Hi Brian,

When I did something like that, I didn't even dig so deep as to wed ipsec
tunnel policies with routing. IMHO it might work, but could hit you in an
unexpected way. The option with vti looks more straightforward to me -
those guys live separately and do not harm each other. I.e. ipsec does its
job with securing the tunnel, and routing is done over the usual interface
with no hidden pitfalls.

Regards,
Alexander

On Wed, Nov 20, 2024 at 6:48 AM Brian C. Hill via Bird-users <
[email protected]> wrote:

> Hello,
>
> I want to use bird to mutually propagate routes throughout several sites
> connected with vpn gateways, probably with ospf.
>
>     e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <->
> site B vpn gateway <-> hosts site B net(s), etc..
>
> I couldn't find many posts about the best strategy to use, and the ones I
> did find are many years old, but it seems to boil down to these options:
>
> • use a script to migrate xfrm route table (220) to a bird-readable table
>
> • use static routes inside bird
>
> • use vti instead of xfrm
>
> My questions:
>
> 1) Is it still the case that bird cannot read directly from the xfrm table?
> (I tried this with a pipe config but nothing gets imported)
>
> 2) What is the strategy that most of you are using now? (as opposed to
> many years ago)
>
> Thanks!
>
> Brian
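The vti approach Alexander recommends, as an added example that is not part of the thread and not BIRD's or strongSwan's own code: a POSIX shell script that prints the ip(8)/sysctl commands for one vti leg and a matching BIRD 2 OSPF configuration. Every address, the vti key, the interface names and the router id are constructed placeholders; the assumed mechanism is that the vti `key` equals the xfrm mark of the IPsec SA (set on the IKE daemon side, e.g. strongSwan's `mark` option), so the SA attaches to the interface and the xfrm policy table is never consulted by the routing daemon.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, but does not execute, the
# configuration for routing OSPF over a vti interface instead of xfrm policies.
# All addresses, keys and names below are constructed placeholders.
set -eu

# Print the commands that create a vti interface bound to the IPsec SA whose
# xfrm mark equals KEY. disable_policy=1 stops the kernel from applying
# xfrm policy checks to packets on the vti itself (they are already
# protected by the SA). Review, then pipe the output to sh on the gateway.
vti_commands() {
    ifname=$1 local_ip=$2 remote_ip=$3 key=$4 ptp_addr=$5
    cat <<EOF
ip link add $ifname type vti local $local_ip remote $remote_ip key $key
ip addr add $ptp_addr dev $ifname
ip link set $ifname up
sysctl -w net.ipv4.conf.$ifname.disable_policy=1
EOF
}

# Print a BIRD 2 configuration that runs OSPF as point-to-point over every
# interface matching IFPATTERN (e.g. "vti*") and announces the LAN interface
# as a stub, so site prefixes are exchanged only across the IPsec tunnels.
bird_ospf_config() {
    ifpattern=$1 router_id=$2 lan_if=$3
    cat <<EOF
router id $router_id;

protocol device { }

# Install learned routes into the main kernel table; no xfrm table involved.
protocol kernel { ipv4 { export all; }; }

protocol ospf v2 site_mesh {
    ipv4 { import all; export all; };
    area 0 {
        interface "$ifpattern" { type ptp; cost 10; };
        interface "$lan_if" { stub; };
    };
}
EOF
}

# Usage (constructed values): site A gateway facing the concentrator.
if [ "${1:-}" = "demo" ]; then
    vti_commands vti0 203.0.113.1 198.51.100.1 42 10.255.0.1/30
    bird_ospf_config 'vti*' 10.255.0.1 eth1
fi
```

Run `sh script.sh demo` to see both outputs; each site gets its own vti key and /30, and the concentrator runs the same BIRD config with one vti per spoke, so OSPF adjacencies form only over the encrypted interfaces.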
