On 11/08/17 08:37, Claudio Jeker wrote:
On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:


I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up routing.

If the ipsec tunnel is down, no ospf route is set and the default route is used.

Is it sensible and possible to add a null-route from the vpn-gateway to the remote-networks so a 'Network not reachable' is sent immediately?

Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.

I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)

Something like this was actually my plan. Just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

So basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32).

Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...


I use pf(4) to make sure that gif is not leaking outside of the enc
interface (more or less):
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)

Using if-bound is needed else the enc0 state would float to the egress
interface.


I want to thank all for their time and answers.

Not sure how I will implement this yet, but Stuart's and Claudio's answers clearly made me think a bit further.

Cheers,
Kim
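As an added illustration of the -reject / -priority idea discussed above (this is example code written for this page, not anything from the thread or from OpenBSD), the following simulates how the kernel picks a route: most specific prefix first, then lowest priority among routes to the same prefix. The prefixes, interface names (em0, gif0) and the default route's priority of 8 are constructed assumptions; 32 for OSPF and 33 for the reject route are the values named in the thread. It shows that OSPF routes win while present, that a single reject route for the 172.16/12 aggregate catches the VPN networks once they disappear, and that without the reject route the same traffic would follow the default route out of em0.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    priority: int      # lower wins among routes to the same prefix
    gateway: str       # outgoing interface; "reject" marks a -reject route


def route(prefix, priority, gateway):
    return Route(ipaddress.ip_network(prefix), priority, gateway)


# Constructed example table (assumption, not taken from the thread):
# a static default route (priority 8 assumed), two OSPF-learned routes for
# VPN networks behind gif0 (priority 32 as in the thread), and the single
# reject route for the whole VPN aggregate (priority 33 as in the thread).
DEFAULT = route("0.0.0.0/0", 8, "em0")
OSPF_ROUTES = [route("172.16.5.0/24", 32, "gif0"),
               route("172.20.0.0/16", 32, "gif0")]
REJECT = route("172.16.0.0/12", 33, "reject")


def lookup(table, dst):
    """Longest-prefix match, then lowest priority among equal-length prefixes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    return min((r for r in matches if r.prefix.prefixlen == longest),
               key=lambda r: r.priority)


def forward(table, dst):
    """Return the interface a packet to dst would leave on, or ENETUNREACH."""
    r = lookup(table, dst)
    if r is None or r.gateway == "reject":
        return "ENETUNREACH"   # what a -reject route answers: network unreachable
    return r.gateway


def scenarios():
    """Compare the table with OSPF up, OSPF down, and without the reject route."""
    ospf_up = [DEFAULT, *OSPF_ROUTES, REJECT]
    ospf_down = [DEFAULT, REJECT]          # tunnel down: OSPF routes withdrawn
    no_reject = [DEFAULT]                  # tunnel down, no safety net
    # Same prefix on both routes: priority alone decides, and 32 beats 33.
    same_prefix = [DEFAULT, route("172.16.0.0/12", 32, "gif0"), REJECT]
    return {
        "ospf_up_vpn": forward(ospf_up, "172.16.5.10"),         # gif0
        "ospf_down_vpn": forward(ospf_down, "172.16.5.10"),     # ENETUNREACH
        "no_reject_down_vpn": forward(no_reject, "172.16.5.10"),# em0 (leak)
        "ospf_up_internet": forward(ospf_up, "203.0.113.7"),    # em0
        "same_prefix_tie": forward(same_prefix, "172.16.5.10"), # gif0
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The simulation only covers the routing-table side. The point Jeremie and Claudio raise, that an OSPF route over gif0 can exist while IPsec is not actually protecting the tunnel, is not visible in the table at all; that is why the pf rules binding state to enc0 belong alongside the reject route rather than instead of it.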
