Hi

I've got a handful of Linux IPsec gateways, some running OpenSwan, some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.

Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes, but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.

Is there any way to automatically export these ipsec routes to OSPF?

Thanks!
Michael
As far as I know, strongswan (which is closely related to openswan) installs all IPSec routes in table 220 rather than the main table (254). So you should be able to create a second kernel protocol instance that connects to kernel table 220 and does:

import all; export none;

(the default behavior of bird, so no need to specify explicitly)

Or you can create a second routing table in bird, use the kernel protocol to connect the new (bird) table to kernel table 220, and then use the pipe protocol to sync routes between the main (bird) routing table and the second (bird) routing table. You may need an export filter for the existing kernel protocol instance and reject routes with "source = RTS_PIPE" in order not to copy everything from kernel table 220 to the main kernel table.

Do an

ip rule show

You should see something along the lines of:

220: from all lookup 220

So then do

ip route show table 220

You should see your IPSec routes in there.

I don't know if ipsec-tools work the same way.

- Simon

On Jul 7, 2013, at 21:58, "Michael Ludvig" <mludvig@logix.net.nz> wrote:
Hi
I've got a handful of Linux IPsec gateways, some running OpenSwan some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.
Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.
Is there any way to automatically export these ipsec routes to OSPF?
Thanks!
Michael
On 08/07/13 17:44, Simon Dickhoven wrote:
ip route show table 220
Thanks Simon. Out of interest I listed all tables from 0 to 100000 but the ipsec routes are in none of them. Any other ideas?

Perhaps some kind of "protocol xfrm" for bird could exist, similar to "protocol device", if it's not possible in any other way?

Thanks
Michael
Hi Michael

Have you looked at something like OSPF over GRE over IPsec? You may need to play around with MTU/MSS so you don't run into fragmentation issues. I've never done this myself in BIRD but it's pretty common on other network kit.

Daryl

On 8 Jul 2013 05:57, "Michael Ludvig" <mludvig@logix.net.nz> wrote:
Hi
I've got a handful of Linux IPsec gateways, some running OpenSwan some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.
Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.
Is there any way to automatically export these ipsec routes to OSPF?
Thanks!
Michael
Hi Daryl

Thanks for that. However my problem isn't running OSPF over IPsec but instead how to get the IPsec routes from the kernel to bird. From there on to OSPF it's trivial. In the first place Bird needs to learn the routes somehow...

Cheers
Michael

On 08/07/13 18:19, Daryl Turner wrote:
Hi Michael
Have you looked at something like OSPF over GRE over IPsec? You may need to play around with MTU/MSS so you don't run into fragmentation issues. I've never done this myself in BIRD but it's pretty common on other network kit.
Daryl
On 8 Jul 2013 05:57, "Michael Ludvig" <mludvig@logix.net.nz> wrote:
Hi
I've got a handful of Linux IPsec gateways, some running OpenSwan some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.
Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.
Is there any way to automatically export these ipsec routes to OSPF?
Thanks!
Michael
On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
Hi Daryl
Thanks for that. However my problem isn't running OSPF over IPsec but instead how to get the IPsec routes from the kernel to bird. From there on to OSPF it's trivial. In the first place Bird needs to learn the routes somehow...
Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec transport mode instead of IPsec tunnel mode (and some routing protocol to announce remote subnets through tunnels), then you would have the prefixes of remote subnets in the routing table instead of the XFRM policy table and therefore you wouldn't even have this problem of how to get prefixes from XFRM. But if you already have an infrastructure based on IPsec tunnel mode then it is probably unreasonable to change it just to be able to read these subnet prefixes.

BIRD currently does not support importing prefixes from XFRM. Your approach (generating static routes and reconfiguring) is OK; perhaps a better idea would be to use another kernel table and create a simple script that would synchronise that kernel table with the XFRM table. BIRD could learn such routes from that table. Such a script could run very often (like once per 10 seconds) so you could get more or less realtime sync.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On 09/07/13 21:26, Ondrej Zajicek wrote:
On Mon, Jul 08, 2013 at 06:36:58PM +1200, Michael Ludvig wrote:
Hi Daryl
Thanks for that. However my problem isn't running OSPF over IPsec but instead how to get the IPsec routes from the kernel to bird. From there on to OSPF it's trivial. In the first place Bird needs to learn the routes somehow...

Well, it is related - if you would use GRE (or IPIP) tunnels in IPsec transport mode instead of IPsec tunnel mode (and some routing protocol to announce remote subnets through tunnels), then you would have the prefixes of remote subnets in the routing table instead of the XFRM policy table and therefore you wouldn't even have this problem of how to get prefixes from XFRM.
Unfortunately that's not an option. The remote endpoints are our clients' and business partners' gear, are all sorts of HW gateways - Cisco, Juniper, Amazon AWS VPC, Who-Knows-What - and I have no control over them. We're stuck with plain IPsec.
BIRD currently does not support importing prefixes from XFRM. Your approach (generating static routes and reconfiguring) is OK; perhaps a better idea would be to use another kernel table and create a simple script that would synchronise that kernel table with the XFRM table. BIRD could learn such routes from that table. Such a script could run very often (like once per 10 seconds) so you could get more or less realtime sync.
That's a good idea, will do that. Thanks! Michael
Hi. On 08.07.2013 10:57, Michael Ludvig wrote:
I've got a handful of Linux IPsec gateways, some running OpenSwan some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.
Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.
Is there any way to automatically export these ipsec routes to OSPF?
Looks like you're using pure ipsec. The common approach here is to use ipsec in transport mode (though tunnel mode will also work) that carries gre or ipinip traffic, so any routing daemon would work over gre or ipinip interfaces, including ospf.

The modern and fancy approach is to use routed ipsec, for example stX interfaces on JunOS or 'tunnel mode ipsec ipvX' interfaces in Cisco IOS. I've heard that recent Linux versions have a patch implementing such interfaces, but since I use FreeBSD and it doesn't have such an ability, I still use gre interfaces (encrypted with ipsec).

Eugene.
Hi Michael, On 7/8/2013 6:57 AM, Michael Ludvig wrote:
I've got a handful of Linux IPsec gateways, some running OpenSwan some with ipsec-tools. Each gateway handles a number of tunnels with dozens of remote subnets. Unfortunately these remote subnets don't show up in the Linux routing table, i.e. "ip route show" only comes up with the standard two records for the link subnet and for the default route. Obviously bird doesn't see the ipsec routes either.
Now I've got a script that parses the output of "ip xfrm policy show" and exports them as static routes but that involves a manual rebuild every time the tunnels change and "birdc configure" to propagate the changes.
Is there any way to automatically export these ipsec routes to OSPF?
The way I do it is by using Openswan and the KLIPS stack (the IPsec stack that was present in 2.4.x kernels, and available as an out-of-tree buildable kernel module on later (2.6.x and 3.x.y) versions). With the KLIPS stack you do get routes for your VPNs in your routing table. Those routes can then be picked up by bird. The only "trick" I had to use is telling Openswan to use "proto static" when adding routes to the routing table.

Regards,
Ruben Laban
participants (6):
Daryl Turner
Eugene M. Zheganin
Michael Ludvig
Ondrej Zajicek
Ruben Laban
Simon Dickhoven