On 09/07/13 21:26, Ondrej Zajicek wrote:
> On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
>> Hi Daryl
>>
>> Thanks for that. However my problem isn't running OSPF over IPsec
>> but instead how to get the IPsec routes from the kernel to bird. From
>> there on to OSPF it's trivial. In the first place Bird needs to learn
>> the routes somehow...
> Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec
> transport mode instead of IPsec tunnel mode (and some routing protocol
> to announce remote subnets through tunnels), then you would have the
> prefixes of remote subnets in routing table instead of XFRM policy table
> and therefore you wouldn't even have this problem of how to get prefixes
> from XFRM.

Unfortunately that's not an option. The remote endpoints are our clients'
and business partners' gear - all sorts of HW gateways - Cisco, Juniper,
Amazon AWS VPC, Who-Knows-What - and I have no control over them. We're
stuck with plain IPsec.

> BIRD currently does not support importing prefixes from XFRM. Your
> approach (generating static routes and reconfiguring) is OK, perhaps a
> better idea would be to use another kernel table and create a simple
> script that would synchronise that kernel table with XFRM table. BIRD
> could learn such routes from that table. Such script could run very
> often (like once per 10 seconds) so you could get more or less
> realtime sync.

That's a good idea, will do that.

Thanks!

Michael
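The XFRM-to-kernel-table sync script that Ondrej suggests, written out as an added example; it is not code from this thread, from Michael, or from the BIRD project. It assumes kernel routing table 200 is reserved for this purpose (and referenced by no `ip rule`, so it feeds BIRD without touching forwarding), that remote subnets appear as the `dst` of `dir out` tunnel-mode policies in `ip xfrm policy`, and that the remote IPsec gateway (the template `dst`) is a usable next hop to record against them. The `ip xfrm policy` and `ip route show table 200` output embedded below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: mirror remote IPsec subnets from the XFRM policy table into a
# dedicated kernel routing table so BIRD can learn them with
#   protocol kernel { kernel table 200; learn; scan time 10; import all; export none; }
# Assumptions (not from the thread): table 200, `ip`/`awk` present, tunnel mode.

XFRM_TABLE=${XFRM_TABLE:-200}

# Read `ip xfrm policy` output on stdin and print "remote_prefix remote_gateway"
# for every outbound tunnel-mode policy. Inbound/forward policies describe the
# same subnets in reverse, and transport-mode policies carry no remote subnet,
# so both are skipped; the catch-all 0.0.0.0/0 policy is skipped as well.
xfrm_remote_prefixes() {
    awk '
        /^src /     { src = $2; dst = $4; dir = ""; peer = ""; mode = "" }
        /dir /      { for (i = 1; i <= NF; i++) if ($i == "dir")  dir  = $(i + 1) }
        /tmpl src / { for (i = 1; i <= NF; i++) if ($i == "dst")  peer = $(i + 1) }
        /mode /     { for (i = 1; i <= NF; i++) if ($i == "mode") mode = $(i + 1)
                      if (dir == "out" && mode == "tunnel" && dst != "0.0.0.0/0")
                          print dst, peer }
    '
}

# Emit the `ip route` commands that make the sync table ($2, output of
# `ip route show table N`) match the desired set ($1, "prefix gateway" lines).
# Stale prefixes are deleted first; `ip route replace` is idempotent, so
# re-running every few seconds does not flap routes that are already present.
sync_commands() {
    want=$1
    have=$2
    printf '%s\n' "$have" | while read -r prefix _rest; do
        [ -n "$prefix" ] || continue
        if ! printf '%s\n' "$want" | awk -v p="$prefix" '$1 == p { found = 1 } END { exit !found }'; then
            echo "ip route del $prefix table $XFRM_TABLE"
        fi
    done
    printf '%s\n' "$want" | while read -r prefix peer; do
        [ -n "$prefix" ] || continue
        echo "ip route replace $prefix via $peer table $XFRM_TABLE"
    done
}

# Real run: query the kernel and apply the generated commands.
sync_xfrm_to_table() {
    want=$(ip xfrm policy | xfrm_remote_prefixes)
    have=$(ip route show table "$XFRM_TABLE")
    sync_commands "$want" "$have" | sh -e
}

# Constructed sample `ip xfrm policy` output: two tunnels (with their in/fwd
# counterparts) plus one transport-mode policy that must be ignored.
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 192.168.50.0/24
    dir out priority 2000 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.2
        proto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.1.0.0/24
    dir in priority 2000 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.1.0.0/24
    dir fwd priority 2000 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.16.7.0/24
    dir out priority 2000 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.9
        proto esp reqid 2 mode tunnel
src 203.0.113.1/32 dst 203.0.113.5/32
    dir out priority 2000 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 3 mode transport'

# Constructed sample of the sync table: one route still valid, one stale
# (its tunnel was torn down and no longer has a policy).
SAMPLE_ROUTE_TABLE='192.168.50.0/24 via 198.51.100.2 dev eth0
10.99.0.0/16 via 198.51.100.4 dev eth0'

# Dry run over the constructed samples: prints the commands without executing.
demo_commands() {
    sync_commands "$(printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_remote_prefixes)" "$SAMPLE_ROUTE_TABLE"
}

if [ "${1:-}" = "--apply" ]; then
    sync_xfrm_to_table
else
    demo_commands
fi
```

Run it from cron or a loop with `--apply` every 10 seconds, as suggested above, and point a BIRD `kernel` protocol at table 200 with `learn` and a matching `scan time`. One thing to keep in mind: an XFRM policy exists as soon as the tunnel is configured, whether or not a security association is currently established, so prefixes reach BIRD (and from there OSPF) even while a peer is down; if that matters, check `ip xfrm state` for a live SA before treating the prefix as reachable.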
