Date: Thu, 20 Jul 2017 18:17:43 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: ipsec encryption only via given route
Message-ID: <3526072.muFbfPklCK@energia>
Hey group,

Across a few data centers I have some routers running IPsec+BGP tunnels to Azure. The Microsoft side is nicely following BGP sessions. My routers unfortunately are not. Routes in the route table are updated just fine from BIRD, but unfortunately they are overridden by the IPsec policy, which is static. That means that all hosts in a given data center will route to Azure via the tunnel on this data center's router whenever the IPsec tunnel is established, disregarding BGP.

That seems to work for now, but I already see problems with failover, that is, the IPsec timeout is way longer than the BGP timeout, and I expect more problems with balancing traffic.

Routers are running FreeBSD 11.0 with BIRD as the routing daemon. The IPsec daemon of choice is strongSwan. Tunnels are IKEv2 with a single static subnet on the Azure side and one big subnet on my side covering all data centers, plus a few extra ones covering some other locations that route through the data centers.

Can I somehow make IPsec encryption happen AFTER the routing decision and ensure that it happens only when traffic leaves via a specified interface?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
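The failure mode described in this message, as an added Python model that is not part of the thread and not FreeBSD, BIRD or strongSwan code: a longest-prefix route lookup and a static SPD lookup run independently, so when BGP moves the Azure prefix to another data centre the policy still matches on src/dst selectors and encrypts locally. The prefixes, the interface names (wan0 toward the IKE peer, dclink0 toward the other data centre) and the `route_aware` switch, which models the interface-scoped behaviour the poster is asking for, are all assumptions.

```python
import ipaddress

# Constructed routing tables (prefix, egress interface). Interface names are
# assumptions: wan0 faces the Azure IKE peer, dclink0 leads to another DC.
ROUTES_BGP_UP = [("10.200.0.0/16", "wan0"), ("0.0.0.0/0", "wan0")]
# After the local BGP session drops, BIRD installs the other DC's route,
# but the local IPsec SA is still up because its timeout is longer.
ROUTES_BGP_DOWN = [("10.200.0.0/16", "dclink0"), ("0.0.0.0/0", "wan0")]

# Constructed static SPD: one big local subnet <-> one static Azure subnet.
# A selector-only policy knows nothing about the route that was chosen.
SPD = [("10.0.0.0/8", "10.200.0.0/16", "ipsec")]


def route_lookup(dst, routes):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spd_lookup(src, dst, spd):
    """Static policy match on src/dst selectors only."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in spd:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "bypass"


def forward(src, dst, routes, spd=SPD, tunnel_iface="wan0", route_aware=False):
    """Return (egress, action) for one packet.

    route_aware=False: policy applies regardless of the route (the problem).
    route_aware=True: policy applies only when the packet leaves via the
    interface the tunnel is bound to (the behaviour the poster wants).
    """
    egress = route_lookup(dst, routes)
    action = spd_lookup(src, dst, spd)
    if route_aware and egress != tunnel_iface:
        action = "bypass"
    return egress, action


if __name__ == "__main__":
    for name, table in (("BGP up", ROUTES_BGP_UP), ("BGP down", ROUTES_BGP_DOWN)):
        print(name, forward("10.1.2.3", "10.200.5.5", table),
              forward("10.1.2.3", "10.200.5.5", table, route_aware=True))
```

With the BGP session down the static model still returns `("dclink0", "ipsec")`, i.e. the route says "send it to the other DC" while the policy says "encrypt here"; the route-aware model returns `bypass` on dclink0, which is the behaviour being asked for.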
