Brook Milligan <brook%nmsu.edu@localhost> writes:

> I have a handful of routers running NetBSD and need to get them to
> share their routing tables via a (simple?) routing protocol.

There's no such thing... But more seriously, I am pretty sure the difficulties you are having are not about the routing protocol but about the routing protocol not finding the routes, probably because IPsec and routing don't really play well.

> I have been using routed for this purpose, which seems to work well
> except for the routes that involve clients connecting via an openvpn
> server.

Are there really routes? Could you send example "netstat -nr" output showing such a route? Or is it that openvpn puts in an SPD and SA entry, and the packet starts to use the default route and then gets IPsec processing and then the ESP tunnel-mode packet gets reinjected and goes?

Are you having the remote nodes advertise their addresses via RIP? This gets awkward because an ESP tunnel isn't a pseudointerface, which is what routing wants to see.

> The openvpn server allows connections by individual machines
> with dynamic IPs as well as with static IPs; it also allows a
> connection to a router serving a small subnet. If I manually add
> appropriate routes to the other routers and hosts on the network, all
> works well (except that is a pain).

Generally, the notion is that directly-connected subnets (hosts, for non-broadcast networks) should get routes added by the interface, and it's RIP's job to propagate these routes. So arguably you should change openvpn.

> To get routed to handle that I
> have added "subnet=" clauses to /etc/gateways on the openvpn server,
> but those routes do not seem to be advertised.

"seem" ==> Use tcpdump to read the RIP packets.

Please explain more clearly what you're trying. Are these subnets that are actually attached to the openvpn server? Or subnets that aren't, but fall within a default route it has?

Are you saying that other systems that are actually exchanging RIP packets and getting other routes are missing these?

> What is the accepted practice for linking together a few routers? Is
> routed sufficient or should I be using something more complex? If so,
> what is the recommendation? If not, how can I get routed on the
> openvpn server to advertise the routes to its clients?

For only a few, RIP is more or less ok. Modern practice is to use OSPF, which you'd get in net/quagga. But I think you aren't having "RIP is ancient and not good enough" problems.
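The reply's advice is to stop guessing from "seem" and read the RIP packets on the wire. The following is an added example, not code from the thread or from NetBSD's routed: a small RIPv2 (RFC 2453) response decoder that turns the UDP port 520 payloads you capture with tcpdump into a list of advertised prefixes and metrics, and answers the concrete question of whether a given subnet is being announced with a live metric. The sample packet, the password "secret" and the prefixes in it are constructed here for the example; the packet builder exists only to produce that sample and is not how routed builds its updates.

```python
"""Decode RIPv2 response packets (RFC 2453) and check which routes are advertised.

Added example: the payload layout is the RIPv2 wire format, but the sample
packet, routes and password below are constructed for illustration.
"""
import ipaddress
import struct

RIP_RESPONSE = 2          # command byte: 1 = request, 2 = response
AF_INET = 2               # address family identifier for IPv4 entries
AUTH_FAMILY = 0xFFFF      # first entry carrying authentication, not a route
RIP_INFINITY = 16         # metric 16 means "unreachable" (route withdrawn)
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # family, route tag, address, netmask, next hop, metric


def natural_mask(addr):
    """Classful mask, used when a v2 entry carries a zero netmask (RFC 2453 4.3)."""
    first = addr[0]
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_rip_response(pkt):
    """Return [(network, metric, next_hop, tag), ...] from one RIPv2 response payload."""
    if len(pkt) < HEADER.size or (len(pkt) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIP length %d" % len(pkt))
    cmd, version, _ = HEADER.unpack_from(pkt)
    if cmd != RIP_RESPONSE or version != 2:
        raise ValueError("not a RIPv2 response (cmd=%d ver=%d)" % (cmd, version))
    routes = []
    for off in range(HEADER.size, len(pkt), ENTRY.size):
        family, tag, addr, mask, nh, metric = ENTRY.unpack_from(pkt, off)
        if family == AUTH_FAMILY:      # authentication entry: skip, it is not a route
            continue
        if family != AF_INET:          # RIPv2 only carries IPv4; ignore anything else
            continue
        if addr == b"\0\0\0\0" and mask == b"\0\0\0\0":
            net = ipaddress.IPv4Network("0.0.0.0/0")   # the default route
        else:
            m = str(ipaddress.IPv4Address(mask)) if mask != b"\0\0\0\0" else natural_mask(addr)
            net = ipaddress.IPv4Network((addr, m), strict=False)
        routes.append((net, metric, ipaddress.IPv4Address(nh), tag))
    return routes


def advertised(packets, cidr):
    """True if any captured response announces cidr with a reachable metric."""
    want = ipaddress.IPv4Network(cidr)
    return any(net == want and metric < RIP_INFINITY
               for pkt in packets
               for net, metric, _, _ in parse_rip_response(pkt))


def build_rip_response(entries, password=None):
    """Build a RIPv2 response from (cidr, metric) pairs; used only to construct the sample."""
    body = HEADER.pack(RIP_RESPONSE, 2, 0)
    if password is not None:
        # auth type 2 = simple password, 16 bytes, zero padded (RFC 2453 4.1)
        body += struct.pack("!HH16s", AUTH_FAMILY, 2, password)
    for cidr, metric in entries:
        net = ipaddress.IPv4Network(cidr)
        body += ENTRY.pack(AF_INET, 0, net.network_address.packed,
                           net.netmask.packed, b"\0\0\0\0", metric)  # next hop 0 = sender
    return body


# Constructed sample: what a router announcing two LANs, withdrawing a third
# and offering a default might send. Not captured from a real system.
SAMPLE = build_rip_response(
    [("10.1.2.0/24", 1), ("192.168.50.0/24", 2), ("10.9.0.0/16", RIP_INFINITY), ("0.0.0.0/0", 3)],
    password=b"secret")

if __name__ == "__main__":
    for net, metric, nh, tag in parse_rip_response(SAMPLE):
        state = "withdrawn" if metric >= RIP_INFINITY else "metric %d" % metric
        print("%-18s %s via %s tag %d" % (net, state, nh, tag))
    print("192.168.50.0/24 advertised:", advertised([SAMPLE], "192.168.50.0/24"))
    print("10.9.0.0/16 advertised:", advertised([SAMPLE], "10.9.0.0/16"))
```

To use this on real traffic, capture on the interface facing the other routers with `tcpdump -n -s0 -X udp port 520`, take the hex dump of the UDP payload (everything after the IP and UDP headers) and feed those bytes to `parse_rip_response`; tcpdump's own RIP decoder (`-v`) prints the same fields, so the decoder is mostly useful when you want to script the "is subnet X in any update from router Y" check across a longer capture. A subnet that appears only with metric 16 is being withdrawn, not advertised, which is worth distinguishing from a subnet that never appears at all.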