bird and ipsec (strongswan) routes
Thomas Liske
liske at ibh.de
Thu Nov 21 13:57:23 CET 2024
Hi,
I prefer to use XFRM interfaces on Linux. You get a dedicated
interface for each site where you can use any static or dynamic (L3-
based -- did you consider using eBGP between your sites?) routing
setup. You can configure it like a VTI while not being a VTI ;-)
When using strongSwan you need to use swanctl instead of the classic
ipsec.conf configuration. The XFRM interface is referenced from
strongSwan by an XFRM interface ID (ip link: if_id | swanctl: if_id_in +
if_id_out).
And once you have a dedicated XFRM interface you can move it into a VRF
or a netns ;-)
Regards,
Thomas
On Tue, 2024-11-19 at 21:35 -0800, Brian C. Hill via Bird-users wrote:
> Hello,
>
> I want to use bird to mutually propagate routes throughout several
> sites connected with vpn gateways, probably with ospf.
>
> e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator'
> <-> site B vpn gateway <-> hosts site B net(s), etc..
>
> I couldn't find many posts about the best strategy to use, and the
> ones I did find are many years old, but it seems to boil down to these
> options:
>
>
> > • use a script to migrate xfrm route table (220) to a bird-readable
> > table
> >
> > • use static routes inside bird
> >
> > • use vti instead of xfrm
> >
> My questions:
>
> 1) Is it still the case that bird cannot read directly from the xfrm
> table? (I tried this with a pipe config but nothing gets imported)
>
> 2) What is the strategy that most of you are using now? (as opposed
> to many years ago)
>
> Thanks!
>
> Brian
>
>
>
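The setup Thomas describes, as an added example that is not code from either list post: one XFRM interface per remote site, created with `ip link ... type xfrm` and tied to its swanctl connection through the same if_id (`if_id` on the link, `if_id_in`/`if_id_out` in swanctl.conf), so that ordinary kernel routes, static or learned by bird's OSPF, can simply point at `ipsec-<site>`. The site table, the site names, the if_ids, the peer addresses and the underlay device `eth0` are constructed sample data; the strongswan.conf fragment (`charon.install_routes = no`) is included because, once the routing daemon owns the routes, charon's own table-220 routes are no longer wanted.

```shell
#!/bin/sh
# Added example, not code from the list post: one XFRM interface per remote
# site, with the same if_id used for `ip link ... type xfrm` and for the
# swanctl connection (if_id_in/if_id_out), so each site's traffic shows up on
# its own interface and plain kernel routes (static or OSPF via bird) can
# point at it. The site table, names, if_ids and peer addresses are
# constructed sample data; the underlay device defaults to eth0.

UNDERLAY_DEV="${UNDERLAY_DEV:-eth0}"

# site  if_id  peer-address   (constructed inventory; if_id must be unique)
SITES='
siteB 42 203.0.113.2
siteC 43 203.0.113.3
'

# ip(8) commands for one site. Printed instead of executed so this runs
# without root; on the gateway, pipe the output into sh.
xfrm_link_cmds() {
  printf 'ip link add ipsec-%s type xfrm dev %s if_id %s\n' "$1" "$UNDERLAY_DEV" "$2"
  printf 'ip link set ipsec-%s up\n' "$1"
}

# swanctl.conf connection for one site. The 0.0.0.0/0 traffic selectors make
# the policy match whatever the kernel routes via ipsec-<site>, so prefixes
# learned later by OSPF need no policy change. Authentication is PSK here;
# the secrets section is site-specific and left out.
swanctl_conn() {
  cat <<EOF
connections {
    $1 {
        remote_addrs = $3
        if_id_in = $2
        if_id_out = $2
        local { auth = psk }
        remote { auth = psk }
        children {
            $1 {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
EOF
}

# strongswan.conf: stop charon from adding its own routes to table 220;
# with XFRM interfaces the routing daemon owns the routes.
charon_conf() {
  printf 'charon {\n    install_routes = no\n}\n'
}

# bird 2 OSPF stanza: every ipsec-* interface is a point-to-point link.
bird_ospf() {
  cat <<'EOF'
protocol ospf v2 sites {
    ipv4 { import all; export all; };
    area 0 {
        interface "ipsec-*" { type ptp; };
    };
}
EOF
}

# Two sites on the same if_id would share one interface; refuse that.
unique_if_ids() {
  dups=$(printf '%s\n' "$1" | awk 'NF { print $2 }' | sort | uniq -d)
  [ -z "$dups" ]
}

generate_all() {
  charon_conf
  printf '%s\n' "$SITES" | while read -r site if_id peer; do
    [ -n "$site" ] || continue
    xfrm_link_cmds "$site" "$if_id"
    swanctl_conn "$site" "$if_id" "$peer"
  done
  bird_ospf
}

if unique_if_ids "$SITES"; then
  generate_all
else
  echo "duplicate if_id in site table" >&2
fi
```

Run it once to review the generated `ip` commands, swanctl connection blocks, strongswan.conf fragment and bird stanza, then apply them on the gateway. Moving an interface into a VRF, as Thomas mentions, is one more `ip link set ipsec-siteB master <vrf>` after the link exists (VRF name assumed); with the wildcard traffic selectors above, the only thing that decides which site a packet goes to is the kernel route pointing at `ipsec-<site>`.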