I’m not entirely sure that this is the correct place to ask my question, so if you are aware of a more appropriate forum, please let me know.


I am trying to figure out the best way to accommodate the use of BGP over an IPsec tunnel in order to negotiate routes to networks on both ends of the tunnel.


With a pseudo-interface (route-based IPsec), running BGP on the pseudo-interface would “just work”. Without an interface, I’m not sure how to get policies added dynamically as the routing tables are dynamically changed by BGP.


I thought I might be able to mark packets with iptables and then base SPD entries on the firewall marks. I’m unsure whether this is supported with iptables fw-marking, and it’s not clear to me how I would single out packets which were destined for the remote end of the IPsec connection.


Has anyone found a suitable solution that does not involve manually creating policies for all subnets on both sides of the tunnel?