bird and ipsec (strongswan) routes
C. Jon Larsen
jlarsen at richweb.com
Wed Nov 20 17:24:40 CET 2024
On Tue, 19 Nov 2024, Brian C. Hill via Bird-users wrote:
> Hello,
>
> I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably
> with ospf.
ipsecvti is what you want
deb12 with strongswan/swanctl works well
I have swan2swan swan2srx swan2watchguard (cust configured the WG
side) all working well with bird1 and bgp on deb12.
Working on jinja2 templates to automate it all better but manual
config is pretty easy too for small builds.
I use EBGP (with bfd) mostly but ospf should work well too.
> e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B
> net(s), etc..
>
> I couldn't find many posts about the best strategy to use, and the ones did find are many years old, but it
> seems to boil down to these options:
>
> - use a script to migrate xfrm route table (220) to a bird-readable table
>
> - use static routes inside bird
>
> - use vti instead of xfrm
>
> My questions:
>
> 1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but
> nothing gets imported)
>
> 2) What is the strategy that most of you are using now? (as opposed to many years ago)
>
> Thanks!
>
> Brian
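A minimal route-based build of the kind Jon describes (a strongSwan child with marks, a vti device, bird EBGP with BFD), added here as an illustration that is not from the thread or from either poster; all addresses, marks, AS numbers and prefixes are constructed placeholders, and bird 2 syntax is used even though Jon runs bird 1.

```conf
# /etc/swanctl/conf.d/siteb.conf  (constructed example)
connections {
    siteb {
        version      = 2
        local_addrs  = 198.51.100.1      # placeholder: site A public address
        remote_addrs = 203.0.113.1       # placeholder: site B public address
        local  { auth = psk
                 id = sitea }
        remote { auth = psk
                 id = siteb }
        children {
            vti {
                # Route-based VPN: catch-all selectors, routing decides what crosses.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in   = 42           # must match the vti "key" below
                mark_out  = 42
                start_action = start
                dpd_action   = restart
            }
        }
    }
}
secrets {
    ike-siteb { id-1 = sitea
                id-2 = siteb
                secret = "replace-me" }
}

# /etc/strongswan.d/charon.conf fragment: do not let charon install a
# 0.0.0.0/0 route in table 220 for the catch-all selector.
charon { install_routes = no }

# VTI device, key == mark (e.g. from a post-up hook); constructed addresses
# ip link add vti42 type vti local 198.51.100.1 remote 203.0.113.1 key 42
# ip addr add 10.255.0.1/30 dev vti42
# ip link set vti42 up
# sysctl -w net.ipv4.conf.vti42.disable_policy=1
# sysctl -w net.ipv4.conf.vti42.rp_filter=0

# /etc/bird/bird.conf fragment (bird 2), alongside the usual device/kernel protocols
protocol bfd {
    interface "vti*" { interval 300 ms; multiplier 5; };
}
protocol bgp siteb {
    local 10.255.0.1 as 65001;
    neighbor 10.255.0.2 as 65002;
    bfd on;
    ipv4 {
        import where net ~ [ 10.2.0.0/16+ ];   # accept only site B's prefixes
        export where net ~ [ 10.1.0.0/16+ ];   # advertise only site A's prefixes
    };
}
```

With 0.0.0.0/0 traffic selectors the IPsec policy no longer limits which subnets can cross the tunnel, so the BGP import/export filters are the effective access control and should be kept as tight as the site plan allows.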