bird and ipsec (strongswan) routes
Alexander Zubkov
green at qrator.net
Wed Nov 20 09:14:53 CET 2024
Hi Brian,
When I did something like that, I didn't even dig so deep as to wed ipsec
tunnel policies with routing. IMHO it might work, but could hit you in an
unexpected way. The option with vti looks more straightforward to me -
those guys live separately and do not harm each other. I.e., ipsec does its
job with securing the tunnel, and routing is done over the usual interface
with no hidden pitfalls.
Regards,
Alexander
On Wed, Nov 20, 2024 at 6:48 AM Brian C. Hill via Bird-users <bird-users at network.cz> wrote:
> Hello,
>
> I want to use bird to mutually propagate routes throughout several sites
> connected with vpn gateways, probably with ospf.
>
> e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <->
> site B vpn gateway <-> hosts site B net(s), etc..
>
> I couldn't find many posts about the best strategy to use, and the ones I
> did find are many years old, but it seems to boil down to these options:
>
> • use a script to migrate xfrm route table (220) to a bird-readable table
>
> • use static routes inside bird
>
> • use vti instead of xfrm
>
> My questions:
>
> 1) Is it still the case that bird cannot read directly from the xfrm table?
> (I tried this with a pipe config but nothing gets imported)
>
> 2) What is the strategy that most of you are using now? (as opposed to
> many years ago)
>
> Thanks!
>
> Brian
>
>
>
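As an added example, not taken from the thread and not strongSwan's or BIRD's own documentation: a shell script that wires up the route-based design Alexander recommends, with IPsec securing a VTI and BIRD running OSPF over it as an ordinary point-to-point interface. Everything specific is an assumption chosen for illustration: the addresses, the VTI key and child-SA mark value 42, the connection name "siteB", the placeholder PSK, eth0 as the site LAN, and the config file paths. The script only renders the configs unless invoked with `apply`, which needs root.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan's or BIRD's own files):
# the VTI design from the reply above. IPsec secures the tunnel, BIRD routes
# over the vti interface. Addresses, key/mark 42, "siteB", the PSK and the
# file paths are assumptions for illustration.
set -eu

VTI_IF=vti0
VTI_KEY=42                  # VTI key; must equal mark_in/mark_out on the child SA
LOCAL_WAN=198.51.100.1      # assumed: this gateway's public address
REMOTE_WAN=203.0.113.1      # assumed: peer gateway's public address
VTI_LOCAL=10.255.0.1        # assumed: /30 point-to-point tunnel addresses
VTI_REMOTE=10.255.0.2

# Kernel side. disable_policy stops a second XFRM policy lookup on packets that
# arrive through the VTI; rp_filter=0 lets OSPF hellos from the peer's tunnel
# address in even though the WAN route to the peer points elsewhere.
vti_create() {
    ip link add "$VTI_IF" type vti key "$VTI_KEY" \
        local "$LOCAL_WAN" remote "$REMOTE_WAN"
    sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    ip addr add "$VTI_LOCAL/30" dev "$VTI_IF"
    ip link set "$VTI_IF" up
}

# strongswan.conf: charon must not install its own routes (table 220), so BIRD
# is the only writer of routes and nothing has to be migrated out of 220.
render_strongswan_conf() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# swanctl.conf: a 0/0<->0/0 child SA whose mark equals the VTI key. Selectors
# are wide open on purpose: routing, not the policy, decides what is tunnelled.
render_swanctl_conf() {
    cat <<EOF
connections {
    siteB {
        local_addrs  = $LOCAL_WAN
        remote_addrs = $REMOTE_WAN
        local  { auth = psk }
        remote { auth = psk }
        children {
            vti {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in  = $VTI_KEY
                mark_out = $VTI_KEY
                start_action = start
            }
        }
    }
}
secrets {
    ike-siteB {
        id = $REMOTE_WAN
        secret = "REPLACE-ME"   # placeholder PSK (assumed)
    }
}
EOF
}

# bird.conf: OSPF point-to-point over every vti*, the site LAN as a stub
# network, and the kernel protocol pushing learned routes into the main table.
render_bird_conf() {
    cat <<EOF
router id $VTI_LOCAL;

protocol device { }

protocol kernel {
    ipv4 { export all; };
}

protocol ospf v2 {
    ipv4 { import all; export all; };
    area 0 {
        interface "vti*" { type ptp; };
        interface "eth0" { stub yes; };
    };
}
EOF
}

# Pre-flight check: the child-SA mark and the VTI key must agree, otherwise
# packets sent out the VTI never match the SA's policy and are dropped.
vti_mark_matches_key() {
    mark=$(render_swanctl_conf | sed -n 's/^[[:space:]]*mark_out[[:space:]]*=[[:space:]]*//p')
    [ "$mark" = "$VTI_KEY" ]
}

if [ "${1:-}" = apply ]; then
    vti_mark_matches_key
    vti_create
    render_strongswan_conf > /etc/strongswan.d/vti.conf
    render_swanctl_conf    > /etc/swanctl/conf.d/siteB.conf
    render_bird_conf       > /etc/bird/bird.conf
    swanctl --load-all
    birdc configure
fi
```

The peer runs the same script with the two WAN addresses and the two tunnel addresses swapped and the same key. For the hub-and-spoke layout in the question, the concentrator gets one vti interface per site, each with its own key and a child SA carrying the matching mark; the `interface "vti*"` pattern then picks all of them up without further BIRD changes. OSPF's hello and dead timers, not IKE, will decide how fast a site is withdrawn when its tunnel goes down, so size them with that in mind.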