On 09/07/13 21:26, Ondrej Zajicek wrote:
> On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
>> Hi Daryl
>> Thanks for that. However, my problem isn't running OSPF over IPsec but instead how to get the IPsec routes from the kernel to bird. From there on to OSPF it's trivial. In the first place Bird needs to learn the routes somehow...
>
> Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec transport mode instead of IPsec tunnel mode (and some routing protocol to announce remote subnets through tunnels), then you would have the prefixes of remote subnets in the routing table instead of the XFRM policy table and therefore you wouldn't even have this problem of how to get prefixes from XFRM.

Unfortunately that's not an option. The remote endpoints are our clients' and business partners' gear, all sorts of HW gateways - Cisco, Juniper, Amazon AWS VPC, Who-Knows-What - and I have no control over them. We're stuck with plain IPsec.

> BIRD currently does not support importing prefixes from XFRM. Your approach (generating static routes and reconfiguring) is OK; perhaps a better idea would be to use another kernel table and create a simple script that would synchronise that kernel table with the XFRM table. BIRD could learn such routes from that table. Such a script could run very often (like once per 10 seconds) so you could get more or less realtime sync.
That's a good idea, will do that. Thanks! Michael
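The sync script Ondrej sketches above, written out as an added example (it is not code from the thread, from BIRD or from iproute2): it reads the text output of `ip xfrm policy`, keeps the destination selector of every outbound tunnel-mode policy, and makes a separate kernel table hold exactly that set of prefixes, which BIRD then picks up with `protocol kernel { kernel table 100; learn; import all; export none; }` (BIRD 1.x syntax; BIRD 2 puts the import/export inside an `ipv4 { }` channel). The table number 100, the device `eth0` and the sample policy dump are assumptions made up for the example; the parsing relies on the line layout `ip xfrm policy` has printed for years but is worth checking against your own iproute2 version.

```shell
#!/bin/sh
# Added example, not BIRD's or the thread's code: mirror the remote prefixes
# of tunnel-mode IPsec policies from the XFRM policy database into a separate
# kernel routing table, so that BIRD can 'learn' them from that table.
# Assumptions: table 100, device eth0 and the sample dump below are invented
# for the example; override the first two through the environment.

XFRM_TABLE="${XFRM_TABLE:-100}"   # kernel table BIRD learns from (assumed)
XFRM_DEV="${XFRM_DEV:-eth0}"      # device the synthetic routes point at (assumed)

# Constructed sample of `ip xfrm policy` output: two tunnel-mode peers with
# their in/fwd counterparts, one transport-mode host policy and a catch-all.
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 192.168.50.0/24
    dir out priority 2080 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.1.0.0/24
    dir fwd priority 2080 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.1.0.0/24
    dir in priority 2080 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.16.8.0/22
    dir out priority 2080 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.30
        proto esp reqid 2 mode tunnel
src 203.0.113.10/32 dst 203.0.113.11/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 3 mode transport
src 10.1.0.0/24 dst 0.0.0.0/0
    dir out priority 2080 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.40
        proto esp reqid 4 mode tunnel'

# Read `ip xfrm policy` text on stdin and print one remote prefix per line.
# Only the dst of a 'dir out' policy with a 'mode tunnel' template counts:
# in/fwd and socket policies do not describe a remote subnet, transport mode
# has no remote subnet at all, and a 0.0.0.0/0 (or ::/0) selector is dropped
# on purpose so a catch-all policy can never turn into an advertised default.
xfrm_out_prefixes() {
    awk '
        $1 == "src"                { dst = $4; out = 0 }
        $1 == "dir" && $2 == "out" { out = 1 }
        /mode tunnel/ && out && dst != "" && dst != "0.0.0.0/0" && dst != "::/0" {
            print dst; dst = ""
        }
    ' | sort -u
}

# Print the ip(8) commands that make the table hold exactly the desired set.
# $1 = desired prefixes, $2 = prefixes currently in the table (whitespace
# separated). 'replace' is idempotent, so running this every 10 s is cheap,
# and anything the XFRM database no longer knows about is withdrawn.
route_sync_commands() {
    desired=" $(printf '%s ' $1)"
    for p in $1; do
        echo "ip route replace $p dev $XFRM_DEV table $XFRM_TABLE"
    done
    for p in $2; do
        case "$desired" in
            *" $p "*) ;;
            *) echo "ip route del $p table $XFRM_TABLE" ;;
        esac
    done
}

# Prefixes currently in the table, normalised to CIDR so they compare equal
# to XFRM selectors (ip prints host routes without the /32).
current_table_prefixes() {
    ip -4 route show table "$XFRM_TABLE" |
        awk '$1 != "default" { p = $1; if (p !~ /\//) p = p "/32"; print p }'
}

main() {
    desired=$(ip xfrm policy | xfrm_out_prefixes)
    current=$(current_table_prefixes)
    route_sync_commands "$desired" "$current" | sh -e
}

# Only touch the kernel when asked explicitly: `sh xfrm-sync.sh run`
case "${1:-}" in run) main ;; esac
```

Run it as root from a loop (`while :; do sh xfrm-sync.sh run; sleep 10; done`) or a cron/systemd timer. Nothing is forwarded via table 100 unless an `ip rule` points at it, so the table is purely a feed for BIRD and the XFRM policies keep deciding what gets encrypted. Whatever ends up in that table (and, via BIRD, in OSPF) is exactly what the local IKE daemon installed as traffic selectors, so the catch-all filter in `xfrm_out_prefixes` matters: a peer whose negotiated selector narrows down to 0.0.0.0/0 should not become your default route.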