Exporting IPSec routes to OSPF

Ruben Laban r.laban+lists at ism.nl
Wed Jul 10 09:39:01 CEST 2013


Hi Michael,

On 7/8/2013 6:57 AM, Michael Ludvig wrote:
> I've got a handful of Linux IPsec gateways, some running OpenSwan some
> with ipsec-tools. Each gateway handles a number of tunnels with dozens
> of remote subnets. Unfortunately these remote subnets don't show up in
> the Linux routing table, i.e. "ip route show" only comes up with the
> standard two records for the link subnet and for the default route.
> Obviously bird doesn't see the ipsec routes either.
>
> Now I've got a script that parses the output of "ip xfrm policy show"
> and exports them as static routes but that involves a manual rebuild
> every time the tunnels change and "birdc configure" to propagate the
> changes.
>
> Is there any way to automatically export these ipsec routes to OSPF?

The way I do it is by using Openswan and the KLIPS stack (the IPsec 
stack that was present in 2.4.x kernels, and available as an out-of-tree 
build-able kernel module on later (2.6.x and 3.x.y) versions). With the 
KLIPS stack you do get routes for your VPNs in your routing table. Those 
routes can then be picked up by bird. The only "trick" I had to use is 
telling Openswan to use "proto static" when adding routes to the routing 
table.

Regards,
Ruben Laban
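
The script approach from the quoted question (parse `ip xfrm policy show`, export the remote subnets as static routes for bird), as an added example that is not code from either poster. It rewrites the config only when the tunnel set changes, so `birdc configure` can be run from cron or a tunnel up/down hook only when needed. Assumptions: the policy sample is constructed, the interface name `eth0` and protocol name `ipsec_routes` are hypothetical, and the output uses BIRD 1.x static syntax (BIRD 2 additionally needs a channel line such as `ipv4;`).

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy show` output (not from a real gateway).
SAMPLE = """\
src 10.1.0.0/16 dst 192.168.10.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 16385 mode tunnel
src 192.168.10.0/24 dst 10.1.0.0/16
    dir in priority 2344 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 192.168.20.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.9
        proto esp reqid 16389 mode tunnel
"""
SELECTOR = re.compile(r"^src (\S+) dst (\S+)")  # unindented selector line

def tunnel_prefixes(policy_text):
    """Return the sorted remote prefixes of outbound tunnel-mode policies."""
    prefixes, dst, outbound = set(), None, False
    for line in policy_text.splitlines():
        m = SELECTOR.match(line)
        if m:  # a selector line starts a new policy record
            dst, outbound = ipaddress.ip_network(m.group(2)), False
        elif line.split()[:2] == ["dir", "out"]:
            outbound = True
        elif "mode tunnel" in line and outbound and dst.prefixlen > 0:
            prefixes.add(dst)  # never export a default-route selector
    return sorted(prefixes, key=lambda n: (n.version, n))

def bird_static(prefixes, iface, name="ipsec_routes"):
    """Render a BIRD 1.x static protocol block (iface/name are assumptions)."""
    lines = [f"protocol static {name} {{"]
    lines += [f'    route {p} via "{iface}";' for p in prefixes]
    return "\n".join(lines + ["}"]) + "\n"

def update_config(path, text):
    """Write text to path only if it differs; True means bird needs a reload."""
    try:
        with open(path) as fh:
            if fh.read() == text:
                return False
    except FileNotFoundError:
        pass
    with open(path, "w") as fh:
        fh.write(text)
    return True
```

On a gateway the input would come from running `ip xfrm policy show` rather than `SAMPLE`, and `birdc configure` would be invoked only when `update_config` returns `True`.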



