bird and ipsec (strongswan) routes

Grant Taylor gtaylor at tnetconsulting.net
Wed Nov 20 17:25:49 CET 2024


On 11/19/24 11:35 PM, Brian C. Hill via Bird-users wrote:
> Hello,

Hi,

Pre-script, this touches on multiple things that I'm interested in and / 
or actively working on, so I'm going to throw my hat into the ring.  But 
I could be so far off the mark that it's not even remotely funny.

> I want to use bird to mutually propagate routes throughout several sites 
> connected with vpn gateways, probably with ospf.

Okay,

>      e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' 
> <-> site B vpn gateway <-> hosts site B net(s), etc..

ACK

> I couldn't find many posts about the best strategy to use, and the ones 
> I did find are many years old, but it seems to boil down to these options:
> 
>     • use a script to migrate xfrm route table (220) to a bird-readable
>     table

The last time I worked with bird and multiple routing tables, I found 
that I could choose what routing table I wanted bird to look at / work with.

Though admittedly I did eventually end up using an additional routing 
table for some reason other than bird's ability to see into it.  I think 
it had to do with state and complications like too many cooks in the 
kitchen.

>     • use static routes inside bird

:-/

>     • use vti instead of xfrm

You mention OSPF, so I'll ask, how are you going to establish an OSPF 
adjacency without an L2 tunnel between the VPN gateway(s) and the VPN 
concentrator?  Won't OSPF alone sort of necessitate the VTI -or- another 
tunnel (GRE?) that is itself protected by IPsec?

> My questions:
> 
> 1) Is it still the case that bird cannot read directly from the xfrm 
> table? (I tried this with a pipe config but nothing gets imported)

I believe that bird can be made to work with whatever routing table ID 
you want.

I thought that xfrm could also be made to work with whatever routing 
table ID you want.

There seems like a lot of flexibility and capability here.  Though the 
question may be more "should you" and less "can you".

> 2) What is the strategy that most of you are using now? (as opposed to 
> many years ago)

I'm wanting to not use VTIs for a project that I'm working on, but I'm 
suspecting that I'm going to have my hand forced to VTIs for various 
reasons; e.g. iptables conditionally altering behavior based on an 
interface (VTI) state.

> Thanks!

You're welcome.

I'd be very curious to learn more about what you're doing to see if it 
will help me in what I'm doing.  :-)
-- 
Grant. . . .
unix || die
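An added configuration example, not from either poster, showing the "bird can be pointed at whatever routing table ID you want" approach from the reply applied to question 1: a bird 2.x kernel protocol bound to table 220 (the table strongSwan's charon installs its IPsec routes into by default), kept in a separate bird table and filtered through a pipe before anything reaches OSPF. The protocol and table names, the 192.0.2.1 router ID, the 10.0.0.0/8 remote-site range and the "eth0" interface are all assumptions; it does not settle the adjacency question raised above, since OSPF still needs a tunnel interface to peer over.

```conf
# Added example (not from the thread): bird 2.x fragment that learns routes
# from Linux routing table 220, where strongSwan's charon installs IPsec
# routes by default, and keeps them in their own bird table so they can be
# filtered before being redistributed into OSPF.
# Names, prefixes, router ID and interface below are assumptions.

router id 192.0.2.1;            # assumed router ID (documentation prefix)

# Assumed prefixes reachable through the VPN (remote-site networks)
define remote_sites = [ 10.0.0.0/8{16,24} ];

# Internal table holding only routes learned from the xfrm/IPsec kernel table
ipv4 table xfrm4;

# Kernel protocol bound to table 220 instead of the main table.
# "learn" lets bird import routes it did not install itself (charon's).
protocol kernel k_xfrm {
    kernel table 220;
    learn;
    scan time 10;               # re-scan table 220 every 10 seconds
    ipv4 {
        table xfrm4;
        import all;             # take everything charon put into 220
        export none;            # never write bird routes back into 220
    };
}

# Pipe only the expected remote-site prefixes from xfrm4 into master4.
protocol pipe p_xfrm {
    table master4;
    peer table xfrm4;
    import filter {
        if net ~ remote_sites then accept;
        reject;                 # drop host/policy routes that don't match
    };
    export none;
}

# Main-table kernel protocol. The piped prefixes already resolve via the
# ip rule that points at table 220, so don't install duplicates in main.
protocol kernel k_main {
    ipv4 { export where net !~ remote_sites; };
}

protocol device { }

# OSPF redistributes only the piped IPsec prefixes to the other sites.
# The adjacency itself still needs a tunnel interface (VTI, GRE, ...)
# between the gateways; "eth0" here is an assumed placeholder.
protocol ospf v2 o_sites {
    ipv4 { export where net ~ remote_sites; };
    area 0 {
        interface "eth0" { };
    };
}
```

Check the result with `birdc show route table xfrm4` (what was learned from 220) and `birdc show route table master4 where net ~ remote_sites` (what survived the pipe filter); if the first is empty, bird is not seeing table 220 at all and the kernel protocol binding is the thing to fix, not the pipe.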