[Xorp-users] PIM-SM routing over an IPSEC PF_KEY tunnel with no interface

Scott Mcdermott smcdermott@questra.com
Mon, 14 Mar 2005 02:27:28 -0800


To xorp-users@xorp.org on Sun 13/03 18:47 -0800:
> > However, even if somehow magically you can tell the XORP
> > implementation that the packets have arrived on the
> > IPSEC tunnel, [you still need an interface for
> > MRT_ADD_VIF/MRT_ADD_MFC]
> > 
> > I am not familiar with IPSEC configuration, but it
> > appears that there is no IP address associated with that
> > tunnel.  Hence, the kernel itself cannot use that tunnel
> > for multicast forwarding.
> 
> Well, ultimately the packets do go out an interface once
> they are ESP encapsulated [and I could use that one,
> relying on ipsec code to intercept before routing...but] I
> can't add an IPSEC policy for net 224/4 [...] So it seems
> that a GRE tunnel is the only solution. [...] We'll see
> how this works; I'll report back.

Works fine.  I set up a GRE tunnel on the IPSEC gateways,
with the local/remote IPs within the existing encryption
domain and a manufactured /30 for the tunnel, with Xorp set
up to add MFCs thereon.  It seems to have worked fine based
on xorpsh output, although we'll see how the conference
calling feature works tomorrow :)

It took me a while to get the RP stuff right (I was
using dense-mode on a Cisco before so RPs are new to me),
and I had to add static routes (fib2mrib did not seem to
populate the MRIB for some reason), and figure out that I
wanted a different Multicast default route than Unicast
default route.

But once I got that working, seems to be running with no
problems.

Now if I could figure out how to properly run this
xorp_rtrmgr thing out of my init scripts without doing

        nohup ... </dev/null &>/dev/null &

and get it to log TRACE/INFO to syslog, then I will be all
set :)

Thanks!
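The setup the post describes (a /30 on a GRE tunnel whose endpoints sit inside the existing IPsec encryption domain, static RP configuration, and a multicast default route that differs from the unicast one because fib2mrib was not populating the MRIB) can be expressed as a single XORP configuration fragment. The block below is an added illustration, not the poster's actual config or anything shipped by the XORP project: the interface name gre0, the 10.255.255.0/30 tunnel prefix, the 192.0.2.1 unicast next hop and the RP address are all made up for the example, and the stanza layout follows the XORP 1.x configuration grammar as the editor recalls it, so check it against the manual for the version you run.

```conf
/* Added example (not from the original post): XORP config for PIM-SM
   over a GRE tunnel that rides inside an IPsec tunnel.
   All addresses and the interface name are assumptions. */

interfaces {
    interface gre0 {
        description: "GRE over IPsec to remote site"
        disable: false
        vif gre0 {
            disable: false
            /* manufactured /30 for the tunnel; the GRE outer addresses
               must be covered by the IPsec policy, these inner ones need not be */
            address 10.255.255.1 {
                prefix-length: 30
            }
        }
    }
}

fea {
    unicast-forwarding4 {
        disable: false
    }
}

plumbing {
    mfea4 {
        disable: false
        interface gre0 {
            vif gre0 {
                disable: false
            }
        }
        interface register_vif {
            vif register_vif {
                disable: false
            }
        }
    }
}

protocols {
    static {
        /* unicast default route goes out the normal path ... */
        route 0.0.0.0/0 {
            next-hop: 192.0.2.1
            metric: 1
        }
        /* ... but the multicast RIB (RPF lookups) should point into the
           GRE tunnel, so the two default routes intentionally differ */
        mrib-route 0.0.0.0/0 {
            next-hop: 10.255.255.2
            metric: 1
        }
    }

    igmp {
        interface gre0 {
            vif gre0 {
                disable: false
            }
        }
    }

    pimsm4 {
        interface gre0 {
            vif gre0 {
                disable: false
            }
        }
        interface register_vif {
            vif register_vif {
                disable: false
            }
        }
        /* no BSR/auto-RP here: a static RP for the whole 224/4 range,
           configured identically on both ends of the tunnel */
        static-rps {
            rp 10.255.255.1 {
                group-prefix 224.0.0.0/4 {
                    rp-priority: 192
                    hash-mask-len: 30
                }
            }
        }
    }
}
```

Two things worth checking in xorpsh after loading this: that the RP shows up for the group range (`show pim rps`) and that the MRIB actually contains the tunnel-side default route (`show pim mrib`); if the RPF lookup for a source resolves to the physical uplink instead of gre0, PIM joins will be sent out the wrong vif and the tree never forms. Because the GRE traffic is only protected when the outer packets match an IPsec policy, confirm the local/remote tunnel endpoints fall inside the existing encryption domain before trusting the multicast path with anything sensitive.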