Date: Thu, 20 Jul 2017 18:17:43 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: ipsec encryption only via given route
Message-ID: <3526072.muFbfPklCK@energia>
Hey group,

Across a few data centers I have some routers running IPsec+BGP tunnels to Azure. Microsoft side is nicely following BGP sessions. My routers are unfortunately not. Routes in route table are updated just fine from BIRD but unfortunately they are overridden by IPsec policy which is static. That means that all hosts in given data center will route to Azure via tunnel on this data center's router whenever the IPsec tunnel is established, disregarding BGP. That seems to work for now, but I already see problems with failover, that is IPsec timeout is way longer than BGP timeout and I expect more problems with balancing traffic.

Routers are running FreeBSD 11.0 with Bird as routing daemon. IPsec daemon of choice is Strongswan.

Tunnels are IKEv2 with single static subnet on Azure side and one big subnet on my side covering all datacenters and a few extra ones covering some other locations that route through datacenters.

Can I somehow make IPsec encryption happen AFTER routing decision and ensure that it happens only when traffic leaves via specified interface?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'