Hi, I prefer to use XFRM interfaces on Linux. You get a dedicated interface for each site where you can use any static or dynamic (L3-based -- did you consider using eBGP between your sites?) routing setup. You can configure it like a VTI while not being a VTI ;-)
When using strongSwan you need to use swanctl instead of the classic ipsec.conf configuration. The XFRM interface is referenced from strongSwan by an XFRM interface ID (ip link: if_id | swanctl: if_id_in + if_id_out). And once you have a dedicated XFRM interface you can move it into a VRF or a netns ;-)

Regards,
Thomas

On Tue, 2024-11-19 at 21:35 -0800, Brian C. Hill via Bird-users wrote:
> Hello,
>
> I want to use bird to mutually propagate routes throughout several
> sites connected with vpn gateways, probably with ospf.
>
> e.g. site A net(s) <-> site A vpn gateway <-> vpn 'concentrator'
> <-> site B vpn gateway <-> hosts site B net(s), etc..
>
> I couldn't find many posts about the best strategy to use, and the
> ones I did find are many years old, but it seems to boil down to these
> options:
>
> • use a script to migrate xfrm route table (220) to a bird-readable
> table
>
> • use static routes inside bird
>
> • use vti instead of xfrm
>
> My questions:
>
> 1) Is it still the case that bird cannot read directly from the xfrm
> table? (I tried this with a pipe config but nothing gets imported)
>
> 2) What is the strategy that most of you are using now? (as opposed
> to many years ago)
>
> Thanks!
>
> Brian
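The per-site XFRM interface setup Thomas describes, as an added example that is not part of this thread or of strongSwan's own documentation: a small POSIX sh helper that prints the ip(8) commands to create an XFRM interface bound to a given if_id (optionally enslaved to a VRF) and renders the matching swanctl.conf connection with if_id_in/if_id_out. Site names, the 203.0.113.x addresses, the if_id value 42, the VRF name, the "ipsec-<site>" interface naming and the PSK identities are constructed placeholders; secrets are configured elsewhere and are not shown.

```shell
#!/bin/sh
# Added example (not from the thread): one route-based site tunnel on a
# dedicated XFRM interface. Site names, addresses, if_id values and VRF
# names below are placeholders to be replaced per deployment.

# An XFRM interface ID must be a non-zero unsigned 32-bit integer;
# if_id 0 means "no interface" to the kernel, so reject it up front.
check_if_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# Print the ip(8) commands that create interface ipsec-<site> bound to
# if_id $2 on underlay device $3 and, if $4 is given, enslave it to that
# VRF. Nothing is applied; pipe the output to sh as root to apply it.
xfrm_link_cmds() {
    site=$1; if_id=$2; dev=$3; vrf=${4:-}
    check_if_id "$if_id" || { echo "bad if_id: $if_id" >&2; return 1; }
    ifname="ipsec-$site"            # keep under IFNAMSIZ (15 chars)
    echo "ip link add $ifname type xfrm dev $dev if_id $if_id"
    if [ -n "$vrf" ]; then
        echo "ip link set $ifname master $vrf"
    fi
    echo "ip link set $ifname up"
}

# Render the swanctl.conf connection for the same site. The wildcard
# traffic selectors make this a route-based tunnel: which prefixes use
# it is decided by routes over ipsec-<site> (static, OSPF or eBGP in
# BIRD), not by the IPsec policy. The if_id_in/if_id_out values must
# match the if_id of the interface created above.
swanctl_conn() {
    site=$1; if_id=$2; local_ip=$3; remote_ip=$4
    check_if_id "$if_id" || return 1
    cat <<EOF
connections {
    $site {
        local_addrs  = $local_ip
        remote_addrs = $remote_ip
        local {
            auth = psk
            id = gw-local
        }
        remote {
            auth = psk
            id = gw-$site
        }
        children {
            $site {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in  = $if_id
                if_id_out = $if_id
                start_action = start
            }
        }
    }
}
EOF
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    xfrm_link_cmds siteA 42 eth0 vrf-siteA
    swanctl_conn siteA 42 203.0.113.1 203.0.113.2
fi
```

Usage: `xfrm_link_cmds siteA 42 eth0 vrf-siteA | sudo sh` creates and enslaves the interface, and `swanctl_conn siteA 42 203.0.113.1 203.0.113.2 > /etc/swanctl/conf.d/siteA.conf` followed by `swanctl --load-all` installs the connection. Because the traffic selectors are 0.0.0.0/0, charon would otherwise install a default route in its own table 220 (the table the original question mentions); for route-based setups like this one that is normally disabled with `charon.install_routes = no` in strongswan.conf, so that all forwarding decisions over ipsec-siteA come from the main table or the VRF table that BIRD populates.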