[quagga-users 8987] Re: ospf not redistributing vpnc (tun0) routes

Brian J. Murrell brian at interlinx.bc.ca
Sun Oct 14 21:48:21 IST 2007


On Fri, 2007-10-12 at 17:43 +0100, Paul Jakma wrote:
> 
> Well, if you add 'redistribute kernel' and don't filter you /will/ start 
> getting crap into OSPF.

I certainly can't argue with that.

> Uh, how?
> 
> - The other side can inject whatever they want if they're speaking OSPF
>    to you.
> 
> - If they're not speaking OSPF to you, it surely needs manual config
>    /somewhere/ to get routes on the machine..

Ahh.  Indeed, I went back and looked at my config a little closer.  I
was misunderstanding the point of required synchronization.  My local
VPN configuration lists the subnets that should be routed over the VPN.
So I have two places locally where I would need to keep routes
synchronized... in my local VPN configuration as well as the route
filter for OSPF.

I suppose with enough effort I could have the VPN configuration script
also generate the route filters and give ospfd a kick to reread its
configuration.  That just seems a bit hackish though.

> If the answer was 'redistribute kernel' your original issue was not 
> solved satisfactorily though ;) (even if you don't realise it yet ;) ).

Indeed.  Which is why I am asking.

> As Andrew says, you should be getting 'Connected' routes - ie routes for 
> attached subnets/hosts.

I do, for the connected hosts/subnets, which is only one address since
this tun0 VPN connection is a P-t-P link.  The routes to the remote
subnet get added by the VPN configuration script through "ip route add"
statements.

> The fact you're not means that either zebra is 
> broken or this 'vpnc' thing is doing something unusual (or wrong) wrt 
> configuring addresses on interfaces (almost certainly the latter).

"This vpnc thing" is a Cisco VPN client.  Paul, you should in fact be
able to use/test it yourself if you like to connect to SWAN with.  I
don't think anything is broken, vpnc or zebra given that the connected
route is for the P-t-P address that I get from the VPN.

> The following information may be of use:
> 
> - For any attached subnets/hosts on/to which OSPF is enabled, OSPF will
>    automatically advertise these IP 'links' in the router-LSA (as a
>    'stub' link, at a minimum)

I'm guessing this is moot given that it's a P-t-P interface?

>    'passive' interfaces in OSPF are advertised this way. And you can
>    enable passive by default.

I'd have to disable distributing kernel routes to verify but I believe
the P-t-P interface address was being distributed to the rest of the
network via OSPF.  It was just the subsequently added subnets that were
not.

> - All interfaces should have 'C' routes, which should correspond to
>    addresses (subnets or peer hosts) that zebra recognises as attached.

They do.

>    'redistribute connected' therefore is the cleanest way to get routes
>    for attached subnets/hosts injected into OSPF, as AS-External routes.

But this doesn't work for my situation I'm guessing, where the interface
has a single address on a P-t-P link and routes are added with "ip route
add" to route to the remote subnets.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
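
The message above considers having the VPN configuration script generate the OSPF route filter so the subnet list lives in one place. The following is an added example, not part of the original post or of Quagga or vpnc: a shell sketch that turns a subnet list into a prefix-list, a route-map and a filtered `redistribute kernel` for ospfd. The names VPN-ROUTES and VPN-TO-OSPF and the sample subnets are assumptions.

```shell
#!/bin/sh
# Added example. VPN-ROUTES / VPN-TO-OSPF are hypothetical names and the
# subnets at the bottom are constructed documentation ranges.

# valid_cidr PREFIX: succeed only for a well-formed IPv4 prefix that is
# not a default route (length 1..32, four octets each 0..255).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr          # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ospf_filter PREFIX...: print the filter and redistribution stanzas.
# Every prefix is validated before anything is printed, so a bad VPN
# subnet list never yields a partial or wide-open filter.
gen_ospf_filter() {
    [ $# -ge 1 ] || return 1
    for p in "$@"; do
        valid_cidr "$p" || { echo "rejected prefix: $p" >&2; return 1; }
    done
    seq=5
    for p in "$@"; do
        echo "ip prefix-list VPN-ROUTES seq $seq permit $p"
        seq=$((seq + 5))
    done
    # The route-map has no further entries, so any kernel route that is
    # not in the prefix-list is not redistributed.
    cat <<'EOF'
!
route-map VPN-TO-OSPF permit 10
 match ip address prefix-list VPN-ROUTES
!
router ospf
 redistribute kernel route-map VPN-TO-OSPF
EOF
}

gen_ospf_filter 192.0.2.0/24 198.51.100.0/25
```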