bird and ipsec (strongswan) routes
Hello,
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:
• use a script to migrate xfrm route table (220) to a bird-readable table
• use static routes inside bird
• use vti instead of xfrm
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
2) What is the strategy that most of you are using now? (as opposed to many years ago)
Thanks!
Brian
Hi Brian,
When I did something like that, I didn't even dig that deep to wed ipsec tunnel policies with routing. IMHO it might work, but could hit you in an unexpected way.
The option with vti looks more straightforward to me - those guys live separately and do not harm each other. I.e. ipsec does its job with securing the tunnel, and routing is done over the usual interface with no hidden pitfalls.
Regards,
Alexander
On Wed, Nov 20, 2024 at 6:48 AM Brian C. Hill via Bird-users <bird-users@network.cz> wrote:
Hello,
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:
• use a script to migrate xfrm route table (220) to a bird-readable table
• use static routes inside bird
• use vti instead of xfrm
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
2) What is the strategy that most of you are using now? (as opposed to many years ago)
Thanks!
Brian
On Tue, 19 Nov 2024, Brian C. Hill via Bird-users wrote:
Hello,
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
IPsec VTI is what you want. deb12 with strongswan/swanctl works well. I have swan2swan, swan2srx and swan2watchguard (cust configured the WG side) all working well with bird1 and bgp on deb12. Working on jinja2 templates to automate it all better, but manual config is pretty easy too for small builds. I use EBGP (with bfd) mostly, but ospf should work well too.
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:
• use a script to migrate xfrm route table (220) to a bird-readable table
• use static routes inside bird
• use vti instead of xfrm
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
2) What is the strategy that most of you are using now? (as opposed to many years ago)
Thanks!
Brian
On 11/19/24 11:35 PM, Brian C. Hill via Bird-users wrote:
Hello,
Hi, Pre-script, this touches on multiple things that I'm interested in and / or actively working on, so I'm going to throw my hat into the ring. But I could be so far off the mark that it's not even remotely funny.
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
Okay,
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
ACK
I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:
• use a script to migrate xfrm route table (220) to a bird-readable table
The last time I worked with bird and multiple routing tables, I found that I could choose what routing table I wanted bird to look at / work with. Though admittedly I did eventually end up using an additional routing table for some reason other than bird's ability to see into it. I think it had to do with state and complications like too many cooks in the kitchen.
• use static routes inside bird
:-/
• use vti instead of xfrm
You mention OSPF, so I'll ask, how are you going to establish an OSPF adjacency without an L2 tunnel between the VPN gateway(s) and the VPN concentrator? Won't OSPF alone sort of necessitate the VTI -or- another tunnel (GRE?) that is itself protected by IPsec?
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
I believe that bird can be made to work with whatever routing table ID you want. I thought that xfrm could also be made to work with whatever routing table ID you want. There seems like a lot of flexibility and capability here. Though the question may be more "should you" and less "can you".
2) What is the strategy that most of you are using now? (as opposed to many years ago)
I'm wanting to not use VTIs for a project that I'm working on, but I'm suspecting that I'm going to have my hand forced to VTIs for various reasons; e.g. iptables conditionally altering behavior based on an interface (VTI) state.
Thanks!
You're welcome. I'd be very curious to learn more about what you're doing to see if it will help me in what I'm doing. :-)
--
Grant. . . .
unix || die
Hi,
I prefer to use XFRM interfaces on Linux. You get a dedicated interface for each site where you can use any static or dynamic (L3-based -- did you consider using eBGP between your sites?) routing setup. You can configure it like a VTI while not being a VTI ;-)
When using StrongSwan you need to use swanctl instead of the classic ipsec.conf configuration. The XFRM interface is referenced from StrongSwan by a XFRM interface ID (ip link: if_id | swanctl: if_id_in + if_id_out).
And once you have a dedicated XFRM interface you can move it into a VRF or a netns ;-)
Regards,
Thomas
On Tue, 2024-11-19 at 21:35 -0800, Brian C. Hill via Bird-users wrote:
Hello,
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
I couldn't find many posts about the best strategy to use, and the ones I did find are many years old, but it seems to boil down to these options:
• use a script to migrate xfrm route table (220) to a bird-readable table
• use static routes inside bird
• use vti instead of xfrm
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
2) What is the strategy that most of you are using now? (as opposed to many years ago)
Thanks!
Brian
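The XFRM-interface setup Thomas describes, written out as an added example for this archive (it is not code from the thread, nor strongSwan's or BIRD's own). The script only prints the three pieces that have to agree with each other: the ip(8) commands that create the interface with a given if_id, a swanctl.conf connection whose child uses the same value as if_id_in/if_id_out, and a bird.conf that runs OSPF on the tunnel interfaces only. Interface names (ipsec42, eth0, eth1), addresses (198.51.100.1, 203.0.113.1, 10.255.0.0/30), identities (gw-a.example, gw-b.example), certificate file names and the if_id 42 are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the list archive or from strongSwan/BIRD.
# Prints a route-based strongSwan + BIRD setup over a Linux XFRM interface.
# All names, addresses, identities and the if_id are assumed placeholders.
# Nothing is applied to the system: review the output, then run the ip
# commands and install the two config files as root.

# The if_id on the link and if_id_in/if_id_out in swanctl must be the same
# positive 32-bit integer. A mismatch fails silently: the SA comes up and
# traffic is decrypted, but nothing ever appears on the interface.
check_if_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# ip(8) commands creating the XFRM interface. The /30 is the point-to-point
# link the OSPF adjacency forms on; the MTU leaves room for ESP overhead.
xfrm_link_cmds() {
    name=$1 if_id=$2 phys=$3 addr=$4
    check_if_id "$if_id" || return 1
    cat <<EOF
ip link add $name type xfrm dev $phys if_id $if_id
ip link set $name mtu 1400
ip addr add $addr dev $name
ip link set $name up
EOF
}

# swanctl.conf connection. Wildcard traffic selectors make the policy match
# everything routed into the interface, so the routing table (i.e. BIRD),
# not the SP table, decides what is tunnelled. Certificates are assumed to
# be installed under /etc/swanctl/x509/.
swanctl_conn() {
    conn=$1 local_ip=$2 remote_ip=$3 if_id=$4 local_id=$5 remote_id=$6
    check_if_id "$if_id" || return 1
    cat <<EOF
connections {
    $conn {
        version = 2
        local_addrs = $local_ip
        remote_addrs = $remote_ip
        proposals = aes256gcm16-prfsha384-x25519
        dpd_delay = 10s
        local {
            auth = pubkey
            id = $local_id
            certs = $local_id.pem
        }
        remote {
            auth = pubkey
            id = $remote_id
        }
        children {
            $conn {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in = $if_id
                if_id_out = $if_id
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action = restart
            }
        }
    }
}
EOF
}

# bird.conf (BIRD 2 syntax). OSPF is bound to the tunnel interfaces and the
# LAN (as a stub) only, never to the public interface, so no adjacency is
# offered to anything that is not already inside an SA.
bird_ospf() {
    router_id=$1 tunnels=$2 lan=$3
    cat <<EOF
router id $router_id;
protocol device { }
protocol kernel {
    ipv4 { export all; };
}
protocol ospf v2 {
    ipv4 { import all; export all; };
    area 0 {
        interface "$tunnels" { type ptp; hello 5; dead 20; };
        interface "$lan" { stub; };
    };
}
EOF
}

# "sh thisfile.sh show" prints all three pieces for site A talking to site B.
if [ "${1:-}" = "show" ]; then
    xfrm_link_cmds ipsec42 42 eth0 10.255.0.1/30
    swanctl_conn siteb 198.51.100.1 203.0.113.1 42 gw-a.example gw-b.example
    bird_ospf 10.255.0.1 'ipsec*' eth1
fi
```

Two points worth keeping in mind when adapting this. First, the same if_id has to appear on the link and in the child; generating both from one parameter is the simplest way to guarantee that. Second, this is what makes the route-based approach safer than reading table 220: a packet that BIRD routes into the XFRM interface while its SA is down is dropped by the kernel, whereas with policy-based IPsec the disappearance of the xfrm routes leaves the packet to follow the main table, possibly out of the public interface in the clear. Swapping the OSPF stanza for eBGP with BFD, as Jon and Thomas suggest, changes nothing else in the setup.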
On Tue, Nov 19, 2024 at 09:35:53PM -0800, Brian C. Hill via Bird-users wrote:
Hello,
I want to use bird to mutually propagate routes throughout several sites connected with vpn gateways, probably with ospf.
e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator' <-> site B vpn gateway <-> hosts site B net(s), etc..
Hello
Can you (or others) give me a brief outline of how it ideally should work? I.e. what would you expect from BIRD w.r.t. IPsec? I know there are SA/SP tables (accessed by ip xfrm state/policy), xfrm routing table 220, all of these managed by Strongswan. What records from these tables are supposed to be read or even managed by BIRD?
My questions:
1) Is it still the case that bird cannot read directly from the xfrm table? (I tried this with a pipe config but nothing gets imported)
I do not know why it should not. It seems like a regular routing table. But it is possible that it contains routes with some strange attributes causing BIRD to ignore them (I noticed the 'throw' action). Can you give me the output of 'ip route show table 220'?
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
"To err is human -- to blame it on a computer is even more so."
participants (6)
- Alexander Zubkov
- Brian C. Hill
- C. Jon Larsen
- Grant Taylor
- Ondrej Zajicek
- Thomas Liske