Exporting IPSec routes to OSPF

Michael Ludvig mludvig at logix.net.nz
Wed Jul 10 00:54:39 CEST 2013


On 09/07/13 21:26, Ondrej Zajicek wrote:
> On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
>> Hi Daryl
>>
>> Thanks for that. However my problem isn't running OSPF over IPsec
>> but instead how to get the IPsec routes from the kernel to bird. From
>> there on to OSPF it's trivial. In the first place Bird needs to learn
>> the routes somehow...
> Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec
> transport mode instead of IPsec tunnel mode (and some routing protocol
> to announce remote subnets through tunnels), then you would have the
> prefixes of remote subnets in routing table instead of XFRM policy table
> and therefore you wouldn't even have this problem of how to get prefixes
> from XFRM.

Unfortunately that's not an option. The remote endpoints are our
clients' and business partners' gear, all sorts of HW gateways -
Cisco, Juniper, Amazon AWS VPC, Who-Knows-What - and I have no control
over them. We're stuck with plain IPsec.

> BIRD currently does not support importing prefixes from XFRM. Your
> approach (generating static routes and reconfiguring) is OK, perhaps
> a better idea would be to use another kernel table and create a simple
> script that would synchronise that kernel table with the XFRM table. BIRD
> could learn such routes from that table. Such a script could run very
> often (like once per 10 seconds) so you could get more or less
> realtime sync.

That's a good idea, will do that. Thanks!

Michael
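
The kernel-table sync suggested in the quoted reply could look like the sketch below; it is an added example, not code from this thread or from the BIRD project. The table number 100, the device eth0 and the sample policy lines are assumptions constructed for illustration, and the script prints the `ip route` commands instead of running them.

```shell
#!/bin/sh
# Added example: plan the sync of a dedicated kernel table with XFRM "dir out" selectors.
TABLE=${TABLE:-100} DEV=${DEV:-eth0}   # assumed values, not taken from the thread

# stdin: `ip xfrm policy` output; stdout: dst prefix of every "dir out" policy.
xfrm_out_prefixes() {
    awk '$1 == "src" && $3 == "dst" { dst = $4 }
         $1 == "dir" && $2 == "out" && dst != "" { print dst; dst = "" }' | sort -u
}

# stdin: `ip route show table N` output; stdout: the prefix of each route.
table_prefixes() {
    awk 'NF { print $1 }' | sort -u
}

# plan_sync WANTED CURRENT: print the ip commands that make the table match.
plan_sync() {
    printf '%s\n' "$1" | HAVE="$2" awk -v t="$TABLE" -v d="$DEV" '
        BEGIN { n = split(ENVIRON["HAVE"], h, "\n")
                for (i = 1; i <= n; i++) if (h[i] != "") cur[h[i]] = 1 }
        $0 != "" { want[$0] = 1
                   if (!($0 in cur)) print "ip route replace " $0 " dev " d " table " t }
        END { for (i = 1; i <= n; i++)
                  if (h[i] != "" && !(h[i] in want)) print "ip route del " h[i] " table " t }'
}

# Constructed sample of `ip xfrm policy` output (two tunnels, one socket policy).
sample_policy() {
    cat <<'EOF'
src 10.0.0.0/24 dst 192.168.50.0/24
    dir out priority 2343 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
src 192.168.50.0/24 dst 10.0.0.0/24
    dir in priority 2343 ptype main
src 10.0.0.0/24 dst 192.168.60.0/24
    dir out priority 2343 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
EOF
}

if [ "${1:-}" = "--live" ]; then   # read the real tables (ip xfrm needs root)
    wanted=$(ip xfrm policy | xfrm_out_prefixes)
    current=$(ip route show table "$TABLE" | table_prefixes)
else                               # offline: constructed input, table assumed empty
    wanted=$(sample_policy | xfrm_out_prefixes)
    current=""
fi
plan_sync "$wanted" "$current"
```

Only "dir out" selectors are taken, so inbound, forward and per-socket policies never become routes, and stale prefixes are deleted when a tunnel's policy disappears. On the BIRD side a kernel protocol reading that table with `learn` enabled would pick the routes up.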


