[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

Michael Schwartzkopff ms at sys4.de
Mon Oct 26 07:10:06 CET 2020

On 26.10.20 05:47, TomK wrote:
> Hey All,
> I've configured the VTI's and routing is now fully working between the
> 9 VLAN's.
> XFRM, as far as I can tell, isn't as well documented.  I might try
> this later on to see if OpenWRT supports it.
> Thx,
> On 10/25/2020 9:48 PM, TomK wrote:
>> Hey Noel,
>> I have four VLAN's on the Azure side.  I need all these VLAN's
>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
>> GW can see those Azure VLAN's.  The mapping works well.
>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>> they are sitting in table 220 where OSPF can't see them.
>>  From the Azure side, I can ping the on-prem GW just fine, including
>> the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
>> can't ping any of the other on-prem VLAN's from the Azure side, of
>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>> This is mostly a POC so I have plenty of room to experiment. This is
>> the goal.
>> Cheers,
>> TK
>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>> Hello Tom,
>>> That is the right wiki page.
>>> What I forgot to mention though is that with interfaces, you can
>>> then talk your routing protocol over it.
>>> It does not give you information about the subnets though for which
>>> IPsec policies are installed.
>>> What is the goal of this in the end?
>>> Kind regards
>>> Noel
>>> Am 26.10.20 um 01:33 schrieb TomK:
>>>> Hey Noel,
>>>> Thanks.  That would certainly make it automatic with either BIRD or
>>>> Quagga.
>>>> I'll have a look at the pages again to see what it takes to create
>>>> these.  Thinking this is still the right page for VTI and XFRM
>>>> information?
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>> Cheers,
>>>> TK
>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>> Hi Tom,
>>>>> The routes in table 220 are only used to tell the kernel which
>>>>> source IP to use for sending packets to a remote network.
>>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>>> Also, routes are only added if they are required, so those routes
>>>>> in table 220 are not necessarily complete.
>>>>> A better solution for your use case would be to use route based
>>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>>> OSPF/BGP/whatever over those virtual links.
>>>>> Kind regards
>>>>> Noel
>>>>> Am 25.10.20 um 19:05 schrieb TomK:
>>>>>> Hey All,
>>>>>> I'm interested in finding out how to import routes from
>>>>>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>>>>>> 254)?
>>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>>>>>> on-prem GW paired up with one of the Cloud providers.  The
>>>>>> connection is established fine however I can't ping the remote
>>>>>> VLAN's from any other device on the on-prem network except from
>>>>>> the on-prem GW itself.
>>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>>> rules.  Or at least find another way to export the rules in table
>>>>>> 220 and into table 254.  Either import from or export to would
>>>>>> work but I haven't been able to find articles on the web
>>>>>> addressing this issue.
>>>>>> Is this possible?


I wrote two blog articles explaining how to do route-based VPN
with dynamic routing.

Kind regards,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
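The route-based setup recommended in the thread (an XFRM interface bound to the IPsec connection, with OSPF running across it so the remote subnets land in the main table instead of staying hidden in table 220), written out as an added example. This script is not from any participant in the thread, the strongSwan project, or the blog articles mentioned; the interface name `ipsec42`, the `if_id` value 42, the underlay device `eth0`, the addresses and the connection name `azure` are all constructed for illustration. It relies on the real `ip link ... type xfrm ... if_id` syntax (kernel 4.19+, iproute2 5.1+), the real swanctl.conf options `if_id_in`/`if_id_out` (strongSwan 5.8.0+), and standard Quagga ospfd syntax.

```shell
#!/bin/sh
# Added example (not from the thread): create a strongSwan XFRM interface
# and hand it to Quagga's ospfd, so the remote VLANs arrive as OSPF routes
# in the main table rather than being looked up in strongSwan's table 220.
# All names, addresses and the if_id are constructed for illustration.
# Set DRY_RUN=1 to print the ip commands instead of executing them.

IF_ID=42                    # must equal if_id_in/if_id_out in swanctl.conf
IFNAME="ipsec${IF_ID}"
PHYS_DEV="eth0"             # underlay device the ESP packets leave on
P2P_NET="10.255.0.0/30"     # constructed point-to-point link for OSPF
LOCAL_P2P="10.255.0.1/30"   # this gateway's end of that link

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The command that creates the XFRM interface: only traffic whose SA
# carries this if_id is steered through it, so the interface (not
# table 220) is what the routing daemon sees.
xfrm_link_cmd() {
    printf 'ip link add %s type xfrm dev %s if_id %s' "$IFNAME" "$PHYS_DEV" "$IF_ID"
}

setup_xfrm_interface() {
    run ip link add "$IFNAME" type xfrm dev "$PHYS_DEV" if_id "$IF_ID"
    run ip address add "$LOCAL_P2P" dev "$IFNAME"
    run ip link set "$IFNAME" up
}

# strongSwan side: the connection is bound to the same if_id. With an
# interface in place the traffic selectors can be 0.0.0.0/0 on both sides,
# because routing (OSPF) rather than the IPsec policy decides what is sent.
swanctl_snippet() {
    cat <<EOF
connections {
    azure {
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.20
        if_id_in  = $IF_ID
        if_id_out = $IF_ID
        children {
            net {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
EOF
}

# Quagga ospfd.conf fragment: the tunnel interface joins area 0 as a
# point-to-point link; the peer advertises its VLANs over it and zebra
# installs them in the main table, where the other on-prem hosts can use them.
ospfd_snippet() {
    cat <<EOF
interface $IFNAME
 ip ospf network point-to-point
!
router ospf
 network $P2P_NET area 0
!
EOF
}

# Usage: "sh xfrm-ospf.sh show" prints everything without touching the
# kernel; "sh xfrm-ospf.sh apply" (as root) creates the interface.
case "${1:-}" in
    show)  DRY_RUN=1; setup_xfrm_interface; swanctl_snippet; ospfd_snippet ;;
    apply) setup_xfrm_interface; swanctl_snippet; ospfd_snippet ;;
esac
```

The same if_id has to appear on the connection and on the interface, and the peer needs a matching interface with the other address of the /30; once both ospfd instances form an adjacency across it, `ip route show` on the on-prem gateway lists the remote subnets via `ipsec42` in the main table, which is the visibility OSPF was missing with table 220.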

