On 26.10.20 05:47, TomK wrote:
> Hey All,
>
> I've configured the VTI's and routing is now fully working between the 9 VLAN's.
>
> XFRM, as far as I can tell, isn't as well documented. I might try this later on to see if OpenWRT supports it.
>
> Thx,
>
> On 10/25/2020 9:48 PM, TomK wrote:
>> Hey Noel,
>>
>> I have four VLAN's on the Azure side. I need all these VLAN's visible to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem GW can see those Azure VLAN's. The mapping works well.
>>
>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2 (OpenWRT) isn't redistributing the Azure VLAN's at the moment since they are sitting in table 220 where OSPF can't see them.
>>
>> From the Azure side, I can ping the on-prem GW just fine, including the ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't ping any of the other on-prem VLAN's from the Azure side, of course. Not until OSPF sees the Azure VLAN's, I'm thinking.
>>
>> This is mostly a POC so I have plenty of room to experiment. This is the goal.
>>
>> Cheers,
>> TK
>>
>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>> Hello Tom,
>>>
>>> That is the right wiki page.
>>> What I forgot to mention though is that with interfaces, you can then talk your routing protocol over it.
>>> It does not give you information about the subnets though for which IPsec policies are installed.
>>>
>>> What is the goal of this in the end?
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 26.10.20 at 01:33, TomK wrote:
>>>> Hey Noel,
>>>>
>>>> Thanks. That would certainly make it automatic with either BIRD or Quagga.
>>>>
>>>> I'll have a look at the pages again to see what it takes to create these. Thinking this is still the right page for VTI and XFRM information?
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>>
>>>> Cheers,
>>>> TK
>>>>
>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>> Hi Tom,
>>>>>
>>>>> The routes in table 220 are only used to tell the kernel which source IP to use for sending packets to a remote network.
>>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>>> Also, routes are only added if they are required, so those routes in table 220 are not necessarily complete.
>>>>>
>>>>> A better solution for your use case would be to use route based IPsec by using dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those virtual links.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> On 25.10.20 at 19:05, TomK wrote:
>>>>>> Hey All,
>>>>>>
>>>>>> I'm interested in finding out how to import routes from StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?
>>>>>>
>>>>>> The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves the routes in table 254. I have an IPSec StrongSwan on-prem GW paired up with one of the Cloud providers. The connection is established fine, however I can't ping the remote VLAN's from any other device on the on-prem network except from the on-prem GW itself.
>>>>>>
>>>>>> I would like to make OSPF aware of table 220 so it can import the rules. Or at least find another way to export the rules in table 220 and into table 254. Either import from or export to would work, but I haven't been able to find articles on the web addressing this issue.
>>>>>>
>>>>>> Is this possible?
Hi,

I wrote two blog articles explaining how to do route-based VPN with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of management: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
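The route-based setup Noel recommends in the thread (an XFRM interface with the routing protocol run over it, rather than scraping table 220), as an added example that is not from the thread, the blog posts or the strongSwan project. It assumes the interface name ipsec0, if_id 42, underlay device eth0, and constructed addresses (10.255.0.0/30 for the tunnel, 203.0.113.10 for the cloud gateway); run it with `apply` as root to create the interface, or with DRY_RUN=1 to only print the commands.

```shell
# Added example, not from the thread or the strongSwan project: bring up an
# XFRM interface for route-based IPsec so OSPF runs over an ordinary interface
# instead of trying to read the source-IP routes out of table 220.
# Interface name, if_id, underlay device and all addresses are assumed values.
set -eu
XFRMI_NAME="${XFRMI_NAME:-ipsec0}"           # assumed interface name
XFRMI_ID="${XFRMI_ID:-42}"                   # must equal if_id_in/if_id_out below
UNDERLAY="${UNDERLAY:-eth0}"                 # device that carries the ESP packets
TUNNEL_ADDR="${TUNNEL_ADDR:-10.255.0.1/30}"  # constructed p2p address for OSPF
TUNNEL_NET="${TUNNEL_NET:-10.255.0.0/30}"    # matching p2p prefix
# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Create the XFRM interface. SAs and policies tagged with the same if_id deliver
# their traffic through it, so the normal routing table decides what is tunnelled.
xfrmi_create() {
    run ip link add "$XFRMI_NAME" type xfrm dev "$UNDERLAY" if_id "$XFRMI_ID"
    run ip addr add "$TUNNEL_ADDR" dev "$XFRMI_NAME"
    run ip link set "$XFRMI_NAME" up
}

# swanctl.conf connection bound to the interface via if_id; 0.0.0.0/0 traffic
# selectors let routing, not the IPsec policy, choose what enters the tunnel.
swanctl_fragment() {
    cat <<EOF
connections {
    cloud {
        # constructed cloud gateway address
        remote_addrs = 203.0.113.10
        if_id_in = $XFRMI_ID
        if_id_out = $XFRMI_ID
        children {
            all {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
EOF
}

# Quagga ospfd fragment: treat the tunnel as a point-to-point link and include
# its prefix so cloud subnets learned over it are advertised to the other VLANs.
ospf_fragment() {
    printf 'interface %s\n ip ospf network point-to-point\n' "$XFRMI_NAME"
    printf 'router ospf\n network %s area 0\n' "$TUNNEL_NET"
}
if [ "${1:-}" = "apply" ]; then xfrmi_create; fi
```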
