, you can just use a single -reject route
>>> for that prefix and let more-specifics win.)
>>
>> something like this was actually my plan. just wasn't so sure if one
>> actually does it like this or if there are other ways of doing it.
>> so basically a
>>
>>     route add -inet 172.16/12 -reject -priority 33
>>
>> would suffice (33 as the ospf routes have a prio of 32)
>
> Yes, but I think that what Stuart points out is that your gif tunnel
> might be used even if ipsec isn't protecting it...
OK, maybe I am missing something now. I got two networks 192.168.1/24 and 192.168.2/24, each with a VPN GW 192.168.X.254 and a default GW at 192.168.X.1. Between the VPN GWs I have a gif tunnel using 192.168.X.254 -> <external IP otherside>, inside tunnel 10.23.23.1 -> 10.23.23.2.
My iked is configured to use:

    ikev2 "charlie" passive ipcomp esp \
        proto encap \
        from $OWN_IP to $CHARLIE \
        peer $CHARLIE \
        srcid $GW dstid $CHARLIE

To add the routing over this we use ospfd. As soon as the sa is loaded ospf discovers its neighbour and loads the route via the gif interface. Without the sa no traffic is passed.
@Stuart you say, I should only establish the gif "link" after I have an SA?

My question was, when the ospfd has a problem or the connection between both end-points can't be established (like now, due to roadworks and some cable) can I add a -reject route with low prio to use instead of the default route on my VPN GW? Currently my VPN GW gets the traffic, has no route due to no ospf and sends it to the default gw, which returns it to the vpn gw and so forth. I would like it to reply with 'Network unreachable' instead immediately. As far as I see my idea is similar to what Jeremie wrote.
Cheers Kim
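The route-selection argument in this thread (a -reject route at priority 33 sits below the ospfd routes at priority 32 and only wins once ospfd withdraws them, and without it the VPN GW and the default GW bounce the packet between each other) worked through as an added Python example. This is not code from the thread or from OpenBSD; it is a small model of route(8) selection as the thread describes it (longest prefix first, then the lowest -priority value), with constructed router names, the addresses from the thread, an assumed static route on the default GW pointing the remote prefix back at the VPN GW, and the 172.16/12 prefix from the route(8) example above.

```python
"""Model of the VPN GW / default GW routing described in the thread.

Constructed example: OpenBSD route(8) selection is approximated as
'most specific prefix wins, ties broken by lowest -priority value'.
Priorities follow OpenBSD defaults: static routes 8, ospfd routes 32.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    gateway: Optional[str]   # next hop; None for a -reject route
    priority: int            # route(8) -priority: lower value preferred
    reject: bool = False     # route(8) -reject: answer with ICMP unreachable


def lookup(table, dst):
    """Return the best Route in `table` for `dst`, or None if nothing matches."""
    addr = ip_address(dst)
    matching = [r for r in table if addr in ip_network(r.prefix)]
    if not matching:
        return None
    # longest prefix wins; among equal prefixes the lowest priority value wins
    return max(matching, key=lambda r: (ip_network(r.prefix).prefixlen, -r.priority))


def forward(tables, owner, start, dst, ttl=64):
    """Follow one packet from router `start` toward `dst`.

    tables: router name -> list of Route
    owner:  next-hop address -> router name, for hops inside the site; any
            other next hop (here the gif peer) counts as delivered.
    Returns (verdict, path) with the routers the packet passed through.
    """
    path = []
    here = start
    while True:
        path.append(here)
        r = lookup(tables[here], dst)
        if r is None or r.reject:
            return "unreachable", path     # ICMP unreachable sent right here
        if r.gateway not in owner:
            return "delivered", path       # handed to the tunnel / upstream
        ttl -= 1
        if ttl == 0:
            return "ttl_exceeded", path    # the loop only ends when TTL runs out
        here = owner[r.gateway]


# Addresses from the thread (site 1); router names and the default GW's
# static route are assumptions of this example.
DEFAULT_GW = "192.168.1.1"
VPN_GW = "192.168.1.254"
GIF_PEER = "10.23.23.2"
REMOTE = "172.16.0.0/12"     # prefix from the route(8) example in the thread
OWNER = {DEFAULT_GW: "defgw", VPN_GW: "vpngw"}


def site_tables(ospf_up, reject_route):
    """Routing tables of both gateways for a given tunnel state."""
    vpngw = [Route("0.0.0.0/0", DEFAULT_GW, 8)]               # static default
    if ospf_up:
        vpngw.append(Route(REMOTE, GIF_PEER, 32))             # learned by ospfd
    if reject_route:
        # route add -inet 172.16/12 -reject -priority 33
        vpngw.append(Route(REMOTE, None, 33, reject=True))
    defgw = [
        Route("0.0.0.0/0", "203.0.113.1", 8),                 # assumed upstream
        Route(REMOTE, VPN_GW, 8),                             # remote nets via VPN GW
    ]
    return {"vpngw": vpngw, "defgw": defgw}


def simulate(ospf_up, reject_route, dst="172.16.5.1"):
    """Verdict and path for a packet entering the VPN GW bound for `dst`."""
    return forward(site_tables(ospf_up, reject_route), OWNER, "vpngw", dst)


if __name__ == "__main__":
    for ospf_up, reject_route in [(True, True), (False, True), (False, False)]:
        verdict, path = simulate(ospf_up, reject_route)
        print(f"ospf_up={ospf_up!s:5} reject={reject_route!s:5} -> "
              f"{verdict} after {len(path)} router visit(s)")
```

With ospfd up the priority-32 route beats the priority-33 reject route for the same /12, so the reject route is inert; once ospfd withdraws its route the reject route is the most specific match left and the VPN GW answers unreachable on the first hop. Without it the /0 default is used, the default GW's static route sends the packet straight back, and the packet circulates until its TTL is exhausted, which is the ping-pong described above. The real -priority values on a live box are visible in `route -n show` and a single destination can be checked with `route -n get <addr>`.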