[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

TomK tomkcpr at mdevsys.com
Mon Oct 26 01:33:55 CET 2020


Hey Noel,

Thanks.  That would certainly make it automatic with either BIRD or 
Quagga.

I'll have a look at the pages again to see what it takes to create 
these.  Thinking this is still the right page for VTI and XFRM information?

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:
> Hi Tom,
> 
> The routes in table 220 are only used to tell the kernel which source IP to use for sending packets to a remote network.
> They aren't part of XFRM and only tangentially pertain to IPsec.
> Also, routes are only added if they are required, so those routes in table 220 are not necessarily complete.
> 
> A better solution for your use case would be to use route-based IPsec by using dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those virtual links.
> 
> Kind regards
> 
> Noel
> 
> On 25.10.20 at 19:05, TomK wrote:
>> Hey All,
>>
>> I'm interested in finding out how to import routes from StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?
>>
>> The XFRM policy-based rules are saved in table 220 while Quagga (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan on-prem GW paired up with one of the Cloud providers.  The connection is established fine; however, I can't ping the remote VLANs from any other device on the on-prem network except from the on-prem GW itself.
>>
>> I would like to make OSPF aware of table 220 so it can import the rules.  Or at least find another way to export the rules in table 220 and into table 254.  Either import from or export to would work but I haven't been able to find articles on the web addressing this issue.
>>
>> Is this possible?
>>
> 


-- 
Thx,
TK.
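
Noel's point that table 220 is not necessarily a complete list of the tunnelled networks can be checked by comparing it with the outbound XFRM policies. The following is an added example, not part of the original thread or of strongSwan; both sample outputs are constructed and the function names are hypothetical.

```python
import ipaddress
# Constructed sample of `ip xfrm policy` output (not taken from the thread).
XFRM_POLICY = """\
src 10.10.0.0/24 dst 172.16.1.0/24
    dir out priority 375423 ptype main
    tmpl src 192.0.2.10 dst 198.51.100.20
        proto esp spi 0xc0ffee01 reqid 1 mode tunnel
src 172.16.1.0/24 dst 10.10.0.0/24
    dir in priority 375423 ptype main
    tmpl src 198.51.100.20 dst 192.0.2.10
        proto esp reqid 1 mode tunnel
src 10.10.0.0/24 dst 172.16.2.0/24
    dir out priority 375423 ptype main
    tmpl src 192.0.2.10 dst 198.51.100.20
        proto esp spi 0xc0ffee02 reqid 2 mode tunnel
"""
# Constructed sample of `ip route show table 220` output.
TABLE_220 = "172.16.1.0/24 via 192.0.2.1 dev eth0 proto static src 10.10.0.1\n"

def outbound_selectors(policy_text):
    """Destination networks of every `dir out` policy."""
    nets, dst = set(), None
    for line in policy_text.splitlines():
        fields = line.split()
        if not line[:1].isspace():  # unindented selector line starts a policy
            dst = fields[3] if len(fields) >= 4 and fields[2] == "dst" else None
        elif dst and fields[:2] == ["dir", "out"]:
            nets.add(ipaddress.ip_network(dst, strict=False))
    return nets

def routed_networks(route_text):
    """Prefixes that have a route in the given `ip route show` output."""
    nets = set()
    for fields in map(str.split, route_text.splitlines()):
        try:
            prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
            nets.add(ipaddress.ip_network(prefix, strict=False))
        except (IndexError, ValueError):
            continue  # blank line, or a "throw"/"unreachable" entry
    return nets

def uncovered(policy_text, route_text):
    """Outbound-protected networks with no covering route in the table."""
    routes = routed_networks(route_text)
    return sorted((n for n in outbound_selectors(policy_text) if not any(
        n.version == r.version and n.subnet_of(r) for r in routes)), key=str)

if __name__ == "__main__":
    print(uncovered(XFRM_POLICY, TABLE_220))
```

Any network reported here is protected by IPsec policy but would be missing from a routing export built from table 220 alone.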

