[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

Michael Schwartzkopff ms at sys4.de
Mon Oct 26 07:10:06 CET 2020


On 26.10.20 05:47, TomK wrote:
> Hey All,
>
> I've configured the VTI's and routing is now fully working between the
> 9 VLAN's.
>
> XFRM, as far as I can tell, isn't as well documented.  I might try
> this later on to see if OpenWRT supports it.
>
> Thx,
>
> On 10/25/2020 9:48 PM, TomK wrote:
>> Hey Noel,
>>
>> I have four VLAN's on the Azure side.  I need all these VLAN's
>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
>> GW can see those Azure VLAN's.  The mapping works well.
>>
>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>> they are sitting in table 220 where OSPF can't see them.
>>
>> From the Azure side, I can ping the on-prem GW just fine, including
>> the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
>> can't ping any of the other on-prem VLAN's from the Azure side, of
>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>>
>> This is mostly a POC so I have plenty of room to experiment. This is
>> the goal.
>>
>> Cheers,
>> TK
>>
>>
>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>> Hello Tom,
>>>
>>> That is the right wiki page.
>>> What I forgot to mention though is that with interfaces, you can
>>> then talk your routing protocol over it.
>>> It does not give you information about the subnets though for which
>>> IPsec policies are installed.
>>>
>>> What is the goal of this in the end?
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 26.10.20 um 01:33 schrieb TomK:
>>>> Hey Noel,
>>>>
>>>> Thanks.  That would certainly make it automatic with either BIRD or
>>>> Quagga.
>>>>
>>>> I'll have a look at the pages again to see what it takes to create
>>>> these.  Thinking this is still the right page for VTI and XFRM
>>>> information?
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>>
>>>> Cheers,
>>>> TK
>>>>
>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>> Hi Tom,
>>>>>
>>>>> The routes in table 220 are only used to tell the kernel which
>>>>> source IP to use for sending packets to a remote network.
>>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>>> Also, routes are only added if they are required, so those routes
>>>>> in table 220 are not necessarily complete.
>>>>>
>>>>> A better solution for your use case would be to use route based
>>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>>> OSPF/BGP/whatever over those virtual links.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> Am 25.10.20 um 19:05 schrieb TomK:
>>>>>> Hey All,
>>>>>>
>>>>>> I'm interested in finding out how to import routes from
>>>>>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>>>>>> 254)?
>>>>>>
>>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>>>>>> on-prem GW paired up with one of the Cloud providers.  The
>>>>>> connection is established fine however I can't ping the remote
>>>>>> VLAN's from any other device on the on-prem network except from
>>>>>> the on-prem GW itself.
>>>>>>
>>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>>> rules.  Or at least find another way to export the rules in table
>>>>>> 220 and into table 254.  Either import from or export to would
>>>>>> work but I haven't been able to find articles on the web
>>>>>> addressing this issue.
>>>>>>
>>>>>> Is this possible?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>

Hi,


I wrote two blog articles explaining how to do route-based VPN
with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
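As an added example (not from this thread, the blog posts, or the strongSwan project), the approach Noel describes: an XFRM interface carries the tunnel and OSPF talks over that interface, so nothing has to be exported from table 220. The interface name, if_id, addresses and connection name are constructed placeholders.

```shell
#!/bin/sh
# Added example: route-based strongSwan tunnel over an XFRM interface.
# Requires kernel >= 4.19 and strongSwan >= 5.8.2 (if_id_in/if_id_out).
# All names and addresses are constructed placeholders.

IF_NAME=ipsec0            # XFRM interface OSPF will run over
UNDERLAY=eth0             # physical interface carrying the ESP packets
IF_ID=42                  # must match if_id_in/if_id_out in swanctl.conf
LOCAL_TUN=10.255.0.1/30   # tunnel-internal address for the OSPF adjacency
REMOTE_GW=203.0.113.10    # peer's public address (documentation range)

# Emit the ip(8) commands that create the interface. Emitting instead of
# executing keeps the function testable; pipe the output to sh as root.
xfrm_iface_cmds() {
  printf 'ip link add %s type xfrm dev %s if_id %s\n' "$1" "$2" "$3"
  printf 'ip addr add %s dev %s\n' "$4" "$1"
  printf 'ip link set %s up\n' "$1"
}

# Render a swanctl.conf connection bound to the same if_id. With 0/0
# traffic selectors the policy no longer decides what is tunnelled; the
# kernel routes installed by OSPF over $IF_NAME do. strongSwan's own
# table 220 routes are then unnecessary (charon.install_routes = no).
render_swanctl_conn() {
  cat <<EOF
connections {
    cloud {
        remote_addrs = $2
        local  { auth = psk }
        remote { auth = psk }
        children {
            cloud {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in  = $1
                if_id_out = $1
                start_action = start
            }
        }
    }
}
EOF
}

xfrm_iface_cmds "$IF_NAME" "$UNDERLAY" "$IF_ID" "$LOCAL_TUN"
render_swanctl_conn "$IF_ID" "$REMOTE_GW"
```

Once the interface is up, add it to the OSPF daemon's interface list; the remote subnets then arrive in the main table (254) as ordinary OSPF routes pointing at ipsec0.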

