On 2018-09-12, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
>
>> sounds like a nexthop validation issue. What does `bgpctl show nexthop` give
>> you? Do you have a route to them?
>
> It gives this:
>
> Flags: * = nexthop valid
>
> Nexthop Route Prio Gateway Iface
> 10.250.250.250
>
>
> But surely I have a route if I can ping? (As part of my testing, I redefined
> the next-hops as RFC1918 to ensure that if ping worked it meant the IKED VPN
> worked).
>
> If I do `ipsecctl -sa` I can see the flows that IKED created. But are you
> saying these flows don't get recognised by BGPD?
>
>
IPsec on OpenBSD uses flows not routes. They won't be seen by things (like bgpd) that are looking for routes. The simplest way is probably to run gre or gif over the tunnel. (Overhead for gif+ipsec transport mode is exactly the same as ipsec tunnel mode because they are the same packet format, so you aren't losing a lot by doing this).
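As an added illustration of the workaround described above (this is example code written for this page, not configuration from the thread or from OpenBSD's own documentation): a script that stages a gif(4) tunnel over an iked transport-mode SA plus a bgpd neighbor on the far end of the tunnel, and a small check that reads `bgpctl show nexthop` output and lists nexthops that are not flagged valid. All addresses, AS numbers and the PSK are constructed placeholders; the iked.conf line follows iked.conf(5) as recalled here (`proto ipencap` for the IP-in-IP traffic gif generates) and should be checked against the man page, and the check assumes bgpctl prints the `*` flag in column one directly before the address, as in the quoted output.

```shell
#!/bin/sh
# Added example; not from the thread. Addresses, AS numbers and the PSK
# are constructed placeholders (RFC 5737 / RFC 1918 ranges): replace them.
set -eu

LOCAL_PUB=192.0.2.1        # this host's public address (IKE endpoint)
REMOTE_PUB=198.51.100.1    # peer's public address
LOCAL_TUN=10.250.250.1     # this end of gif0
REMOTE_TUN=10.250.250.2    # peer end of gif0, used as the BGP neighbor
LOCAL_AS=65001
PEER_AS=65002

# Write the three config files into a staging directory ($1) rather than
# /etc, so they can be reviewed before installation.
stage_configs() {
    dir=$1
    mkdir -p "$dir"

    # gif0 gives the kernel a real route to $REMOTE_TUN; bgpd can then
    # validate the nexthop against that route, which an IPsec flow alone
    # does not provide.
    cat > "$dir/hostname.gif0" <<EOF
tunnel $LOCAL_PUB $REMOTE_PUB
inet $LOCAL_TUN 255.255.255.255 $REMOTE_TUN
up
EOF

    # iked protects the gif traffic (IP-in-IP, protocol "ipencap" in
    # /etc/protocols) in transport mode between the two public addresses.
    # Assumed iked.conf(5) syntax; verify against the man page.
    cat > "$dir/iked.conf" <<EOF
ikev2 "gif0" active esp transport proto ipencap from $LOCAL_PUB to $REMOTE_PUB local $LOCAL_PUB peer $REMOTE_PUB psk "REPLACE-WITH-REAL-SECRET"
EOF

    # bgpd peers with the far end of gif0; the nexthops it learns then
    # resolve over the gif0 interface route.
    cat > "$dir/bgpd.conf" <<EOF
AS $LOCAL_AS
router-id $LOCAL_PUB

neighbor $REMOTE_TUN {
    remote-as $PEER_AS
    descr "peer over gif0"
}
EOF
}

# Read 'bgpctl show nexthop' output on stdin and print each nexthop that
# lacks the '*' valid flag. Assumption: bgpctl prints the flag (or a
# space) in column one directly before the address, as in the quoted output.
invalid_nexthops() {
    while IFS= read -r line; do
        case $line in
            ''|Flags:*|Nexthop*) continue ;;   # header lines
            \**)                 continue ;;   # flagged valid
        esac
        set -- $line                           # first field is the address
        printf '%s\n' "$1"
    done
}

# Constructed sample in the format of the quoted output: one nexthop that
# resolves over gif0 and one that is reachable only through an IPsec flow.
SAMPLE_NEXTHOP_OUTPUT='Flags: * = nexthop valid

Nexthop                  Route              Prio Gateway            Iface
*10.250.250.2            10.250.250.2/32       4 10.250.250.2       gif0
 10.250.250.250'

# Prints 10.250.250.250: the nexthop bgpd cannot validate.
printf '%s\n' "$SAMPLE_NEXTHOP_OUTPUT" | invalid_nexthops
```

Run `stage_configs /some/dir` to produce the three files for review, then compare them with what is already in /etc before installing; running `bgpctl show nexthop | invalid_nexthops` after the tunnel is up should print nothing once every neighbor's nexthop resolves over gif0.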