iked + gif + ospfd - use null-route to stop default route being used in case of no vpn


iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Kim Zeitler
Hello

I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?

Cheers Kim



Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Stuart Henderson
On 2017-11-07, Kim Zeitler <[hidden email]> wrote:

> Hello
>
> I have a question concerning routes and ospf.
> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> routing.
>
> If the ipsec tunnel is down, no ospf route is set and the default route
> used.
>
> Is it sensible and possible to add a null-route from the vpn-gateway to
> the remote-networks so a 'Network not reachable' is sent immediately?

Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.



Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Jeremie Courreges-Anglas-2
On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:

> On 2017-11-07, Kim Zeitler <[hidden email]> wrote:
>> Hello
>>
>> I have a question concerning routes and ospf.
>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>> routing.
>>
>> If the ipsec tunnel is down, no ospf route is set and the default route
>> used.
>>
>> Is it sensible and possible to add a null-route from the vpn-gateway to
>> the remote-networks so a 'Network not reachable' is sent immediately?
>
> Sensible - yes.
>
> Possible - not sure but I think you would probably need to monitor the ipsec
> status and add the route and/or gif interface only once the SA is up.

I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Stuart Henderson
On 2017/11/07 15:31, Jeremie Courreges-Anglas wrote:

> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
> > On 2017-11-07, Kim Zeitler <[hidden email]> wrote:
> >> Hello
> >>
> >> I have a question concerning routes and ospf.
> >> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> >> routing.
> >>
> >> If the ipsec tunnel is down, no ospf route is set and the default route
> >> used.
> >>
> >> Is it sensible and possible to add a null-route from the vpn-gateway to
> >> the remote-networks so a 'Network not reachable' is sent immediately?
> >
> > Sensible - yes.
> >
> > Possible - not sure but I think you would probably need to monitor the ipsec
> > status and add the route and/or gif interface only once the SA is up.
>
> I may be missing something, but maybe just add a -reject route with
> a low -priority for each of your ospf routes?  When an ospf route
> disappears the -reject one would be preferred.
>
> (And if all your "vpn" routes are in a common prefix, you can just use
> a single -reject route for that prefix and let more-specifics win.)

Unless I missed something, the gif interface and static routes don't know
anything about the SA status, either you would need to monitor and add on
the fly (in which case the original problem wouldn't have happened, I think?)
or they would be pre-created (in which case, OSPF will already announce them
before the SA is up). It's a different case than something like openvpn
or openconnect where the route only exists after the VPN is up.


Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Kim Zeitler
In reply to this post by Jeremie Courreges-Anglas-2
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:

>>>
>>> I have a question concerning routes and ospf.
>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>> routing.
>>>
>>> If the ipsec tunnel is down, no ospf route is set and the default route
>>> used.
>>>
>>> Is it sensible and possible to add a null-route from the vpn-gateway to
>>> the remote-networks so a 'Network not reachable' is sent immediately?
>>
>> Sensible - yes.
>>
>> Possible - not sure but I think you would probably need to monitor the ipsec
>> status and add the route and/or gif interface only once the SA is up.
>
> I may be missing something, but maybe just add a -reject route with
> a low -priority for each of your ospf routes?  When an ospf route
> disappears the -reject one would be preferred.
>
> (And if all your "vpn" routes are in a common prefix, you can just use
> a single -reject route for that prefix and let more-specifics win.)
>
something like this was actually my plan. just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)


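To check the route-selection logic Jeremie and Kim describe above (an OSPF route at priority 32 beating the -reject route at priority 33 while the tunnel is up, the reject route taking over once ospfd withdraws, and the default route winning when no reject route exists), here is a small model of an OpenBSD-style routing table. This is an added example, not code from the thread or from OpenBSD; it assumes longest prefix match first and then the lowest priority value among equal prefixes, and the 172.16.5.0/24 OSPF prefix, gif0, the 192.168.1.1 default gateway and the test destinations are constructed values.

```python
import ipaddress


class Route:
    """One rtable entry: prefix, priority, next-hop label, reject flag."""
    def __init__(self, prefix, priority, via, reject=False):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.priority = priority   # lower value wins among equal prefixes
        self.via = via             # interface or gateway label (constructed)
        self.reject = reject       # -reject: answer with ICMP unreachable


class Rtable:
    """Model of OpenBSD route selection (assumed: longest prefix, then lowest
    priority value). Not the kernel's real code."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, priority, via=None, reject=False):
        self.routes.append(Route(prefix, priority, via, reject))

    def delete(self, prefix, priority):
        net = ipaddress.ip_network(prefix, strict=False)
        self.routes = [r for r in self.routes
                       if not (r.net == net and r.priority == priority)]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.net]
        if not hits:
            return ("unreachable", None)
        best = max(hits, key=lambda r: (r.net.prefixlen, -r.priority))
        if best.reject:
            return ("reject", None)      # kernel answers with ICMP unreachable
        return ("forward", best.via)


def vpn_gateway(with_reject=True):
    """VPN GW table as in the thread: static default (prio 8), OSPF route
    via gif0 (prio 32) and, optionally, the reject route at prio 33."""
    rt = Rtable()
    rt.add("0.0.0.0/0", 8, "192.168.1.1")        # default GW (constructed)
    rt.add("172.16.5.0/24", 32, "gif0")          # learned by ospfd
    if with_reject:                              # route(8) accepts 172.16/12;
        rt.add("172.16.0.0/12", 33, reject=True)  # ipaddress wants the long form
    return rt


def scenario(with_reject=True):
    """Lookups for a VPN destination with the tunnel up, then down, plus an
    unrelated Internet destination (constructed addresses)."""
    rt = vpn_gateway(with_reject)
    up = rt.lookup("172.16.5.10")
    rt.delete("172.16.5.0/24", 32)   # ospfd withdraws when the neighbour is lost
    down = rt.lookup("172.16.5.10")
    internet = rt.lookup("198.51.100.7")
    return up, down, internet
```

With the reject route, the second lookup returns a reject instead of the default gateway; without it, the VPN destination falls through to 192.168.1.1, which is the loop Kim describes later in the thread.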

Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Jeremie Courreges-Anglas-2
On Tue, Nov 07 2017, Kim Zeitler <[hidden email]> wrote:

> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
>
>>>>
>>>> I have a question concerning routes and ospf.
>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>> routing.
>>>>
>>>> If the ipsec tunnel is down, no ospf route is set and the default route
>>>> used.
>>>>
>>>> Is it sensible and possible to add a null-route from the vpn-gateway to
>>>> the remote-networks so a 'Network not reachable' is sent immediately?
>>>
>>> Sensible - yes.
>>>
>>> Possible - not sure but I think you would probably need to monitor the ipsec
>>> status and add the route and/or gif interface only once the SA is up.
>>
>> I may be missing something, but maybe just add a -reject route with
>> a low -priority for each of your ospf routes?  When an ospf route
>> disappears the -reject one would be preferred.
>>
>> (And if all your "vpn" routes are in a common prefix, you can just use
>> a single -reject route for that prefix and let more-specifics win.)
>>
> something like this was actually my plan. just wasn't so sure if one
> actually does it like this or if there are other ways of doing it.
>
> so basically a
> route add -inet 172.16/12 -reject -priority 33
> would suffice (33 as the ospf routes have a prio of 32)

Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Kim Zeitler
On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:

> On Tue, Nov 07 2017, Kim Zeitler <[hidden email]> wrote:
>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
>>
>>>>>
>>>>> I have a question concerning routes and ospf.
>>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>>> routing.
>>>>>
>>>>> If the ipsec tunnel is down, no ospf route is set and the default route
>>>>> used.
>>>>>
>>>>> Is it sensible and possible to add a null-route from the vpn-gateway to
>>>>> the remote-networks so a 'Network not reachable' is sent immediately?
>>>>
>>>> Sensible - yes.
>>>>
>>>> Possible - not sure but I think you would probably need to monitor the ipsec
>>>> status and add the route and/or gif interface only once the SA is up.
>>>
>>> I may be missing something, but maybe just add a -reject route with
>>> a low -priority for each of your ospf routes?  When an ospf route
>>> disappears the -reject one would be preferred.
>>>
>>> (And if all your "vpn" routes are in a common prefix, you can just use
>>> a single -reject route for that prefix and let more-specifics win.)
>>>
>> something like this was actually my plan. just wasn't so sure if one
>> actually does it like this or if there are other ways of doing it.
>>
>> so basically a
>> route add -inet 172.16/12 -reject -priority 33
>> would suffice (33 as the ospf routes have a prio of 32)
>
> Yes, but I think that what Stuart points out is that your gif tunnel
> might be used even if ipsec isn't protecting it...
>
OK, maybe I am missing something now.

I got two networks 192.168.1/24 and 192.168.2/24, each with a VPN GW
192.168.X.254 and a default GW at 192.168.X.1.
Between the VPN GWs I have a gif tunnel using 192.168.X.254 -> <external
IP otherside>, inside tunnel 10.23.23.1->10.23.23.2.

My iked is configured to use:

ikev2 "charlie" passive ipcomp esp \
         proto encap \
         from $OWN_IP to $CHARLIE \
         peer $CHARLIE \
         srcid $GW dstid $CHARLIE

To add the routing over this we use ospfd. As soon as the sa is loaded
ospf discovers its neighbour and loads the route via the gif interface.
Without the sa no traffic is passed.

@Stuart you say, I should only establish the gif "link" after I have an SA?

My question was, when the ospfd has a problem or the connection between
both end-points can't be established (like now, due to roadworks and
some cable) can I add a -reject route with low prio to use instead of
the default route on my VPN GW?
Currently my VPN GW gets the traffic, has no route due to no ospf and
sends it to the default gw, which returns it to the vpn gw and so forth.
I would like it to reply with 'Network unreachable' instead immediately.
As far as I see my idea is similar to what Jeremie wrote.

Cheers
Kim



Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Claudio Jeker
In reply to this post by Stuart Henderson
On Tue, Nov 07, 2017 at 02:42:29PM +0000, Stuart Henderson wrote:

> On 2017/11/07 15:31, Jeremie Courreges-Anglas wrote:
> > On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
> > > On 2017-11-07, Kim Zeitler <[hidden email]> wrote:
> > >> Hello
> > >>
> > >> I have a question concerning routes and ospf.
> > >> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> > >> routing.
> > >>
> > >> If the ipsec tunnel is down, no ospf route is set and the default route
> > >> used.
> > >>
> > >> Is it sensible and possible to add a null-route from the vpn-gateway to
> > >> the remote-networks so a 'Network not reachable' is sent immediately?
> > >
> > > Sensible - yes.
> > >
> > > Possible - not sure but I think you would probably need to monitor the ipsec
> > > status and add the route and/or gif interface only once the SA is up.
> >
> > I may be missing something, but maybe just add a -reject route with
> > a low -priority for each of your ospf routes?  When an ospf route
> > disappears the -reject one would be preferred.
> >
> > (And if all your "vpn" routes are in a common prefix, you can just use
> > a single -reject route for that prefix and let more-specifics win.)
>
> Unless I missed something, the gif interface and static routes don't know
> anything about the SA status, either you would need to monitor and add on
> the fly (in which case the original problem wouldn't have happened, I think?)
> or they would be pre-created (in which case, OSPF will already announce them
> before the SA is up). It's a different case than something like openvpn
> or openconnect where the route only exists after the VPN is up.
>

Or use gre(4) with keepalive enabled. Then the gre tunnel would go down
once the SA is gone.

--
:wq Claudio


Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Claudio Jeker
In reply to this post by Jeremie Courreges-Anglas-2
On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:

> On Tue, Nov 07 2017, Kim Zeitler <[hidden email]> wrote:
> > On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
> >> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
> >
> >>>>
> >>>> I have a question concerning routes and ospf.
> >>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
> >>>> routing.
> >>>>
> >>>> If the ipsec tunnel is down, no ospf route is set and the default route
> >>>> used.
> >>>>
> >>>> Is it sensible and possible to add a null-route from the vpn-gateway to
> >>>> the remote-networks so a 'Network not reachable' is sent immediately?
> >>>
> >>> Sensible - yes.
> >>>
> >>> Possible - not sure but I think you would probably need to monitor the ipsec
> >>> status and add the route and/or gif interface only once the SA is up.
> >>
> >> I may be missing something, but maybe just add a -reject route with
> >> a low -priority for each of your ospf routes?  When an ospf route
> >> disappears the -reject one would be preferred.
> >>
> >> (And if all your "vpn" routes are in a common prefix, you can just use
> >> a single -reject route for that prefix and let more-specifics win.)
> >>
> > something like this was actually my plan. just wasn't so sure if one
> > actually does it like this or if there are other ways of doing it.
> >
> > so basically a
> > route add -inet 172.16/12 -reject -priority 33
> > would suffice (33 as the ospf routes have a prio of 32)
>
> Yes, but I think that what Stuart points out is that your gif tunnel
> might be used even if ipsec isn't protecting it...
>

I use pf(4) to make sure that gif is not leaking outside of the enc
interface (more or less):
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)

Using if-bound is needed else the enc0 state would float to the egress
interface.
--
:wq Claudio


Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

Kim Zeitler
On 11/08/17 08:37, Claudio Jeker wrote:

> On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
>> On Tue, Nov 07 2017, Kim Zeitler <[hidden email]> wrote:
>>> On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
>>>> On Tue, Nov 07 2017, Stuart Henderson <[hidden email]> wrote:
>>>
>>>>>>
>>>>>> I have a question concerning routes and ospf.
>>>>>> We are using iked(8) with a gif(4) interface and ospfd(8) to set up
>>>>>> routing.
>>>>>>
>>>>>> If the ipsec tunnel is down, no ospf route is set and the default route
>>>>>> used.
>>>>>>
>>>>>> Is it sensible and possible to add a null-route from the vpn-gateway to
>>>>>> the remote-networks so a 'Network not reachable' is sent immediately?
>>>>>
>>>>> Sensible - yes.
>>>>>
>>>>> Possible - not sure but I think you would probably need to monitor the ipsec
>>>>> status and add the route and/or gif interface only once the SA is up.
>>>>
>>>> I may be missing something, but maybe just add a -reject route with
>>>> a low -priority for each of your ospf routes?  When an ospf route
>>>> disappears the -reject one would be preferred.
>>>>
>>>> (And if all your "vpn" routes are in a common prefix, you can just use
>>>> a single -reject route for that prefix and let more-specifics win.)
>>>>
>>> something like this was actually my plan. just wasn't so sure if one
>>> actually does it like this or if there are other ways of doing it.
>>>
>>> so basically a
>>> route add -inet 172.16/12 -reject -priority 33
>>> would suffice (33 as the ospf routes have a prio of 32)
>>
>> Yes, but I think that what Stuart points out is that your gif tunnel
>> might be used even if ipsec isn't protecting it...
>>
>
> I use pf(4) to make sure that gif is not leaking outside of the enc
> interface (more or less):
> block out proto { ipencap ipv6 }
> pass on enc0 keep state (if-bound)
>
> Using if-bound is needed else the enc0 state would float to the egress
> interface.
>
I want to thank all for their time and answers.

not sure how I will implement this yet, but Stuart's and Claudio's
clearly made me think a bit further.

Cheers,
Kim
