On Sat, Mar 01, 2014 at 11:55:28AM +0000, Andy Lemin wrote:
> Hi, it's not a good idea to distribute /32 routes around your routing
> domain as it will make convergence times longer and adds unnecessary
> load to the other routers. OSPF and other routing daemons like summary
> routes. I'm guessing you've assigned a 'unique' /24 network for the
> VPN clients which isn't used anywhere else in your organisation so the
> best thing to do is to create a single static route on the OBSD box
> for the whole /24 VPN range and distribute that using OSPF. That way
> other routers will learn about the OBSD box which provides access to
> the clients etc. Leave the /32 routes on the OBSD box.

Well, from a theoretical ideal perspective, it would be better for only
routes to valid vpn clients to exist on the network, so any packet to an
IP not in use by an active client would get null routed at its source,
rather than sent all the way to the openbsd box to get dropped. On the
other hand, from a pragmatic implementation perspective, you're right,
you don't really want 200 /32 routes floating around when they could be
covered by a single /24.

However, in this case, there probably won't be more than a handful of
clients at any given time, so it's not really a choice between a single
/24 and 254 /32's, but more like between a single /24 and half a dozen
/32's, so I'm leaning towards theoretical ideal at this point ;).

Besides, even if I do end up hacking it with a static /24, for self
edification purposes I still want to understand why it's not working and
what it would take to make it work :).

Thanks...
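As an added illustration of the trade-off discussed in this thread (not code from either poster), the script below models the two options: one /32 per active client versus a single /24 summary, and shows where a packet to an unused pool address is dropped under each. The pool and client addresses are constructed sample values.

```python
import ipaddress

# Constructed sample: a /24 VPN client pool and a handful of active client /32s.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
ACTIVE_CLIENTS = {"10.99.0.10", "10.99.0.11", "10.99.0.42"}


def host_routes():
    """Option A: one /32 per active client, as the original poster wants OSPF to carry."""
    return {ipaddress.ip_network(f"{c}/32"): "obsd-gw" for c in ACTIVE_CLIENTS}


def summary_route():
    """Option B: a single static /24 for the whole pool, redistributed via OSPF."""
    return {VPN_POOL: "obsd-gw"}


def lookup(table, dst):
    """Longest-prefix match against a route table; None means no route at all."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if addr in p]
    if not matches:
        return None
    return table[max(matches, key=lambda p: p.prefixlen)]


def where_dropped(table, dst):
    """Return where a packet to dst ends up with the given table:
    'source'    - no route, so the first router discards it (null route at source)
    'gateway'   - carried all the way to the VPN box, which has no peer for it
    'delivered' - dst is an active client behind the VPN box."""
    if lookup(table, dst) is None:
        return "source"
    return "delivered" if str(ipaddress.ip_address(dst)) in ACTIVE_CLIENTS else "gateway"


def compare(dst):
    """Side-by-side outcome for one destination under both route-distribution options."""
    return {"host_routes": where_dropped(host_routes(), dst),
            "summary": where_dropped(summary_route(), dst)}


def route_counts():
    """How many prefixes each option injects into the routing domain."""
    return {"host_routes": len(host_routes()), "summary": len(summary_route())}
```

Running `compare("10.99.0.200")` (an unused pool address) returns `source` for the /32 option and `gateway` for the summary, which is exactly the difference the reply describes; `route_counts()` shows the cost side of the trade-off.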
