I have a pair of firewall routers running OpenBSD (4.1 and 4.2 at
present - need to get them updated) and I recently added an IPsec tunnel
to their configurations, using ipsecctl and ipsec.conf complete with
sasyncd.
This works fine, and the host which is master of the carp interface (the
one I've told isakmpd to use) gets routes to and from the remote network
in the "Encap" section of route(8)'s output.
However, this does not seem to be advertised by ospfd. I've tried
"redistribute connected" and "redistribute static", as well as
explicitly specifying the prefix (which I didn't expect to do much), but
the route doesn't show in the output of "ospfctl show rib".
Is what I am trying to do possible? I know that IPsec isn't a routed
protocol and so it's not normally useful to announce routes to other
routers, plus the policy tends to restrict the type of traffic that is
allowed to pass through the tunnel.
Currently I've set a static route on the other gateway, and this is
what's being redistributed into OSPF.
I saw in the man page that you can redistribute based on rtlabel, but
couldn't see that the IPsec routes (which I suspect aren't normal
routes) can be assigned an rtlabel.
This wouldn't be an issue if I tied all my carp interfaces together so
that the same host was always master for all interfaces (or at least all
interfaces on VPN-related networks). There's no real reason I haven't
done that aside from thinking that it shouldn't be necessary, but maybe
now it is...
--
Russell Howe, IT Manager. <[EMAIL PROTECTED]>
BMT Marine & Offshore Surveys Ltd.