On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
> >> On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
> >
> >>>>
> >>>> I have a question concerning routes and ospf.
> >>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> >>>> routing.
> >>>>
> >>>> If the ipsec tunnel is down, no ospf route is set and the default
> >>>> route used.
> >>>>
> >>>> Is it sensible and possible to add a null-route from the vpn-gateway
> >>>> to the remote-networks so a 'Network not reachable' is sent immediately?
> >>>
> >>> Sensible - yes.
> >>>
> >>> Possible - not sure but I think you would probably need to monitor the 
> >>> ipsec
> >>> status and add the route and/or gif interface only once the SA is up.
> >>
> >> I may be missing something, but maybe just add a -reject route with
> >> a low -priority for each of your ospf routes?  When an ospf route
> >> disappears the -reject one would be preferred.
> >>
> >> (And if all your "vpn" routes are in a common prefix, you can just use
> >> a single -reject route for that prefix and let more-specifics win.)
> >>
> > something like this was actually my plan. just wasn't so sure if one
> > actually does it like this or if there are other ways of doing it.
> >
> > so basically a
> > route add -inet 172.16/12 -reject -priority 33
> > would suffice (33 as the ospf routes have a prio of 32)
> 
> Yes, but I think that what Stuart points out is that your gif tunnel
> might be used even if ipsec isn't protecting it...
> 

I use pf(4) to make sure that gif is not leaking outside of the enc
interface (more or less):
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)

Using if-bound is needed else the enc0 state would float to the egress
interface.
-- 
:wq Claudio
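
The two pieces discussed in this thread, the low-priority reject route and
the pf rules that keep gif traffic from leaving unprotected, put together as
one constructed configuration. This is an added illustration, not the setup
of any of the posters: the tunnel endpoints, inner addresses and the
interface name gif0 are placeholders, and the hostname.if(5) "!" prefix is
used to run the route command when the interface is configured at boot.

```conf
# /etc/hostname.gif0  (constructed example; all addresses are placeholders)
# Outer tunnel endpoints (local, remote) and the inner point-to-point pair.
tunnel 192.0.2.1 198.51.100.1
inet 10.0.0.1 255.255.255.255 10.0.0.2
# Catch-all reject route for the remote networks.  ospfd(8) installs its
# routes at priority 32, so this priority-33 reject route is only selected
# once the OSPF route (and the tunnel it points through) has disappeared,
# at which point senders get an immediate "Network is unreachable" instead
# of packets silently taking the default route.
!route add -inet 172.16/12 -reject -priority 33

# /etc/pf.conf  (only the rules relevant to this thread)
# gif(4) encapsulates with IP protocol 4 (ipencap) or 41 (ipv6).  Refuse to
# send either out of any interface; the only sanctioned path for the
# encapsulated packets is through enc0, i.e. inside IPsec.
block out proto { ipencap ipv6 }
# Allow the tunnel traffic on enc0.  if-bound keeps the state tied to enc0;
# without it the state would float to the egress interface and match the
# outgoing encapsulated packet there, bypassing the block rule above.
pass on enc0 keep state (if-bound)
```

After loading this, `route -n get 172.16.1.1` should show the gif0 route
while OSPF is up and the reject route (flagged R) once it is gone, and
`pfctl -ss` should list the tunnel state bound to enc0 rather than to the
egress interface.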
