On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
> Hi Daryl
>
> Thanks for that. However my problem isn't running OSPF over IPsec but instead how to get the IPsec routes from the kernel to bird. From there on to OSPF it's trivial. In the first place Bird needs to learn the routes somehow...

Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec transport mode instead of IPsec tunnel mode (and some routing protocol to announce remote subnets through tunnels), then you would have the prefixes of remote subnets in routing table instead of XFRM policy table and therefore you wouldn't even have this problem of how to get prefixes from XFRM.

But if you already have an infrastructure based on IPsec tunnel mode then it is probably unreasonable to change it just to be able to read these subnet prefixes.

BIRD currently does not support importing prefixes from XFRM. Your approach (generating static routes and reconfiguring) is OK, perhaps a better idea would be to use another kernel table and create a simple script that would synchronise that kernel table with XFRM table. BIRD could learn such routes from that table. Such a script could run very often (like once per 10 seconds) so you could get more or less realtime sync.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
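
The synchronisation script suggested in the reply above, sketched as an added example; it is not part of the original thread or of BIRD. The table number, the interface name, the function names and the sample policy dump are assumptions made up for illustration.

```shell
# Added example: mirror IPsec tunnel-mode policy selectors into a spare kernel
# routing table so a routing daemon can read them from there.
TABLE=${TABLE:-100}   # assumption: an otherwise unused kernel table number
DEV=${DEV:-eth0}      # assumption: interface facing the IPsec peers

# stdin: `ip xfrm policy` output; stdout: dst prefixes of outbound tunnel policies.
xfrm_out_prefixes() {
    awk '
        function emit() {  # skip IPv6 and 0.0.0.0/0; ip route prints /32 bare
            if (dst == "" || !out || !tun || dst ~ /:/ || dst == "0.0.0.0/0") return
            sub(/\/32$/, "", dst); print dst
        }
        $1 == "src" && $3 == "dst" { emit(); dst = $4; out = 0; tun = 0; next }
        $1 == "dir"                { out = ($2 == "out") }
        /mode tunnel/              { tun = 1 }
        END                        { emit() }
    ' | sort -u
}

# Print the lines of $1 that are absent from $2 (newline-separated lists).
missing() {
    printf '%s\n' "$1" | while read -r p; do
        [ -z "$p" ] || printf '%s\n' "$2" | grep -qxF -- "$p" || echo "$p"
    done
}

# $1: prefixes wanted, $2: prefixes now in the table; stdout: ip(8) commands.
plan_sync() {
    missing "$1" "$2" | sed "s|.*|ip route add & dev $DEV table $TABLE|"
    missing "$2" "$1" | sed "s|.*|ip route del & table $TABLE|"
}

sample_policy() {   # constructed `ip xfrm policy` output for offline runs
    cat <<'EOF'
src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2883 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2883 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
EOF
}

if [ "${1:-}" = apply ]; then   # one pass against the live system
    plan_sync "$(ip xfrm policy | xfrm_out_prefixes)" \
        "$(ip route show table "$TABLE" 2>/dev/null | awk '{print $1}')" | sh -e
fi
```

The kernel does not consult a separate table for forwarding unless an `ip rule` points at it, so the mirrored routes are visible only to whatever reads that table.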