ipsec encryption only via given route
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Thu Jul 20 16:32:30 UTC 2017
Hey group,
Across a few data centers I have some routers running IPsec+BGP tunnels to
Azure.
The Microsoft side is nicely following the BGP sessions.
My routers are unfortunately not. Routes in the route table are updated just fine
from BIRD, but unfortunately they are overridden by the IPsec policy, which is
static. That means that all hosts in a given data center will route to Azure via
the tunnel on this data center's router whenever the IPsec tunnel is established,
disregarding BGP. That seems to work for now, but I already see problems with
failover, that is, the IPsec timeout is way longer than the BGP timeout, and I expect
more problems with balancing traffic.
Routers are running FreeBSD 11.0 with Bird as the routing daemon. The IPsec daemon of
choice is Strongswan.
Tunnels are IKEv2 with single static subnet on Azure side and one big subnet
on my side covering all datacenters and a few extra ones covering some other
locations that route through datacenters.
Can I somehow make IPsec encryption happen AFTER the routing decision and
ensure that it happens only when traffic leaves via a specified interface?
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'