Hey All,
I've configured the VTI's and routing is now fully working between the 9
VLAN's.
XFRM, as far as I can tell, isn't as well documented. I might try this
later on to see if OpenWRT supports it.
Thx,
On 10/25/2020 9:48 PM, TomK wrote:
Hey Noel,
I have four VLAN's on the Azure side. I need all these VLAN's visible
to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem GW can see
those Azure VLAN's. The mapping works well.
However, the on-prem StrongSwan GW running on my Raspberry Pi 2
(OpenWRT) isn't redistributing the Azure VLAN's at the moment since they
are sitting in table 220 where OSPF can't see them.
From the Azure side, I can ping the on-prem GW just fine, including the
ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't
ping any of the other on-prem VLAN's from the Azure side, of course. Not
until OSPF sees the Azure VLAN's I'm thinking.
This is mostly a POC so I have plenty of room to experiment. This is the
goal.
Cheers,
TK
On 10/25/2020 8:51 PM, Noel Kuntze wrote:
Hello Tom,
That is the right wiki page.
What I forgot to mention though is that with interfaces, you can then
talk your routing protocol over it.
It does not give you information about the subnets though for which
IPsec policies are installed.
What is the goal of this in the end?
Kind regards
Noel
On 26.10.20 at 01:33, TomK wrote:
Hey Noel,
Thanks. That would certainly make it automatic with either BIRD or
Quagga.
I'll have a look at the pages again to see what it takes to create
these. Thinking this is still the right page for VTI and XFRM
information?
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
Cheers,
TK
On 10/25/2020 4:59 PM, Noel Kuntze wrote:
Hi Tom,
The routes in table 220 are only used to tell the kernel which
source IP to use for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain to IPsec.
Also, routes are only added if they are required, so those routes in
table 220 are not necessarily complete.
A better solution for your use case would be to use route based
IPsec by using dedicated VTIs or XFRM interfaces and running
OSPF/BGP/whatever over those virtual links.
Kind regards
Noel
On 25.10.20 at 19:05, TomK wrote:
Hey All,
I'm interested in finding out how to import routes from StrongSwan
IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?
The XFRM policy based rules are saved in table 220 while Quagga
(OSPF) saves the routes in table 254. I have an IPSec StrongSwan
on-prem GW paired up with one of the Cloud providers. The
connection is established fine; however, I can't ping the remote
VLAN's from any other device on the on-prem network except from the
on-prem GW itself.
I would like to make OSPF aware of table 220 so it can import the
rules. Or at least find another way to export the rules in table
220 and into table 254. Either import from or export to would work
but I haven't been able to find articles on the web addressing this
issue.
Is this possible?
--
Thx,
TK.
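The route-based setup Noel recommends, as an added example that is not part of the thread: an XFRM interface bound to the IPsec SA by if_id, with OSPF running over it as a point-to-point link, so the cloud subnets arrive in table 254 and table 220 is never consulted. Interface name, underlay device, if_id, tunnel address and connection name are placeholder assumptions.

```sh
# Added example, not from the thread: route-based IPsec over an XFRM interface,
# the setup Noel suggests, so OSPF runs over the tunnel instead of table 220.
# Placeholders: ipsec0 on underlay eth0, if_id 42, tunnel address 10.255.0.1/30.
# Needs strongSwan >= 5.8, Linux >= 4.19 and iproute2's ip; apply as root.
# swanctl.conf fragment: wide-open traffic selectors, SA bound to the interface
# via if_id. Also set charon.install_routes = no in strongswan.conf so charon
# adds no table-220 routes. Auth sections and secrets are omitted here.
render_swanctl_conn() {
  # $1 local address, $2 remote address, $3 if_id
  cat <<EOF
connections {
  azure {
    local_addrs = $1
    remote_addrs = $2
    if_id_in = $3
    if_id_out = $3
    children {
      azure {
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        start_action = start
      }
    }
  }
}
EOF
}
# ospfd.conf fragment: the tunnel is a point-to-point link, so routes learned
# from the cloud side land in table 254 like any other OSPF route.
render_ospfd_conf() {
  # $1 interface name, $2 tunnel subnet
  cat <<EOF
interface $1
 ip ospf network point-to-point
router ospf
 network $2 area 0
EOF
}
# Create the XFRM interface with the same if_id and bring it up; multicast is
# switched on explicitly because OSPF hellos are sent to 224.0.0.5.
apply_xfrm_iface() {
  # $1 interface name, $2 underlay device, $3 if_id, $4 tunnel address
  ip link add "$1" type xfrm dev "$2" if_id "$3"
  ip addr add "$4" dev "$1"
  ip link set dev "$1" multicast on up
}
if [ "${1:-}" = apply ]; then
  apply_xfrm_iface ipsec0 eth0 42 10.255.0.1/30
fi
```

Run with `sh script.sh apply` as root to create the interface; the rendered fragments go into swanctl.conf and ospfd.conf respectively, and the cloud side needs a matching tunnel address in the same /30.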