More IPSEC routes for OSPF

Iain Buchanan iainbuc at gmail.com
Sun Nov 10 16:35:44 CET 2013


Hi,

I've a question about getting OpenSWAN and Bird routing working together.
Hopefully someone here can point me in the right direction!

There was an email from Michael Ludvig on the 8th July 2013 about exporting
IPSEC routes for OSPF usage.  The conclusion seemed to be that Bird can’t
read the routes set up by OpenSWAN, and the only solution is to have a
script running that exports the routes for Bird’s use into a separate table.

I’m in pretty much the same position.  I’ve tried Ondrej Zajicek’s
suggestion of using transport mode IPSEC links, but this doesn’t seem to
create visible routes (I’m using the netkey stack, which may be the issue).
At the moment I’ve got GRE tunnels working on top of the IPSEC links, and
if I enable debugging mode I can see instances of Bird communicating with
one another over them (but not sending any of the OpenSWAN link
information).

I’d like to try and create routes that Bird can read, but I’m not certain
how to extract the routing information nicely.  (Part of the problem may be
that the IPSEC links go through VPNs.)  If I do an “ip xfrm policy” the
output only refers to the gateways (i.e. where the NAT takes place), not
the machines that I want to gain access to.

I think what I need is a route saying “for remote_network/mask use the
default route on this machine”.  This could be written to a dedicated
routing table which bird would read and send on.  I’m guessing packets
would then turn up and be processed by the xfrm rules and head on through
the tunnel.  It looks like the way to do this is to have a little service
running that will regularly:

(1) parse output from “ip route” to determine the default route
(2) parse output from “ip address” to determine the set of local IP
addresses
(3) parse output from “ipsec auto status” looking for any of the “network
diagram” lines that show the connectivity where one end or the other goes
through a local IP address
(4) update the routing table with calls to "ip route"
(5) somehow prod Bird so that it reads the table

I hope I’ve horribly over-complicated things and there’s an easier way to
do this…  does this sound like the way to go?

Iain
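An added sketch of steps (1) to (5) above, written for this thread rather than taken from it: it parses constructed sample output in the style of "ip route", "ip address" and Openswan's "ipsec auto status" network-diagram lines, and emits the "ip route ... table N" commands for remote subnets of erouted connections that terminate on a local address. The table number 100, the connection-line layout (subnets present on both ends) and the BIRD kernel-protocol options in the final comment are assumptions.

```python
import re
import subprocess

ROUTE_TABLE = 100  # assumed dedicated kernel table that BIRD's kernel protocol reads

# Constructed sample output (not captured from any real host) in the style of
# "ip route", "ip address" and Openswan "ipsec auto status".
IP_ROUTE = "default via 192.168.1.1 dev eth0 proto static\n192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10\n"
IP_ADDRESS = "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500\n    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\n"
IPSEC_STATUS = (
    '000 "site-b": 10.0.1.0/24===192.168.1.10<192.168.1.10>[+S=C]...203.0.113.1<203.0.113.1>[+S=C]===10.0.2.0/24; erouted; eroute owner: #2\n'
    '000 "site-c": 10.0.1.0/24===192.168.1.10<192.168.1.10>...198.51.100.7<198.51.100.7>===10.0.3.0/24; unrouted; eroute owner: #0\n'
    '000 "other": 172.16.0.0/16===10.9.9.9<10.9.9.9>...203.0.113.1<203.0.113.1>===172.17.0.0/16; erouted; eroute owner: #4\n'
)

# leftsubnet===lefthost<id>[flags]...righthost<id>[flags]===rightsubnet; state
STATUS_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<lsub>[\d./]+)===(?P<lhost>[\d.]+)<.*?\.\.\.'
                       r'(?P<rhost>[\d.]+)<.*?===(?P<rsub>[\d./]+);\s*(?P<state>\w+)')

def parse_default_route(text):
    """Step 1: (gateway, device) of the default route, or None if there is none."""
    m = re.search(r"^default via (\S+) dev (\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else None

def parse_local_addrs(text):
    """Step 2: set of local IPv4 addresses taken from 'ip address'."""
    return set(re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/", text, re.M))

def parse_ipsec_status(text):
    """Step 3: one dict per network-diagram line; other status lines are ignored."""
    return [m.groupdict() for m in (STATUS_RE.match(line) for line in text.splitlines()) if m]

def remote_subnets(conns, local_addrs):
    """Remote subnets of erouted connections where one end is a local address."""
    nets = set()
    for c in conns:
        if c["state"] != "erouted":
            continue  # unrouted/orphaned connections get no route
        if c["lhost"] in local_addrs:
            nets.add(c["rsub"])
        elif c["rhost"] in local_addrs:
            nets.add(c["lsub"])
    return sorted(nets)

def route_commands(ip_route, ip_address, ipsec_status, table=ROUTE_TABLE):
    """Step 4: point each remote subnet at the default gateway inside the dedicated table."""
    gw = parse_default_route(ip_route)
    if gw is None:
        return []
    nets = remote_subnets(parse_ipsec_status(ipsec_status), parse_local_addrs(ip_address))
    return ["ip route replace %s via %s dev %s table %d" % (n, gw[0], gw[1], table) for n in nets]

def sync(table=ROUTE_TABLE):
    """Live variant: run the three commands on this host and apply the resulting routes."""
    run = lambda cmd: subprocess.check_output(cmd.split()).decode()
    for cmd in route_commands(run("ip route"), run("ip address"), run("ipsec auto status"), table):
        subprocess.check_call(cmd.split())
    # Step 5 (assumed BIRD config): protocol kernel { kernel table 100; learn; scan time 10; }
```

Running sync() from cron or a loop keeps the table current; with "learn" and a short "scan time" the kernel protocol re-reads the table on its own, so no explicit prod is needed.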