[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

TomK tomkcpr at mdevsys.com
Thu Oct 29 04:03:41 CET 2020


On 10/26/2020 8:42 AM, TomK wrote:
> On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:
>> On 26.10.20 05:47, TomK wrote:
>>> Hey All,
>>>
>>> I've configured the VTI's and routing is now fully working between the
>>> 9 VLAN's.
>>>
>>> XFRM, as far as I can tell, isn't as well documented.  I might try
>>> this later on to see if OpenWRT supports it.
>>>
>>> Thx,
>>>
>>> On 10/25/2020 9:48 PM, TomK wrote:
>>>> Hey Noel,
>>>>
>>>> I have four VLAN's on the Azure side.  I need all these VLAN's
>>>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem
>>>> GW can see those Azure VLAN's.  The mapping works well.
>>>>
>>>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>>>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>>>> they are sitting in table 220 where OSPF can't see them.
>>>>
>>>> From the Azure side, I can ping the on-prem GW just fine, including
>>>> the ability to ssh to the on-prem OpenWRT GW from Azure. However, I
>>>> can't ping any of the other on-prem VLAN's from the Azure side, of
>>>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>>>>
>>>> This is mostly a POC so I have plenty of room to experiment. This is
>>>> the goal.
>>>>
>>>> Cheers,
>>>> TK
>>>>
>>>>
>>>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>>>> Hello Tom,
>>>>>
>>>>> That is the right wiki page.
>>>>> What I forgot to mention though is that with interfaces, you can
>>>>> then talk your routing protocol over it.
>>>>> It does not give you information about the subnets though for which
>>>>> IPsec policies are installed.
>>>>>
>>>>> What is the goal of this in the end?
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> On 26.10.20 at 01:33, TomK wrote:
>>>>>> Hey Noel,
>>>>>>
>>>>>> Thanks.  That would certainly make it automatic with either BIRD or
>>>>>> Quagga.
>>>>>>
>>>>>> I'll have a look at the pages again to see what it takes to create
>>>>>> these.  Thinking this is still the right page for VTI and XFRM
>>>>>> information?
>>>>>>
>>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>>>>
>>>>>> Cheers,
>>>>>> TK
>>>>>>
>>>>>> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>>>>>>> Hi Tom,
>>>>>>>
>>>>>>> The routes in table 220 are only used to tell the kernel which
>>>>>>> source IP to use for sending packets to a remote network.
>>>>>>> They aren't part of XFRM and only tangentially pertain to IPsec.
>>>>>>> Also, routes are only added if they are required, so those routes
>>>>>>> in table 220 are not necessarily complete.
>>>>>>>
>>>>>>> A better solution for your use case would be to use route based
>>>>>>> IPsec by using dedicated VTIs or XFRM interfaces and running
>>>>>>> OSPF/BGP/whatever over those virtual links.
>>>>>>>
>>>>>>> Kind regards
>>>>>>>
>>>>>>> Noel
>>>>>>>
>>>>>>> On 25.10.20 at 19:05, TomK wrote:
>>>>>>>> Hey All,
>>>>>>>>
>>>>>>>> I'm interested in finding out how to import routes from
>>>>>>>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>>>>>>>> 254)?
>>>>>>>>
>>>>>>>> The XFRM policy based rules are saved in table 220 while Quagga
>>>>>>>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>>>>>>>> on-prem GW paired up with one of the Cloud providers.  The
>>>>>>>> connection is established fine however I can't ping the remote
>>>>>>>> VLAN's from any other device on the on-prem network except from
>>>>>>>> the on-prem GW itself.
>>>>>>>>
>>>>>>>> I would like to make OSPF aware of table 220 so it can import the
>>>>>>>> rules.  Or at least find another way to export the rules in table
>>>>>>>> 220 and into table 254.  Either import from or export to would
>>>>>>>> work but I haven't been able to find articles on the web
>>>>>>>> addressing this issue.
>>>>>>>>
>>>>>>>> Is this possible?
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>> Hi,
>>
>>
>> I wrote two blog articles explaining how to do route based VPN
>> with dynamic routing.
>>
>> https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
>>
>> https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html
>>
>>
>> Kind regards,
>>
> I'll check it out.  Thank you.
>
I've tossed in a post as well:

https://microdevsys.com/wp/microsoft-azure-to-cloudera-cdh-via-vpn-gateway/

Included all the issues and successes I encountered along the way.  Hope 
that helps someone.

-- 
Thx,
TK.
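Noel's suggestion above (route-based IPsec over a VTI or XFRM interface, with the routing protocol running across that interface instead of reading table 220) as an added example; this is not code from the thread, from strongSwan or from the linked blog posts. It assumes an XFRM interface named ipsec0 with if_id 42 on uplink eth0, a tunnel /30 of 10.255.0.0/30, a peer gateway at 203.0.113.10, an on-prem VLAN 192.168.10.0/24, and a far-end router that also speaks OSPF.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: route-based
# IPsec on an XFRM interface, so OSPF runs across the tunnel as an ordinary
# interface and nothing has to be copied out of table 220. Assumed values:
# if_id 42, uplink eth0, tunnel 10.255.0.1/30, peer 203.0.113.10, LAN 192.168.10.0/24.
IF_ID=42; PHYS=eth0; TUN=ipsec0; PEER=203.0.113.10
TUN_ADDR=10.255.0.1/30; TUN_NET=10.255.0.0/30; LAN=192.168.10.0/24

# swanctl.conf: 0.0.0.0/0 selectors, so the routing table (not per-subnet IPsec
# policies) decides what enters the tunnel; if_id binds the SAs to $TUN.
swanctl_conf() {
    cat <<EOF
connections {
    cloud {
        remote_addrs = $PEER
        if_id_in = $IF_ID
        if_id_out = $IF_ID
        local { auth = psk }
        remote { auth = psk }
        children {
            cloud {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
            }
        }
    }
}
EOF
}

# Kernel side: create the XFRM interface that carries SAs tagged with if_id.
# If charon still installs routes for this child in table 220, set
# charon.install_routes = no in strongswan.conf.
xfrm_iface_cmds() {
    printf 'ip link add %s type xfrm dev %s if_id %s\n' "$TUN" "$PHYS" "$IF_ID"
    printf 'ip addr add %s dev %s\n' "$TUN_ADDR" "$TUN"
    printf 'ip link set %s up\n' "$TUN"
}

# ospfd.conf (Quagga): point-to-point link over the tunnel; advertise the tunnel
# /30 and the on-prem VLAN. The peer router needs the mirror-image config.
ospfd_conf() {
    printf 'interface %s\n ip ospf network point-to-point\n!\n' "$TUN"
    printf 'router ospf\n network %s area 0.0.0.0\n network %s area 0.0.0.0\n' \
        "$TUN_NET" "$LAN"
}

# "apply" executes the ip commands (needs root); otherwise print all pieces.
if [ "${1:-}" = apply ]; then xfrm_iface_cmds | sh; else swanctl_conf; echo; xfrm_iface_cmds; echo; ospfd_conf; fi
```

Once ipsec0 is up and the CHILD_SA is established, OSPF neighbours form over the /30 and the remote subnets land in table 254 like any other learned route.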

