On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-11-07, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
>> Hello
>>
>> I have a question concerning routes and ospf.
>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>> routing.
>>
>> If the ipsec tunnel is down, no ospf route is set and the default route
>> used.
>>
>> Is it sensible and possible to add a null-route from the vpn-gateway to
>> the remote-networks so a 'Network not reachable' is sent immediately?
>
> Sensible - yes.
>
> Possible - not sure but I think you would probably need to monitor the ipsec
> status and add the route and/or gif interface only once the SA is up.
I may be missing something, but maybe just add a -reject route with a low
-priority for each of your ospf routes? When an ospf route disappears the
-reject one would be preferred. (And if all your "vpn" routes are in a common
prefix, you can just use a single -reject route for that prefix and let
more-specifics win.)

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
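As an added illustration of the -reject fallback suggested above (example code, not from anyone in the thread): on OpenBSD a lower route priority number wins, static routes default to 8 and ospfd installs at 32, so the reject route is given priority 56 and only takes over once ospfd withdraws its route. The routing-table sample is constructed; the script only prints the route(8) commands it would need, it does not touch the kernel table.

```shell
#!/bin/sh
# Emit route(8) commands that add a -reject fallback for each remote VPN
# prefix. Priority 56 loses to ospfd's routes (32) while the tunnel is up,
# so traffic follows OSPF normally and gets "Network not reachable" as soon
# as the OSPF route disappears, instead of leaking out the default route.
REJECT_PRIO=56

# Constructed sample of `route -n show -inet` with the tunnel up. The
# 10.20.0.0/16 fallback already exists (R flag, Prio 56); 10.10.0.0/16 has
# only its OSPF route.
# Columns: Destination  Gateway  Flags  Refs  Use  Mtu  Prio  Iface
SAMPLE_TABLE='default            192.0.2.1          UGS        0  1234     -     8 em0
10.10.0.0/16       10.99.0.2          UG         0    55     -    32 gif0
10.20.0.0/16       127.0.0.1          UGRS       0     0     -    56 lo0
10.99.0.2          10.99.0.1          UH         1     0     -     4 gif0'

# has_reject TABLE PREFIX: succeeds if PREFIX already has a reject (R) route.
has_reject() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == p && $3 ~ /R/ { found = 1 } END { exit !found }'
}

# fallback_cmds TABLE PREFIX...: print the commands still needed. Pass the
# aggregate prefix instead of each network if all remote networks share one;
# the more specific OSPF routes win regardless of priority.
fallback_cmds() {
    table=$1
    shift
    for prefix in "$@"; do
        has_reject "$table" "$prefix" && continue
        printf 'route add -inet -reject -priority %s %s 127.0.0.1\n' \
            "$REJECT_PRIO" "$prefix"
    done
}

fallback_cmds "$SAMPLE_TABLE" 10.10.0.0/16 10.20.0.0/16
```

After running the printed commands, `route -n show -inet` should list each fallback with an R flag in the Flags column and 56 in the Prio column, alongside the OSPF route at 32.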