Hi,

I prefer to use XFRM interfaces on Linux. You get a dedicated interface for each site where you can use any static or dynamic (L3-based -- did you consider using eBGP between your sites?) routing setup. You can configure it like a VTI while not being a VTI ;-)

When using StrongSwan you need to use swanctl instead of the classic ipsec.conf configuration. The XFRM interface is referenced from StrongSwan by an XFRM interface ID (ip link: if_id | swanctl: if_id_in + if_id_out).

And once you have a dedicated XFRM interface you can move it into a VRF or a netns ;-)

Regards,
Thomas

On Tue, 2024-11-19 at 21:35 -0800, Brian C. Hill via Bird-users wrote:
Hello,

I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf, e.g.

site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc.

I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:

• use a script to migrate xfrm route table (220) to a bird-readable table
• use static routes inside bird
• use vti instead of xfrm

My questions:

1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
2) What is the strategy that most of you are using now? (as opposed to many years ago)

Thanks!
Brian
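The XFRM-interface approach from Thomas's reply, written out as an added example (not from the thread or from the StrongSwan/BIRD projects): one XFRM interface per remote site, created with ip(8) and tied to StrongSwan through the same interface ID used as swanctl's if_id_in/if_id_out, then handed to BIRD as an OSPF point-to-point link. Interface name ipsec-siteb, if_id 42, underlay eth0, the 10.255.0.0/31 link address and the peer address are all assumed, and the swanctl fragment omits the authentication section.

```shell
#!/bin/sh
# Added example: per-site XFRM interface + swanctl + bird fragments.
# All names, IDs and addresses below are illustrative assumptions.
: "${DRY_RUN:=1}"   # DRY_RUN=0 runs the ip(8) commands for real (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Create the XFRM interface; its if_id must match swanctl's if_id_in/if_id_out.
# No xfrm policy routing is involved: what leaves via this interface gets
# encrypted by the SA carrying the same ID, so ordinary routing decides traffic.
xfrm_if_create() {
    name=$1; ifid=$2; dev=$3; addr=$4
    run ip link add "$name" type xfrm dev "$dev" if_id "$ifid"
    run ip addr add "$addr" dev "$name"
    run ip link set "$name" up
}

# swanctl.conf connection fragment binding the SA to that interface ID.
swanctl_fragment() {
    name=$1; ifid=$2; peer=$3
    cat <<EOF
connections {
    $name {
        remote_addrs = $peer
        if_id_in = $ifid
        if_id_out = $ifid
        children {
            $name {
                # wide selectors: the route table, not the policy, selects traffic
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
EOF
}

# bird.conf fragment: OSPF only over the ipsec-* interfaces, as ptp links,
# so table 220 never needs to be copied into bird.
bird_fragment() {
    cat <<EOF
protocol ospf v2 sites {
    ipv4 { import all; export all; };
    area 0 {
        interface "ipsec-*" { type ptp; };
    };
}
EOF
}

xfrm_if_create ipsec-siteb 42 eth0 10.255.0.0/31
```

Run with DRY_RUN=1 (the default) to print the ip(8) commands, then pipe `swanctl_fragment siteb 42 <peer>` and `bird_fragment` into the respective config files.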