On Tue, Nov 07, 2017 at 02:42:29PM +0000, Stuart Henderson wrote:
> On 2017/11/07 15:31, Jeremie Courreges-Anglas wrote:
> > On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
> > > On 2017-11-07, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > >>
> > >> Hello
> > >>
> > >> I have a question concerning routes and ospf.
> > >> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> > >> routing.
> > >>
> > >> If the ipsec tunnel is down, no ospf route is set and the default
> > >> route is used.
> > >>
> > >> Is it sensible and possible to add a null-route from the vpn-gateway
> > >> to the remote-networks so a 'Network not reachable' is sent immediately?
> > >
> > > Sensible - yes.
> > >
> > > Possible - not sure but I think you would probably need to monitor the
> > > ipsec status and add the route and/or gif interface only once the SA is up.
> > 
> > I may be missing something, but maybe just add a -reject route with
> > a low -priority for each of your ospf routes?  When an ospf route
> > disappears the -reject one would be preferred.
> > 
> > (And if all your "vpn" routes are in a common prefix, you can just use
> > a single -reject route for that prefix and let more-specifics win.)
> 
> Unless I missed something, the gif interface and static routes don't know
> anything about the SA status, either you would need to monitor and add on
> the fly (in which case the original problem wouldn't have happened, I think?)
> or they would be pre-created (in which case, OSPF will already announce them
> before the SA is up). It's a different case than something like openvpn
> or openconnect where the route only exists after the VPN is up.
> 

Or use gre(4) with keepalive enabled. Then the gre tunnel would go down
once the SA is gone.

-- 
:wq Claudio
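
The two suggestions in this thread (low-priority -reject routes behind the OSPF routes, and gre(4) with keepalive so the tunnel goes down with the SA) as an added example; this is not code from the thread or from OpenBSD. All prefixes, addresses, the interface name gre0, the priority value and the exact ifconfig(8) keepalive syntax are assumptions, and the two `route -n get` outputs are constructed samples in route(8) format.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the low-priority -reject routes
# and the gre(4)-with-keepalive suggestion as route(8)/ifconfig(8) commands,
# plus a check of `route -n get` output. All prefixes, addresses, interface
# names and the priority value are assumptions.

# ospfd(8) installs its routes at priority 32, so a reject route with a
# larger number is only selected once the OSPF route has disappeared.
REJECT_PRIO=60

# route(8) command for one remote prefix: a -reject route answers lookups
# with an ICMP unreachable instead of letting the default route carry them.
reject_route_cmd() {
    printf 'route -n add -reject -priority %s %s 127.0.0.1\n' "$REJECT_PRIO" "$1"
}

# One command per remote prefix given as an argument.
reject_route_cmds() {
    for prefix in "$@"; do
        reject_route_cmd "$prefix"
    done
}

# ifconfig(8) commands for a gre(4) tunnel carried inside the IPsec SA
# (syntax assumed): keepalives every $5 seconds, link marked down after
# $6 misses, so the OSPF adjacency over gre0 drops once the SA is gone.
gre_setup_cmds() {
    # $1 local outer, $2 remote outer, $3 local inner, $4 remote inner,
    # $5 keepalive period in seconds, $6 number of missed keepalives
    printf 'ifconfig gre0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gre0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
    printf 'ifconfig gre0 keepalive %s %s\n' "$5" "$6"
    printf 'ifconfig gre0 up\n'
}

# Given the output of `route -n get <dst>`, return 0 when the selected
# route carries the REJECT flag (tunnel down, fallback active) and 1 when
# a forwarding route (e.g. the OSPF one via gre0) is in use.
route_get_is_reject() {
    printf '%s\n' "$1" | awk '
        /^ *flags:/ && /REJECT/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs; run `route -n get 10.10.1.1` on the gateway
# to get the real thing.
SAMPLE_DOWN='   route to: 10.10.1.1
destination: 10.10.0.0
       mask: 255.255.0.0
    gateway: 127.0.0.1
  interface: lo0
   priority: 60
      flags: <UP,GATEWAY,DONE,STATIC,REJECT>'

SAMPLE_UP='   route to: 10.10.1.1
destination: 10.10.0.0
       mask: 255.255.0.0
    gateway: 10.255.0.2
  interface: gre0
   priority: 32 (ospf)
      flags: <UP,GATEWAY,DONE>'

# Usage: print the commands, then check which route a destination hits.
reject_route_cmds 10.10.0.0/16 10.20.0.0/16
gre_setup_cmds 192.0.2.1 198.51.100.1 10.255.0.1 10.255.0.2 10 3
if route_get_is_reject "$SAMPLE_DOWN"; then
    echo "down sample: reject route active, unreachable sent immediately"
fi
if route_get_is_reject "$SAMPLE_UP"; then
    echo "up sample: reject route active"
else
    echo "up sample: forwarding route (OSPF via gre0) active"
fi
```

The check at the end is the one worth running after a tunnel flap: if `route -n get` for a remote host still shows the reject route while the SA is up, the OSPF route never came back and the priorities are not doing what you expect.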
