Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-28 Thread TomK

On 10/26/2020 8:42 AM, TomK wrote:

On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:

On 26.10.20 05:47, TomK wrote:

Hey All,

I've configured the VTI's and routing is now fully working between the
9 VLAN's.

XFRM, as far as I can tell, isn't as well documented.  I might try
this later on to see if OpenWRT supports it.

Thx,

On 10/25/2020 9:48 PM, TomK wrote:

Hey Noel,

I have four VLAN's on the Azure side.  I need all these VLAN's
visible to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem
GW can see those Azure VLAN's.  The mapping works well.

However, the on-prem StrongSwan GW running on my Raspberry Pi 2
(OpenWRT) isn't redistributing the Azure VLAN's at the moment since
they are sitting in table 220 where OSPF can't see them.

  From the Azure side, I can ping the on-prem GW just fine, including
the ability to ssh to the on-prem OpenWRT GW from Azure. However, I
can't ping any of the other on-prem VLAN's from the Azure side, of
course. Not until OSPF sees the Azure VLAN's I'm thinking.

This is mostly a POC so I have plenty of room to experiment. This is
the goal.

Cheers,
TK


On 10/25/2020 8:51 PM, Noel Kuntze wrote:

Hello Tom,

That is the right wiki page.
What I forgot to mention though is that with interfaces, you can
then talk your routing protocol over it.
It does not give you information about the subnets though for which
IPsec policies are installed.

What is the goal of this in the end?

Kind regards

Noel

On 26.10.20 at 01:33, TomK wrote:

Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or
Quagga.

I'll have a look at the pages again to see what it takes to create
these.  Thinking this is still the right page for VTI and XFRM
information?

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:

Hi Tom,

The routes in table 220 are only used to tell the kernel which
source IP to use for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes
in table 220 are not necessarily complete.

A better solution for your use case would be to use route based
IPsec by using dedicated VTIs or XFRM interfaces and running
OSPF/BGP/whatever over those virtual links.

Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from
StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
254)?

The XFRM policy based rules are saved in table 220 while Quagga
(OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
on-prem GW paired up with one of the Cloud providers.  The
connection is established fine however I can't ping the remote
VLAN's from any other device on the on-prem network except from
the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the
rules.  Or at least find another way to export the rules in table
220 and into table 254.  Either import from or export to would
work but I haven't been able to find articles on the web
addressing this issue.

Is this possible?

Hi,


I wrote two blog articles explaining how to do route based VPN
with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,


I'll check it out.  Thank you.


I've tossed in a post as well:

https://microdevsys.com/wp/microsoft-azure-to-cloudera-cdh-via-vpn-gateway/

Included all the issues and successes I encountered along the way.  Hope 
that helps someone.


--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-26 Thread TomK

On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:

On 26.10.20 05:47, TomK wrote:

Hey All,

I've configured the VTI's and routing is now fully working between the
9 VLAN's.

XFRM, as far as I can tell, isn't as well documented.  I might try
this later on to see if OpenWRT supports it.

Thx,

On 10/25/2020 9:48 PM, TomK wrote:

Hey Noel,

I have four VLAN's on the Azure side.  I need all these VLAN's
visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
GW can see those Azure VLAN's.  The mapping works well.

However, the on-prem StrongSwan GW running on my Raspberry Pi 2
(OpenWRT) isn't redistributing the Azure VLAN's at the moment since
they are sitting in table 220 where OSPF can't see them.

  From the Azure side, I can ping the on-prem GW just fine, including
the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
can't ping any of the other on-prem VLAN's from the Azure side, of
course. Not until OSPF sees the Azure VLAN's I'm thinking.

This is mostly a POC so I have plenty of room to experiment. This is
the goal.

Cheers,
TK


On 10/25/2020 8:51 PM, Noel Kuntze wrote:

Hello Tom,

That is the right wiki page.
What I forgot to mention though is that with interfaces, you can
then talk your routing protocol over it.
It does not give you information about the subnets though for which
IPsec policies are installed.

What is the goal of this in the end?

Kind regards

Noel

On 26.10.20 at 01:33, TomK wrote:

Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or
Quagga.

I'll have a look at the pages again to see what it takes to create
these.  Thinking this is still the right page for VTI and XFRM
information?

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:

Hi Tom,

The routes in table 220 are only used to tell the kernel which
source IP to use for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes
in table 220 are not necessarily complete.

A better solution for your use case would be to use route based
IPsec by using dedicated VTIs or XFRM interfaces and running
OSPF/BGP/whatever over those virtual links.

Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from
StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
254)?

The XFRM policy based rules are saved in table 220 while Quagga
(OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
on-prem GW paired up with one of the Cloud providers.  The
connection is established fine however I can't ping the remote
VLAN's from any other device on the on-prem network except from
the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the
rules.  Or at least find another way to export the rules in table
220 and into table 254.  Either import from or export to would
work but I haven't been able to find articles on the web
addressing this issue.

Is this possible?

Hi,


I wrote two blog articles explaining how to do route based VPN
with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,


I'll check it out.  Thank you.

--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-26 Thread Michael Schwartzkopff
On 26.10.20 05:47, TomK wrote:
> Hey All,
>
> I've configured the VTI's and routing is now fully working between the
> 9 VLAN's.
>
> XFRM, as far as I can tell, isn't as well documented.  I might try
> this later on to see if OpenWRT supports it.
>
> Thx,
>
> On 10/25/2020 9:48 PM, TomK wrote:
>> Hey Noel,
>>
>> I have four VLAN's on the Azure side.  I need all these VLAN's
>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
>> GW can see those Azure VLAN's.  The mapping works well.
>>
>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>> they are sitting in table 220 where OSPF can't see them.
>>
>>  From the Azure side, I can ping the on-prem GW just fine, including
>> the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
>> can't ping any of the other on-prem VLAN's from the Azure side, of
>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>>
>> This is mostly a POC so I have plenty of room to experiment. This is
>> the goal.
>>
>> Cheers,
>> TK
>>
>>
>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>> Hello Tom,
>>>
>>> That is the right wiki page.
>>> What I forgot to mention though is that with interfaces, you can
>>> then talk your routing protocol over it.
>>> It does not give you information about the subnets though for which
>>> IPsec policies are installed.
>>>
>>> What is the goal of this in the end?
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 26.10.20 at 01:33, TomK wrote:
>>>> Hey Noel,
>>>>
>>>> Thanks.  That would certainly make it automatic with either BIRD or
>>>> Quagga.
>>>>
>>>> I'll have a look at the pages again to see what it takes to create
>>>> these.  Thinking this is still the right page for VTI and XFRM
>>>> information?
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>>
>>>> Cheers,
>>>> TK
>>>>
>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>> Hi Tom,
>>>>>
>>>>> The routes in table 220 are only used to tell the kernel which
>>>>> source IP to use for sending packets to a remote network.
>>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>>> Also, routes are only added if they are required, so those routes
>>>>> in table 220 are not necessarily complete.
>>>>>
>>>>> A better solution for your use case would be to use route based
>>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>>> OSPF/BGP/whatever over those virtual links.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> On 25.10.20 at 19:05, TomK wrote:
>>>>>> Hey All,
>>>>>>
>>>>>> I'm interested in finding out how to import routes from
>>>>>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>>>>>> 254)?
>>>>>>
>>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>>>>>> on-prem GW paired up with one of the Cloud providers.  The
>>>>>> connection is established fine however I can't ping the remote
>>>>>> VLAN's from any other device on the on-prem network except from
>>>>>> the on-prem GW itself.
>>>>>>
>>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>>> rules.  Or at least find another way to export the rules in table
>>>>>> 220 and into table 254.  Either import from or export to would
>>>>>> work but I haven't been able to find articles on the web
>>>>>> addressing this issue.
>>>>>>
>>>>>> Is this possible?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>

Hi,


I wrote two blog articles explaining how to do route based VPN
with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein






Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread Noel Kuntze
Hello Tom,

That is the right wiki page.
What I forgot to mention though is that with interfaces, you can then talk your 
routing protocol over it.
It does not give you information about the subnets though for which IPsec 
policies are installed.

What is the goal of this in the end?

Kind regards

Noel

On 26.10.20 at 01:33, TomK wrote:
> Hey Noel,
> 
> Thanks.  That would certainly make it automatic with either BIRD or Quagga.
> 
> I'll have a look at the pages again to see what it takes to create these.  
> Thinking this is still the right page for VTI and XFRM information?
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
> 
> Cheers,
> TK
> 
> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>> Hi Tom,
>>
>> The routes in table 220 are only used to tell the kernel which source IP to 
>> use for sending packets to a remote network.
>> They aren't part of XFRM and only tangentially pertain to IPsec.
>> Also, routes are only added if they are required, so those routes in table 
>> 220 are not necessarily complete.
>>
>> A better solution for your use case would be to use route based IPsec by 
>> using dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over 
>> those virtual links.
>>
>> Kind regards
>>
>> Noel
>>
>> On 25.10.20 at 19:05, TomK wrote:
>>> Hey All,
>>>
>>> I'm interested in finding out how to import routes from StrongSwan IPSec 
>>> installed XFRM tables (220) into Quagga (OSPF, 254)?
>>>
>>> The XFRM policy based rules are saved in table 220 while Quagga (OSPF) 
>>> saves the routes in table 254.  I have an IPSec StrongSwan on-prem GW 
>>> paired up with one of the Cloud providers.  The connection is established 
>>> fine however I can't ping the remote VLAN's from any other device on the 
>>> on-prem network except from the on-prem GW itself.
>>>
>>> I would like to make OSPF aware of table 220 so it can import the rules.  
>>> Or at least find another way to export the rules in table 220 and into 
>>> table 254.  Either import from or export to would work but I haven't been 
>>> able to find articles on the web addressing this issue.
>>>
>>> Is this possible?
>>>
>>
> 
> 





Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread TomK

Hey All,

I've configured the VTI's and routing is now fully working between the 9 
VLAN's.


XFRM, as far as I can tell, isn't as well documented.  I might try this 
later on to see if OpenWRT supports it.


Thx,

On 10/25/2020 9:48 PM, TomK wrote:

Hey Noel,

I have four VLAN's on the Azure side.  I need all these VLAN's visible 
to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem GW can see 
those Azure VLAN's.  The mapping works well.


However, the on-prem StrongSwan GW running on my Raspberry Pi 2 
(OpenWRT) isn't redistributing the Azure VLAN's at the moment since they 
are sitting in table 220 where OSPF can't see them.


 From the Azure side, I can ping the on-prem GW just fine, including the 
ability to ssh to the on-prem OpenWRT GW from Azure.  However, I can't 
ping any of the other on-prem VLAN's from the Azure side, of course. Not 
until OSPF sees the Azure VLAN's I'm thinking.


This is mostly a POC so I have plenty of room to experiment. This is the 
goal.


Cheers,
TK


On 10/25/2020 8:51 PM, Noel Kuntze wrote:

Hello Tom,

That is the right wiki page.
What I forgot to mention though is that with interfaces, you can then 
talk your routing protocol over it.
It does not give you information about the subnets though for which 
IPsec policies are installed.


What is the goal of this in the end?

Kind regards

Noel

On 26.10.20 at 01:33, TomK wrote:

Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or 
Quagga.


I'll have a look at the pages again to see what it takes to create 
these.  Thinking this is still the right page for VTI and XFRM 
information?


https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:

Hi Tom,

The routes in table 220 are only used to tell the kernel which 
source IP to use for sending packets to a remote network.

They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes in 
table 220 are not necessarily complete.


A better solution for your use case would be to use route based 
IPsec by using dedicated VTIs or XFRM interfaces and running 
OSPF/BGP/whatever over those virtual links.


Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from StrongSwan 
IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?


The XFRM policy based rules are saved in table 220 while Quagga 
(OSPF) saves the routes in table 254.  I have an IPSec StrongSwan 
on-prem GW paired up with one of the Cloud providers.  The 
connection is established fine however I can't ping the remote 
VLAN's from any other device on the on-prem network except from the 
on-prem GW itself.


I would like to make OSPF aware of table 220 so it can import the 
rules.  Or at least find another way to export the rules in table 
220 and into table 254.  Either import from or export to would work 
but I haven't been able to find articles on the web addressing this 
issue.


Is this possible?

--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread TomK

Hey Noel,

I have four VLAN's on the Azure side.  I need all these VLAN's visible 
to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem GW can see 
those Azure VLAN's.  The mapping works well.


However, the on-prem StrongSwan GW running on my Raspberry Pi 2 
(OpenWRT) isn't redistributing the Azure VLAN's at the moment since they 
are sitting in table 220 where OSPF can't see them.


From the Azure side, I can ping the on-prem GW just fine, including the 
ability to ssh to the on-prem OpenWRT GW from Azure.  However, I can't 
ping any of the other on-prem VLAN's from the Azure side, of course. Not 
until OSPF sees the Azure VLAN's I'm thinking.


This is mostly a POC so I have plenty of room to experiment. This is the 
goal.


Cheers,
TK


On 10/25/2020 8:51 PM, Noel Kuntze wrote:

Hello Tom,

That is the right wiki page.
What I forgot to mention though is that with interfaces, you can then talk your 
routing protocol over it.
It does not give you information about the subnets though for which IPsec 
policies are installed.

What is the goal of this in the end?

Kind regards

Noel

On 26.10.20 at 01:33, TomK wrote:

Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or Quagga.

I'll have a look at the pages again to see what it takes to create these.  
Thinking this is still the right page for VTI and XFRM information?

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:

Hi Tom,

The routes in table 220 are only used to tell the kernel which source IP to use 
for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes in table 220 
are not necessarily complete.

A better solution for your use case would be to use route based IPsec by using 
dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those 
virtual links.

Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from StrongSwan IPSec 
installed XFRM tables (220) into Quagga (OSPF, 254)?

The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves 
the routes in table 254.  I have an IPSec StrongSwan on-prem GW paired up with 
one of the Cloud providers.  The connection is established fine however I can't 
ping the remote VLAN's from any other device on the on-prem network except from 
the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the rules.  Or at 
least find another way to export the rules in table 220 and into table 254.  
Either import from or export to would work but I haven't been able to find 
articles on the web addressing this issue.

Is this possible?

--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread Noel Kuntze
Hi Tom,

The routes in table 220 are only used to tell the kernel which source IP to use 
for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes in table 220 
are not necessarily complete.

A better solution for your use case would be to use route based IPsec by using 
dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those 
virtual links.

Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:
> Hey All,
> 
> I'm interested in finding out how to import routes from StrongSwan IPSec 
> installed XFRM tables (220) into Quagga (OSPF, 254)?
> 
> The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves 
> the routes in table 254.  I have an IPSec StrongSwan on-prem GW paired up 
> with one of the Cloud providers.  The connection is established fine however 
> I can't ping the remote VLAN's from any other device on the on-prem network 
> except from the on-prem GW itself.
> 
> I would like to make OSPF aware of table 220 so it can import the rules.  Or 
> at least find another way to export the rules in table 220 and into table 
> 254.  Either import from or export to would work but I haven't been able to 
> find articles on the web addressing this issue.
> 
> Is this possible?
> 
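
The reply above says the routes in table 220 are not necessarily complete, which can be checked by comparing the outbound IPsec policy selectors with the routes in that table. This is an added example, not part of the original message or of strongSwan; the `ip xfrm policy` and `ip route show table 220` outputs below are constructed and abridged, with made-up subnets and addresses.

```python
import ipaddress
import re

# Constructed, abridged `ip xfrm policy` output (made-up subnets and peers).
XFRM_POLICY = """\
src 192.168.0.0/24 dst 10.10.1.0/24
    dir out priority 375423
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.10.1.0/24 dst 192.168.0.0/24
    dir in priority 375423
src 192.168.0.0/24 dst 10.10.2.0/24
    dir out priority 375423
src 192.168.0.0/24 dst 10.10.3.0/24
    dir out priority 375423
src 192.168.0.0/24 dst 10.10.4.0/24
    dir out priority 375423
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
"""

# Constructed `ip route show table 220` output: only two of four remote nets.
TABLE_220 = """\
10.10.1.0/24 via 192.168.0.1 dev eth0 proto static src 192.168.0.254
10.10.2.0/24 via 192.168.0.1 dev eth0 proto static src 192.168.0.254
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")
NON_FORWARDING = {"throw", "unreachable", "prohibit", "blackhole"}


def outbound_policy_subnets(text):
    """Return the destination networks of all `dir out` policies."""
    subnets, dst = set(), None
    for line in text.splitlines():
        match = SELECTOR.match(line)      # selector lines start at column 0
        if match:
            dst = match.group(2)
        elif dst and line.split()[:2] == ["dir", "out"]:
            subnets.add(ipaddress.ip_network(dst))
            dst = None                    # per-socket policies never get here
    return subnets


def table_routes(text):
    """Return the prefixes of forwarding routes in an `ip route show` dump."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in NON_FORWARDING:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.add(ipaddress.ip_network(prefix))
    return routes


def policies_without_route(policy_text, route_text):
    """Remote subnets protected by a policy but not covered by any route."""
    routes = table_routes(route_text)
    missing = [
        p for p in outbound_policy_subnets(policy_text)
        if not any(p.version == r.version and p.subnet_of(r) for r in routes)
    ]
    return sorted(missing, key=lambda n: (n.version, n))


if __name__ == "__main__":
    for net in policies_without_route(XFRM_POLICY, TABLE_220):
        print(f"policy for {net} has no route in table 220")
```

Any subnet this reports would never reach OSPF if table 220 were the redistribution source, which is the gap that running the routing protocol over a VTI or XFRM interface avoids.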





Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread TomK

Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or 
Quagga.


I'll have a look at the pages again to see what it takes to create 
these.  Thinking this is still the right page for VTI and XFRM information?


https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:

Hi Tom,

The routes in table 220 are only used to tell the kernel which source IP to use 
for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes in table 220 
are not necessarily complete.

A better solution for your use case would be to use route based IPsec by using 
dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those 
virtual links.

Kind regards

Noel

On 25.10.20 at 19:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from StrongSwan IPSec 
installed XFRM tables (220) into Quagga (OSPF, 254)?

The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves 
the routes in table 254.  I have an IPSec StrongSwan on-prem GW paired up with 
one of the Cloud providers.  The connection is established fine however I can't 
ping the remote VLAN's from any other device on the on-prem network except from 
the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the rules.  Or at 
least find another way to export the rules in table 220 and into table 254.  
Either import from or export to would work but I haven't been able to find 
articles on the web addressing this issue.

Is this possible?






--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread TomK
That's certainly an option I've reviewed.  Whatever the option, would 
like to keep customization to nothing, if possible.


Cheers,
TK

On 10/25/2020 3:03 PM, Volodymyr Litovka wrote:


Hi,

if it's an option, you can consider Bird, which can import from a specified
table - https://bird.network.cz/?get_doc=20=bird-6.html#ss6.6 :


|kernel table /number/|

Select which kernel table should this particular instance of the
Kernel protocol work with. Available only on systems supporting
multiple routing tables.


On 25.10.2020 20:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from StrongSwan 
IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?


The XFRM policy based rules are saved in table 220 while Quagga 
(OSPF) saves the routes in table 254.  I have an IPSec StrongSwan 
on-prem GW paired up with one of the Cloud providers.  The connection 
is established fine however I can't ping the remote VLAN's from any 
other device on the on-prem network except from the on-prem GW itself.


I would like to make OSPF aware of table 220 so it can import the 
rules.  Or at least find another way to export the rules in table 220 
and into table 254.  Either import from or export to would work but I 
haven't been able to find articles on the web addressing this issue.


Is this possible?


--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison



--
Thx,
TK.


Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-25 Thread Volodymyr Litovka

Hi,

if it's an option, you can consider Bird, which can import from a specified
table - https://bird.network.cz/?get_doc=20=bird-6.html#ss6.6 :

|kernel table /number/|

   Select which kernel table should this particular instance of the
   Kernel protocol work with. Available only on systems supporting
   multiple routing tables.


On 25.10.2020 20:05, TomK wrote:

Hey All,

I'm interested in finding out how to import routes from StrongSwan
IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?

The XFRM policy based rules are saved in table 220 while Quagga (OSPF)
saves the routes in table 254.  I have an IPSec StrongSwan on-prem GW
paired up with one of the Cloud providers.  The connection is
established fine however I can't ping the remote VLAN's from any other
device on the on-prem network except from the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the
rules.  Or at least find another way to export the rules in table 220
and into table 254.  Either import from or export to would work but I
haven't been able to find articles on the web addressing this issue.

Is this possible?


--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison