Exporting IPSec routes to OSPF

Eugene M. Zheganin emz at norma.perm.ru
Mon Jul 8 08:50:09 CEST 2013


Hi.

On 08.07.2013 10:57, Michael Ludvig wrote:
> I've got a handful of Linux IPsec gateways, some running OpenSwan, some
> with ipsec-tools. Each gateway handles a number of tunnels with dozens
> of remote subnets. Unfortunately these remote subnets don't show up in
> the Linux routing table, i.e. "ip route show" only comes up with the
> standard two records for the link subnet and for the default route.
> Obviously bird doesn't see the ipsec routes either.
>
> Now I've got a script that parses the output of "ip xfrm policy show"
> and exports them as static routes but that involves a manual rebuild
> every time the tunnels change and "birdc configure" to propagate the
> changes.
>
> Is there any way to automatically export these ipsec routes to OSPF?
>
Looks like you're using pure ipsec.
The common approach here is to use ipsec in transport mode (though tunnel
mode will also work) to carry gre or ipinip traffic, so any routing
daemon, including ospf, will work over the gre or ipinip interfaces. The
modern and fancy approach is to use routed ipsec, for example stX
interfaces on JunOS or 'tunnel mode ipsec ipvX' interfaces in Cisco IOS.
I've heard that recent Linux versions have a patch implementing such
interfaces, but since I use FreeBSD and it doesn't have such an ability,
I still use gre interfaces (encrypted with ipsec).

Eugene.
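Michael's workaround (turning `ip xfrm policy show` into BIRD static routes), written out as an added example that is neither his script nor anything from the list. It assumes BIRD 1.x static-route syntax and that the gateway's outer interface is named eth0; the policy dump it parses is constructed.

```python
# Constructed sample of `ip xfrm policy show` output (not from a real
# gateway): two outbound tunnel-mode policies for remote subnets, the
# inbound mirror of one, and a transport-mode host policy.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/16 dst 192.168.5.0/24
	dir out priority 2344
	tmpl src 203.0.113.1 dst 198.51.100.7
		proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 10.1.0.0/16
	dir in priority 2344
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 172.16.40.0/22
	dir out priority 2344
	tmpl src 203.0.113.1 dst 198.51.100.9
		proto esp reqid 2 mode tunnel
src 203.0.113.1/32 dst 198.51.100.20/32
	dir out priority 1000
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 3 mode transport
"""

def parse_xfrm_policies(text):
    """Flatten each selector/dir/template stanza into a dict."""
    policies = []
    for raw in text.splitlines():
        f = raw.split()
        if f[:1] == ["src"]:                       # "src A dst B" starts a policy
            policies.append({"src": f[1], "dst": f[3], "dir": "", "mode": ""})
        elif policies and f[:1] == ["dir"]:
            policies[-1]["dir"] = f[1]
        elif policies and f[:1] == ["proto"] and "mode" in f:
            policies[-1]["mode"] = f[f.index("mode") + 1]
    return policies

def remote_subnets(policies):
    """dst of outbound tunnel-mode policies, minus /0 catch-alls and duplicates."""
    out = []
    for p in policies:
        if (p["dir"] == "out" and p["mode"] == "tunnel"
                and not p["dst"].endswith("/0") and p["dst"] not in out):
            out.append(p["dst"])
    return out

def bird_static_config(subnets, iface):
    """BIRD 1.x 'protocol static' block with interface routes; the kernel's
    xfrm policy still does the encapsulation.  Caveat: the policy table says
    nothing about SA state, so a subnet stays advertised while its tunnel is down."""
    body = "".join(f'    route {s} via "{iface}";\n' for s in subnets)
    return "protocol static ipsec_routes {\n" + body + "}\n"
```

Fed the real `ip xfrm policy show` output, this still needs `birdc configure` after every tunnel change, which is the manual rebuild the GRE-over-IPsec approach avoids.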
