Exporting IPSec routes to OSPF

Ondrej Zajicek santiago at crfreenet.org
Tue Jul 9 11:26:27 CEST 2013


On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
> Hi Daryl
> 
> Thanks for that. However my problem isn't running OSPF over IPsec
> but instead how to get the IPsec routes from the kernel to bird. From
> there on to OSPF it's trivial. In the first place Bird needs to learn
> the routes somehow...

Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec
transport mode instead of IPsec tunnel mode (and some routing protocol
to announce remote subnets through tunnels), then you would have the
prefixes of remote subnets in routing table instead of XFRM policy table
and therefore you wouldn't even have this problem of how to get prefixes
from XFRM.

But if you already have an infrastructure based on IPsec tunnel mode
then it is probably unreasonable to change it just to be able to read
these subnet prefixes.

BIRD currently does not support importing prefixes from XFRM. Your
approach (generating static routes and reconfiguring) is OK, perhaps a
better idea would be to use another kernel table and create a simple
script that would synchronise that kernel table with XFRM table. BIRD
could learn such routes from that table. Such a script could run very
often (like once per 10 seconds) so you could get more or less
realtime sync.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
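The table-sync script suggested in the reply above, written out as an added example (not code from the thread or from the BIRD project): it pulls the remote subnets of outbound tunnel-mode policies out of `ip xfrm policy` output and mirrors them into a separate kernel routing table that BIRD's kernel protocol can learn from. The table number, gateway, device and the embedded sample policy output are constructed assumptions, as is the quoted BIRD 1.x config fragment.

```shell
#!/bin/sh
# Added example (not from the bird-users thread): copy the remote subnets of
# outbound IPsec tunnel-mode policies into a kernel table BIRD can learn from,
# e.g. "protocol kernel { learn; kernel table 100; }" (BIRD 1.x syntax, assumed).
# Table number, gateway and device are placeholders supplied by the caller.
set -eu
# Print the dst prefix of each outbound tunnel-mode policy in `ip xfrm policy`
# output read on stdin; in/fwd, socket, transport-mode and 0.0.0.0/0 are skipped.
xfrm_remote_prefixes() {
    awk '
    function emit() { if (outdir && tunnel && dst != "0.0.0.0/0") print dst }
    /^src /                { emit(); dst = $4; outdir = 0; tunnel = 0 }
    /^[[:space:]]*dir out/ { outdir = 1 }
    /mode tunnel/          { tunnel = 1 }
    END                    { emit() }'
}

# Make kernel table $1 hold exactly the prefixes read on stdin, via gateway $2
# on device $3 (needs root); stale routes are deleted. Run from cron every ~10s.
sync_xfrm_table() {
    table=$1; gw=$2; dev=$3
    want=$(cat)
    have=$(ip route show table "$table" | awk '{ print $1 }')
    for p in $want; do
        ip route replace "$p" via "$gw" dev "$dev" table "$table" proto static
    done
    for p in $have; do
        printf '%s\n' "$want" | grep -qxF "$p" || ip route del "$p" table "$table"
    done
}
# Constructed sample of `ip xfrm policy` output, used when run without "apply".
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2080 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 2080 ptype main
    tmpl src 192.0.2.1 dst 203.0.113.7
        proto esp reqid 2 mode tunnel
src 192.0.2.1/32 dst 198.51.100.1/32 proto gre
    dir out priority 2080 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 3 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main'
case "${1:-}" in
    apply) ip xfrm policy | xfrm_remote_prefixes \
               | sync_xfrm_table "${2:?TABLE}" "${3:?GATEWAY}" "${4:?DEV}" ;;
    *)     printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_remote_prefixes ;;
esac
```

Without arguments the script only parses the embedded sample (printing 10.2.0.0/24 and 10.3.0.0/24, skipping the transport-mode GRE and socket policies); `sync-xfrm-routes.sh apply 100 <gateway> <wan-device>` performs the live sync.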