Exporting IPSec routes to OSPF

Simon Dickhoven Simon.Dickhoven at tachyon.com
Mon Jul 8 07:44:41 CEST 2013

As far as I know, strongswan (which is closely related to openswan) installs all IPSec routes in table 220 rather than the main table (254).

So you should be able to create a second kernel protocol instance that connects to kernel table 220 and does:

import all;
export none;

(the default behavior of bird, so no need to specify explicitly)

Or you can create a second routing table in bird, use the kernel protocol to connect the new (bird) table to kernel table 220, and then use the pipe protocol to sync routes between the main (bird) routing table and the second (bird) routing table.

You may need an export filter for the existing kernel protocol instance and reject routes with "source = RTS_PIPE" in order not to copy everything from kernel table 220 to the main kernel table.

Do an

ip rule show

You should see something along the lines of:

220: from all lookup 220

So then do

ip route show table 220

You should see your IPSec routes in there.

I don't know if ipsec-tools work the same way.

- Simon

On Jul 7, 2013, at 21:58, "Michael Ludvig" <mludvig at logix.net.nz> wrote:

> Hi
> I've got a handful of Linux IPsec gateways, some running OpenSwan some
> with ipsec-tools. Each gateway handles a number of tunnels with dozens
> of remote subnets. Unfortunately these remote subnets don't show up in
> the Linux routing table, i.e. "ip route show" only comes up with the
> standard two records for the link subnet and for the default route.
> Obviously bird doesn't see the ipsec routes either.
> Now I've got a script that parses the output of "ip xfrm policy show"
> and exports them as static routes but that involves a manual rebuild
> every time the tunnels change and "birdc configure" to propagate the
> changes.
> Is there any way to automatically export these ipsec routes to OSPF?
> Thanks!
> Michael

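Simon's second variant (separate bird table for kernel table 220, one-way pipe into master, export filter on the existing kernel instance) written out as a bird 1.x configuration. This is an added example, not configuration from Simon, Michael or the bird project. Assumptions: strongSwan puts the tunnel routes in kernel table 220, OSPF runs on eth0, and the router id 192.0.2.1 and the protocol/table names kernel_main, kernel_ipsec, ipsec_to_master and ipsec are made up for the example. The pipe variant is used rather than a second kernel instance on the master table because bird 1.x accepts only one kernel protocol per bird table.

```bird
# Added example configuration (not from the original thread). Assumes bird 1.x,
# strongSwan installing tunnel routes into kernel table 220 and OSPF on eth0.
# Names (kernel_main, kernel_ipsec, ipsec_to_master, ipsec) and the router id
# are invented for this example.

router id 192.0.2.1;

# Second bird table that mirrors kernel table 220.
table ipsec;

# Existing kernel instance for the main kernel table (254). Routes copied in
# from the ipsec table must not be written back out, otherwise every tunnel
# route also lands in the main kernel table.
protocol kernel kernel_main {
    scan time 10;
    export filter {
        # In opaque pipe mode the copied route's source is RTS_PIPE; in
        # transparent mode it keeps the originating protocol's name, so
        # test for both.
        if source = RTS_PIPE || proto = "kernel_ipsec" then reject;
        accept;
    };
}

# Second kernel instance: learn the routes strongSwan installs in kernel
# table 220 and put them into the ipsec bird table. "import all; export none"
# is the default; spelled out to make the one-way flow explicit.
protocol kernel kernel_ipsec {
    table ipsec;
    kernel table 220;
    learn;              # required: these routes are not bird's own
    scan time 10;
    import all;
    export none;
}

# One-way pipe. For a pipe, "import" moves routes from the peer table (ipsec)
# into "table" (master); "export" would move them back and is disabled.
protocol pipe ipsec_to_master {
    table master;
    peer table ipsec;
    import all;
    export none;
}

# Advertise only the tunnel routes to OSPF neighbours (as external routes).
protocol ospf {
    export filter {
        if source = RTS_PIPE || proto = "kernel_ipsec" then accept;
        reject;
    };
    area 0.0.0.0 {
        interface "eth0" {
            hello 10;
        };
    };
}
```

After `birdc configure`, `birdc show route table ipsec` should list the same prefixes as `ip route show table 220`, `birdc show route protocol kernel_ipsec` shows which of them reached the master table, and `ip route show` on the gateway should still not contain them. Because the routes are learned by periodic scanning, a tunnel that comes up or goes down is picked up within one scan interval (10 s above) without any rebuild of static routes.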