[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
TomK
tomkcpr at mdevsys.com
Mon Oct 26 05:47:27 CET 2020
Hey All,
I've configured the VTI's and routing is now fully working between the 9
VLAN's.
XFRM, as far as I can tell, isn't as well documented. I might try this
later on to see if OpenWRT supports it.
Thx,
On 10/25/2020 9:48 PM, TomK wrote:
> Hey Noel,
>
> I have four VLAN's on the Azure side. I need all these VLAN's visible
> to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem GW can see
> those Azure VLAN's. The mapping works well.
>
> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since they
> are sitting in table 220 where OSPF can't see them.
>
> From the Azure side, I can ping the on-prem GW just fine, including the
> ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't
> ping any of the other on-prem VLAN's from the Azure side, of course. Not
> until OSPF sees the Azure VLAN's I'm thinking.
>
> This is mostly a POC so I have plenty of room to experiment. This is the
> goal.
>
> Cheers,
> TK
>
>
> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>> Hello Tom,
>>
>> That is the right wiki page.
>> What I forgot to mention though is that with interfaces, you can then
>> talk your routing protocol over it.
>> It does not give you information about the subnets though for which
>> IPsec policies are installed.
>>
>> What is the goal of this in the end?
>>
>> Kind regards
>>
>> Noel
>>
>> Am 26.10.20 um 01:33 schrieb TomK:
>>> Hey Noel,
>>>
>>> Thanks. That would certainly make it automatic with either BIRD or
>>> Quagga.
>>>
>>> I'll have a look at the pages again to see what it takes to create
>>> these. Thinking this is still the right page for VTI and XFRM
>>> information?
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>
>>> Cheers,
>>> TK
>>>
>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>> Hi Tom,
>>>>
>>>> The routes in table 220 are only used to tell the kernel which
>>>> source IP to use for sending packets to a remote network.
>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>> Also, routes are only added if they are required, so those routes in
>>>> table 220 are not necessarily complete.
>>>>
>>>> A better solution for your use case would be to use route based
>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>> OSPF/BGP/whatever over those virtual links.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> Am 25.10.20 um 19:05 schrieb TomK:
>>>>> Hey All,
>>>>>
>>>>> I'm interested in finding out how to import routes from StrongSwan
>>>>> IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?
>>>>>
>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>> (OSPF) saves the routes in table 254. I have an IPSec StrongSwan
>>>>> on-prem GW paired up with one of the Cloud providers. The
>>>>> connection is established fine however I can't ping the remote
>>>>> VLAN's from any other device on the on-prem network except from the
>>>>> on-prem GW itself.
>>>>>
>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>> rules. Or at least find another way to export the rules in table
>>>>> 220 and into table 254. Either import from or export to would work
>>>>> but I haven't been able to find articles on the web addressing this
>>>>> issue.
>>>>>
>>>>> Is this possible?
>>>>>
>>>>
>>>
>>>
>>
>
>
--
Thx,
TK.
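Noel's point in the thread is that table 220 holds only on-demand source-address hints, while the installed XFRM policies are what actually describe the protected subnets. The following added example (not code from the thread or from strongSwan) parses constructed `ip xfrm policy` and `ip route show table 220` output and lists the outbound traffic selectors that have no route in table 220, i.e. what redistributing that table into OSPF would miss.

```python
"""Audit which IPsec-protected remote subnets are missing from table 220.
strongSwan adds table 220 routes on demand as source-address hints, so the
table is not a complete list of protected networks; the XFRM policies are.
Added example (not from the thread); both sample outputs are constructed.
"""
import ipaddress
import re
# Constructed `ip xfrm policy` output (tmpl lines omitted): three cloud VLANs
# behind the tunnel, one inbound policy and the kernel's socket policy.
XFRM_POLICY_SAMPLE = """\
src 192.168.10.0/24 dst 10.1.0.0/24
\tdir out priority 375423 ptype main
src 10.1.0.0/24 dst 192.168.10.0/24
\tdir in priority 375423 ptype main
src 192.168.10.0/24 dst 10.2.0.0/24
\tdir out priority 375423 ptype main
src 192.168.10.0/24 dst 10.3.0.0/24
\tdir out priority 375423 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""
# Constructed `ip route show table 220` output: only one hint route exists.
TABLE_220_SAMPLE = """\
10.1.0.0/24 via 203.0.113.1 dev eth0 proto static src 192.168.10.1
"""
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (out|in|fwd)\b")

def outbound_selectors(xfrm_policy_text):
    """Remote subnets of 'dir out' policies; socket policies have no 'dir'."""
    remote, pending = set(), None
    for line in xfrm_policy_text.splitlines():
        if m := POLICY_RE.match(line):
            pending = ipaddress.ip_network(m.group(2))
        elif (d := DIR_RE.match(line)) and pending is not None:
            if d.group(1) == "out":
                remote.add(pending)
            pending = None
    return remote

def table_prefixes(route_text):
    """Destination prefixes from `ip route show table N` output."""
    dsts = (line.split()[0] for line in route_text.splitlines() if line.strip())
    return {ipaddress.ip_network("0.0.0.0/0" if d == "default" else d) for d in dsts}

def missing_from_table(xfrm_policy_text, route_text):
    """Protected remote subnets not covered by any route in the table."""
    covered = table_prefixes(route_text)
    return sorted(str(n) for n in outbound_selectors(xfrm_policy_text)
                  if not any(n.subnet_of(p) for p in covered))
```

Run it against the live output of both commands on the gateway; an empty result means every outbound selector already has a covering route, anything else is a subnet OSPF would never learn from table 220.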