On 11/19/24 11:35 PM, Brian C. Hill via Bird-users wrote:
Hello,

Hi,

Pre-script, this touches on multiple things that I'm interested in and / or actively working on, so I'm going to throw my hat into the ring. But I could be so far off the mark that it's not even remotely funny.

I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.

Okay,

    e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..

ACK

I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:

    • use a script to migrate xfrm route table (220) to a bird-readable table

The last time I worked with bird and multiple routing tables, I found that I could choose what routing table I wanted bird to look at / work with.

Though admittedly I did eventually end up using an additional routing table for some reason other than bird's ability to see into it. I think it had to do with state and complications like too many cooks in the kitchen.

    • use static routes inside bird

:-/

    • use vti instead of xfrm

You mention OSPF, so I'll ask, how are you going to establish an OSPF adjacency without an L2 tunnel between the VPN gateway(s) and the VPN concentrator? Won't OSPF alone sort of necessitate the VTI -or- another tunnel (GRE?) that is itself protected by IPsec?

My questions:

1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)

I believe that bird can be made to work with whatever routing table ID you want.

I thought that xfrm could also be made to work with whatever routing table ID you want.

There seems like a lot of flexibility and capability here. Though the question may be more "should you" and less "can you".

2) What is the strategy that most of you are using now? (as opposed to many years ago)

I'm wanting to not use VTIs for a project that I'm working on, but I'm suspecting that I'm going to have my hand forced to VTIs for various reasons; e.g. iptables conditionally altering behavior based on an interface (VTI) state.

Thanks!

You're welcome.

I'd be very curious to learn more about what you're doing to see if it will help me in what I'm doing. :-)



--
Grant. . . .
unix || die
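Grant's point that bird can be pointed at any routing table ID, as an added configuration example that is not from this thread or from either poster: a BIRD 2 config that reads kernel table 220 with the kernel protocol's `learn` option, pipes the learned routes into master4 and announces them over OSPF on VTI interfaces. The table and protocol names, the 10.0.0.0/8 site prefix and the "vti*" interface pattern are assumptions, and whether this matches the original poster's environment is untested.

```conf
# Added example (not from the thread): sync kernel table 220 (where xfrm
# policy routes from an IKE daemon typically land) into a dedicated BIRD
# table, pipe it into master4 and export it over OSPF on VTI links.
# Names, the 10.0.0.0/8 prefix and "vti*" are assumptions.

ipv4 table t_xfrm;          # holds routes learned from kernel table 220

protocol device { }

# 'learn' makes BIRD import routes it did not install itself; without it
# table 220 is scanned but nothing reaches t_xfrm, which is one reason a
# pipe-only setup can appear to import nothing.
protocol kernel k_xfrm {
    kernel table 220;
    learn;
    scan time 10;
    ipv4 {
        table t_xfrm;
        import all;
        export none;        # never write BIRD routes back into table 220
    };
}

# Copy the learned xfrm routes into the main BIRD table.
protocol pipe p_xfrm {
    table master4;
    peer table t_xfrm;
    import all;             # peer table (t_xfrm) -> master4
    export none;
}

# Ordinary kernel protocol for the main kernel table.
protocol kernel k_main {
    ipv4 { export all; };
}

# OSPF needs an L3 link to form an adjacency, hence the VTI devices.
protocol ospf v2 {
    ipv4 {
        import all;
        export filter {
            if net ~ [ 10.0.0.0/8+ ] then accept;   # assumed site prefixes
            reject;
        };
    };
    area 0 {
        interface "vti*" { type ptp; };
    };
}
```

After loading it, `birdc show route table t_xfrm` should list the routes learned from table 220; if it is empty, check that the routes in table 220 are really present (`ip route show table 220`) and not owned by BIRD itself.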
