[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

[TomK]

On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:
> On 26.10.20 05:47, TomK wrote:
>> Hey All,
>>
>> I've configured the VTI's and routing is now fully working between the
>> 9 VLAN's.
>>
>> XFRM, as far as I can tell, isn't as well documented.  I might try
>> this later on o see if OpenWRT supprots it.
>>
>> Thx,
>>
>> On 10/25/2020 9:48 PM, TomK wrote:
>>> Hey Noel,
>>>
>>> I have four VLAN's on the Azure side.  I need all these VLAN's
>>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
>>> GW can see those Azure VLAN's.  The mapping works well.
>>>
>>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>>> they are sitting in table 220 where OSPF can't see them.
>>>
>>>   From the Azure side, I can ping the on-prem GW just fine, including
>>> the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
>>> can't ping any of the other on-prem VLAN's from the Azure side, of
>>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>>>
>>> This is mostly a POC so I have plenty of room to experiment. This is
>>> the goal.
>>>
>>> Cheers,
>>> TK
>>>
>>>
>>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>>> Hello Tom,
>>>>
>>>> That is the right wiki page.
>>>> What I forgot to mention though is that with interfaces, you can
>>>> then talk your routing protocol over it.
>>>> It does not give you information about the subnets though for which
>>>> IPsec policies are installed.
>>>>
>>>> What is the goal of this in the end?
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> Am 26.10.20 um 01:33 schrieb TomK:
>>>>> Hey Noel,
>>>>>
>>>>> Thanks.  That would certainly make it automatic with either BIRD or
>>>>> Quagga.
>>>>>
>>>>> I'll have a look at the pages again to see what it takes to create
>>>>> these.  Thinking this is still the right page for VTI and XFRM
>>>>> information?
>>>>>
>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>>>
>>>>> Cheers,
>>>>> TK
>>>>>
>>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>>> Hi Tom,
>>>>>>
>>>>>> The routes in table 220 are only used to tell the kernel which
>>>>>> source IP to use for sending packets to a remote network.
>>>>>> They aren't part of XFRM and only tangentially pertain IPsec.
>>>>>> Also, routes are only added if they are required, so those routes
>>>>>> in table 220 are not necessarily complete.
>>>>>>
>>>>>> A better solution for your use case would be to use route based
>>>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>>>> OSPF/BGP/whatever over those virtual links.
>>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>> Noel
>>>>>>
>>>>>> Am 25.10.20 um 19:05 schrieb TomK:
>>>>>>> Hey All,
>>>>>>>
>>>>>>> I'm interested in finding out how to import routes from
>>>>>>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>>>>>>> 254)?
>>>>>>>
>>>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>>>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>>>>>>> on-prem GW paired up with one of the Cloud providers.  The
>>>>>>> connection is established fine however I can't ping the remote
>>>>>>> VLAN's from any other device on the on-prem network except from
>>>>>>> the on-prem GW itself.
>>>>>>>
>>>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>>>> rules.  Or at least find another way to export the rules in table
>>>>>>> 220 and into table 254.  Either import from or export to would
>>>>>>> work but I haven't been able to find articles on the web
>>>>>>> addressing this issue.
>>>>>>>
>>>>>>> Is this possible?
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
> 
> Hi,
> 
> 
> I wrote two blog articles explaining how to achieve do route based VPN
> with dynamic routing.
> 
> https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
> 
> https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html
> 
> 
> Mit freundlichen Grüßen,
> 
I'll check it out.  Thank you.

-- 
Thx,
TK.