<div dir="ltr">I could move forward from this issue by reinstalling strongswan and using the strongswan-swanctl service; apparently I was not using the patched version. I noticed that because the vici_query.c file I had in the source was different from the one in the patched repo.<div><br></div><div>Now I am seeing something quite strange.</div><div><br></div><div>I get both spoke and hub to establish IPsec sessions and SAs are being established. I do see the spoke sending a registration message to the hub, and I see the hub receiving it and sending back a reply, but the reply never gets to the spoke.</div><div><br></div><div>Also, the message counter in the SA statistics doesn't go up after a few messages.</div><div><br></div><div>The IP of the spoke gets installed in the hub's routing table, but I cannot ping it; if I try, it comes back with this error:</div><div><br></div><div><font color="#000000" style="background-color:rgb(255,255,0)">ping: sendmsg: invalid argument</font><br></div><div><br></div><div>I notice this happens as soon as the hub adds the route of the /32 host to its routing table; after that point communication is broken between hub and spoke, and neither the hub's reply message nor any other packet gets into the IPsec tunnel.</div><div><br></div><div>Any ideas about this?</div><div><br></div><div>Thanks,</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 9, 2018 at 11:37 PM, Felipe Arturo Polanco <span dir="ltr">&lt;<a href="mailto:felipeapolanco@gmail.com" target="_blank">felipeapolanco@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I'm having trouble getting DMVPN to work in FRR.</div><div><br></div><div>I followed this guide:<br><a href="https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd#Hub_Node" target="_blank">https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd#Hub_Node</a><br></div><div><br></div><div>I installed patched strongswan as per the instructions in the README file:</div><div><a href="https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd" target="_blank">https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd</a><br></div><div><br></div><div>But still I cannot figure out how to establish a connection between a hub and a spoke.</div><div><br></div><div>There is this error in the logs on both hub and spoke:</div>
<pre>May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any, initiate aborted
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing CHILD_SA 'dmvpn' failed'
May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete nonexisting IKE_SA
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing CHILD_SA 'dmvpn' failed</pre>
<div><br></div><div>Spoke:</div><div><br></div>
<pre>FRR01# sh dmvpn
Src             Dst             Flags  SAs  Identity
192.168.17.131  192.168.17.135  n      0</pre>
<pre>FRR01# sh ip nhrp
Iface  Type   Protocol      NBMA  Flags  Identity
gre1   local  10.255.255.2  -     -</pre>
<pre>interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37</pre>
<div><br></div><div>-------</div><div><br></div><div>Hub:</div><div><br></div>
<pre>FRR_RR01# sh dmvpn
Src  Dst  Flags  SAs  Identity
FRR_RR01# sh ip nhrp
Iface  Type   Protocol      NBMA  Flags  Identity
gre1   local  10.255.255.1  -     -</pre>
<pre>interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37</pre>
<div><br></div><div>---</div><div><br></div><div>/etc/swanctl/swanctl.conf</div><div><br></div>
<pre>[root@FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
connections {
    dmvpn {
        version = 2
        pull = no
        mobike = no
        dpd_delay = 15
        dpd_timeout = 30
        fragmentation = yes
        unique = replace
        rekey_time = 4h
        reauth_time = 13h
        proposals = aes256-sha512-ecp384
        local {
            auth = psk
            id = hub
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha512-ecp384
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                inactivity = 90m
                rekey_time = 100m
                mode = transport
                dpd_action = clear
                reqid = 1
            }
        }
    }
}</pre>
<div><br></div><div>---</div><div><br></div><div>Any idea what could be wrong?</div></div>
</blockquote></div><br></div>
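<div>The thread pairs an FRR gre interface that points at a vici profile with the swanctl.conf connection of the same name. Below is an added example (not FRR or strongSwan code, and not from the poster) that parses both fragments and checks that the profile named in <code>tunnel protection vici profile</code> exists and that its child SA uses the settings the thread's config shows: transport mode, GRE-only traffic selectors and an explicit reqid. Treating those three as requirements is my reading of the nhrpd README and is an assumption; the sample configs are abridged copies of the hub configuration from the message above.</div>

```python
"""Consistency check between an FRR nhrpd interface block and swanctl.conf.

Added example, not project code. Sample inputs are abridged from the hub
configuration posted in the thread. The checks assume (my reading of
README.nhrpd) that the vici child must be transport mode, limited to GRE
traffic selectors, and carry a fixed reqid.
"""
import re

# Abridged copy of the hub's /etc/swanctl/swanctl.conf from the thread.
SWANCTL_CONF = """\
connections {
    dmvpn {
        version = 2
        local {
            auth = psk
            id = hub
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                reqid = 1
            }
        }
    }
}
"""

# Abridged copy of the hub's "interface gre1" block from the thread.
FRR_INTERFACE = """\
interface gre1
 ip nhrp network-id 1
 tunnel protection vici profile dmvpn
 tunnel source ens37
"""


def parse_swanctl(text):
    """Parse strongSwan's brace-delimited config into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):  # "name {" opens a nested section
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def parse_frr_interface(text):
    """Return the interface name and the vici profile it references, if any."""
    iface = {"name": None, "vici_profile": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            iface["name"] = m.group(1)
        m = re.match(r"tunnel protection vici profile\s+(\S+)$", line)
        if m:
            iface["vici_profile"] = m.group(1)
    return iface


def check_vici_profile(frr_text, swanctl_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    iface = parse_frr_interface(frr_text)
    profile = iface["vici_profile"]
    if profile is None:
        return [f"{iface['name']}: no 'tunnel protection vici profile' line"]
    conn = parse_swanctl(swanctl_text).get("connections", {}).get(profile)
    if conn is None:
        return [f"vici profile '{profile}' has no matching connection in swanctl.conf"]
    findings = []
    children = conn.get("children", {})
    if not children:
        findings.append(f"connection '{profile}' defines no children")
    for cname, child in children.items():
        if child.get("mode") != "transport":
            findings.append(f"child '{cname}': mode should be transport, got {child.get('mode')!r}")
        for ts in ("local_ts", "remote_ts"):
            if "[gre]" not in child.get(ts, ""):
                findings.append(f"child '{cname}': {ts} should be limited to GRE, got {child.get(ts)!r}")
        if "reqid" not in child:
            findings.append(f"child '{cname}': no explicit reqid (thread's config pins reqid = 1)")
    return findings


if __name__ == "__main__":
    for finding in check_vici_profile(FRR_INTERFACE, SWANCTL_CONF) or ["ok"]:
        print(finding)
```

<div>Running it on the hub's own fragments reports nothing, so the checker does not explain the <code>sendmsg: invalid argument</code> symptom; its value is in catching a renamed profile, a child switched to tunnel mode, or a traffic selector widened beyond GRE before charon is asked to initiate.</div>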