Re: [networking-discuss] ospf via ipsec tunnels

Wed, 21 Apr 2010 03:19:45 -0700 

Hi, folks!

As threatened yesterday, I added a second Juniper with second tunnel tot
he scenario so that we now have a triangle with 2 Junipers (cennected
directly) and Opensolaris.

OSPF seems to work fine - both Junipers receive their default route from
Opensolaris and sent everything thru their tunnel (except of course the
ipsec-relevant stuff, for wich they have a static route to their
respective DSL-Router).

Cutting one Junipers Internet-Connection leads to rerouting it's traffic
thru the second Juniper.
I tried that and it worked (I might have to tune the dead-interval, but
that's a different story).

Re-establishing the link leads again to full neighborhood between Quagga
and that previously cut off Juniper.
Show ip ospf route actually shows the route thru the correct
tunnelinterface.

However, that route never makes it to opensolaris routingtable:

kunde003-wan# show ip ospf route
============ OSPF network routing table ============
N    103.0.0.0/24          [11] area: 0.0.0.0
                           via 192.168.100.5, ip.tun1
N    120.0.0.0/24          [11] area: 0.0.0.0
                           via 192.168.100.1, ip.tun0
:

r...@kunde003-wan:~# netstat -nr

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use
Interface
-------------------- -------------------- ----- ----- ----------
---------
default              213.172.123.137      UG        1       1588
82.100.231.232       82.100.231.233       U         1          1
dmz103001
103.0.0.0            192.168.100.5        UG        1          0
192.168.5.0          192.168.100.1        UG        1          0
192.168.5.0          192.168.100.5        UG        1          0
192.168.100.1        192.168.100.2        UH        1          1 ip.tun0
192.168.100.2        192.168.100.1        UGH       1          0
192.168.100.5        192.168.100.6        UH        1          0 ip.tun1
192.168.100.6        192.168.100.5        UGH       1          0
213.172.123.136      213.172.123.138      U         1          2 wan3001
127.0.0.1            127.0.0.1            UH        2         16 lo0

As you can see the route to 120.0.0.0/24 is missing here and of course
traffic to that site isn't routed thru the tunnel anymore by
Opensolaris. Instead it's using the default route and sending the
traffic out on the WAN-Interface in clear text:
r...@kunde003-wan:~# snoop -rd wan3001
Using device wan3001 (promiscuous mode)
82.100.231.234 -> 120.0.0.32   ICMP Echo request (ID: 30495 Sequence
number: 916)
82.100.231.234 -> 120.0.0.32   ICMP Echo request (ID: 17180 Sequence
number: 9657)
82.100.231.234 -> 120.0.0.32   ICMP Echo request (ID: 30495 Sequence
number: 917)
:

Did I hit a bug? Or do I need additional configuration?

Cheers,
Kai

_______________________________________________
networking-discuss mailing list
[email protected]

Reply via email to