Thanks Ruben, I'll give the script option a go.

Iain

On 11 November 2013 14:19, Ruben Laban <r.laban+li...@ism.nl> wrote:

> Hi,
>
> On 10-11-2013 16:35, Iain Buchanan wrote:
>
>> I’m in pretty much the same position. I’ve tried Ondrej Zajicek’s
>> suggestion of using transport mode IPSEC links, but this doesn’t seem to
>> create visible routes (I’m using the netkey stack, which may be the
>> issue). At the moment I’ve got GRE tunnels working on top of the IPSEC
>> links, and if I enable debugging mode I can see instances of Bird
>> communicating with one another over them (but not sending any of the
>> OpenSWAN link information).
>
> The idea here is to have IPsec protected GRE tunnels over which one can
> talk OSPF. There wouldn't be any IPsec routes to (re)distribute in that
> case (as there's only transport ones). If you have other IPsec "routes"
> (policies in fact) that you want to insert into OSPF, then you'll need one
> of two alternatives indeed:
>
> * Have a script parse the IPsec policies, or
> * Use the KLIPS stack instead of NETKEY, which gives you routes you can
>   insert into OSPF nicely (this is what I do).
>
> Regards,
> Ruben
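
The script option discussed in this thread, as an added example that is not part of the original messages or of either poster's setup: it parses NETKEY policy text in the shape printed by `ip xfrm policy`, keeps the remote prefixes of outbound tunnel-mode policies, skips the transport-mode policy that only protects GRE, and renders a BIRD static protocol. The sample policies, the protocol name `ipsec_policies` and the interface `eth0` are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip xfrm policy` output; not from the thread.
SAMPLE_XFRM = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 192.0.2.1/32 dst 198.51.100.1/32 proto gre
    dir out priority 1795 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")


def tunnel_destinations(xfrm_text):
    """Return the remote prefixes of outbound tunnel-mode policies."""
    found, dst, direction = set(), None, None
    for line in xfrm_text.splitlines():
        words = line.split()
        if not line[:1].isspace():  # an unindented line starts a new policy
            m = SELECTOR.match(line)
            dst, direction = (m.group(2) if m else None), None
        elif dst and words[:1] == ["dir"] and len(words) > 1:
            direction = words[1]
        elif dst and direction == "out" and words[-2:] == ["mode", "tunnel"]:
            # Transport-mode policies (the GRE protection) yield no route.
            found.add(ipaddress.ip_network(dst, strict=False))
    return sorted(found, key=lambda n: (n.version, n))


def render_bird_static(prefixes, iface="eth0"):
    """Render a BIRD static protocol; iface is a hypothetical egress interface."""
    routes = "".join(f'    route {p} via "{iface}";\n' for p in prefixes)
    return "protocol static ipsec_policies {\n" + routes + "}\n"


if __name__ == "__main__":
    print(render_bird_static(tunnel_destinations(SAMPLE_XFRM)), end="")
```

Only the `dir out` tunnel policy produces a route; the `fwd` policy and the per-socket policy are ignored so that local prefixes are not announced back into OSPF.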