On Fri, Nov 26, 2021 at 6:35 AM <pie...@towel42.nl> wrote:
> I design crypto products that, for reasons of security, use static
> routing to route IP traffic over their secure associations (SAs) to
> their destination. As such, they do not participate in any routing
> protocols, though they will pass unicast routing protocols between
> routers in the customer network. Our customers would like to know if
> they can use their routers to set up fail-over scenarios over the crypto
> products (and perhaps the ISPs they're connected to).

Tunnel mode IPSec is actually a tunnel protocol (IP-IP I think? I
don't remember) on top of transport mode IPSec where the tunnel is
sort of implicit and subject to the SA definitions. If you want to use
dynamic routing, your best bet is to separate the components: use a
tunnel protocol like GRE explicitly between transport mode IPSec
endpoints. This will expose GRE virtual interfaces on the two routers
which are clean for whichever dynamic routing protocol you feel like
using.

https://tools.ietf.org/search/rfc3884 talks about something similar.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
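
The split Bill describes (explicit GRE between transport-mode IPsec endpoints, dynamic routing on the GRE interfaces), as an added example that is not from this thread and not Quagga's own code: a POSIX shell script that renders, for either router, the ip(8) commands for the GRE interface, a strongSwan swanctl.conf with a transport-mode child SA whose traffic selector is only the GRE protocol between the two outer addresses, and a Quagga ospfd.conf that runs OSPF on gre1. All addresses, the peer name and the pre-shared key are constructed (RFC 5737 documentation prefixes); the swanctl.conf and ospfd syntax is assumed from the strongSwan and Quagga documentation and should be checked against the installed versions.

```shell
#!/bin/sh
# Added example, not from the original thread: one router's end of a
# GRE-over-transport-mode-IPsec link. The crypto products in between only
# need a static route for the two outer addresses; OSPF runs on gre1, which
# they never see. Addresses, names and the PSK are constructed for
# illustration; swanctl.conf/ospfd.conf syntax is an assumption to verify.

R1_OUTER=192.0.2.1        # outer address of R1 (what the crypto product routes)
R2_OUTER=198.51.100.1     # outer address of R2
R1_TUN=10.255.0.1         # /30 inside the GRE tunnel, invisible to the crypto box
R2_TUN=10.255.0.2
TUN_NET=10.255.0.0/30
TUN_MTU=1400              # GRE (24 B) + ESP transport overhead must fit a 1500 B outer path
PSK='constructed-example-psk-replace-me'

# gre_cmds LOCAL_OUTER REMOTE_OUTER LOCAL_TUN: ip(8) commands that create gre1.
gre_cmds() {
    printf 'ip tunnel add gre1 mode gre local %s remote %s ttl 64\n' "$1" "$2"
    printf 'ip link set gre1 mtu %s\n' "$TUN_MTU"
    printf 'ip addr add %s/30 dev gre1\n' "$3"
    printf 'ip link set gre1 up\n'
}

# swanctl_conf LOCAL_OUTER REMOTE_OUTER: transport-mode child SA whose selector
# is only protocol GRE between the two outer addresses, so the SA protects the
# tunnel (and the routing protocol riding inside it) and nothing else.
swanctl_conf() {
    cat <<EOF
connections {
    gre-peer {
        version = 2
        local_addrs = $1
        remote_addrs = $2
        proposals = aes256-sha256-x25519
        dpd_delay = 10s
        local {
            auth = psk
            id = $1
        }
        remote {
            auth = psk
            id = $2
        }
        children {
            gre {
                mode = transport
                local_ts = $1[gre]
                remote_ts = $2[gre]
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-peer {
        id-1 = $1
        id-2 = $2
        secret = "$PSK"
    }
}
EOF
}

# ospfd_conf TUN_NET COST: Quagga ospfd.conf running OSPF only on gre1, as a
# point-to-point link with aggressive timers so a dead path is noticed fast.
ospfd_conf() {
    cat <<EOF
hostname ospfd
!
interface gre1
 description GRE over transport-mode IPsec to peer
 ip ospf network point-to-point
 ip ospf cost $2
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 passive-interface default
 no passive-interface gre1
 network $1 area 0.0.0.0
!
EOF
}

# render r1|r2 [COST]: everything for one side of the link.
render() {
    case "$1" in
        r1) lo=$R1_OUTER; ro=$R2_OUTER; lt=$R1_TUN ;;
        r2) lo=$R2_OUTER; ro=$R1_OUTER; lt=$R2_TUN ;;
        *)  echo "usage: render r1|r2 [ospf-cost]" >&2; return 1 ;;
    esac
    echo "# --- $1: ip(8) commands ---";        gre_cmds "$lo" "$ro" "$lt"
    echo "# --- $1: /etc/swanctl/swanctl.conf ---"; swanctl_conf "$lo" "$ro"
    echo "# --- $1: /etc/quagga/ospfd.conf ---";   ospfd_conf "$TUN_NET" "${2:-10}"
}

render "${1:-r1}" "${2:-10}"
```

Run it with `r2` on the other router; the crypto products only need static routes for the two outer addresses, since everything else rides inside GRE. For the fail-over the customer asked about, bring up a second GRE tunnel over the other crypto box or ISP and give it a higher cost (the optional second argument); with 1 s hellos and a 3 s dead interval, OSPF moves traffic within a few seconds of a path dying. The `[gre]` selector matters: it keeps the SA from claiming all traffic between the routers, and it means the OSPF hellos are protected because they travel inside the GRE packets, not because OSPF itself is in the selector.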