<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:14.0pt">Hello all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">I tried to implement DMVPN with Quagga nhrpd & Strongswan. The nhrp doesn't work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">I have followed the NHRP & DMVPN document from:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">http://docs.frrouting.org/en/latest/nhrpd.html<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">I have used the patch from:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Following are some details:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">1. The NHRPD creates an ipsec connection that seems to be working well (ipsec statusall reports an established connection).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">2. The nhrp registration request is sent inside the secure channel. Is that correct behavior?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">3. On the spoke I get frequent messages of:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 2020/09/13 09:03:39 NHRP: Send Registration-Request(3) 20.20.20.12 -> 20.20.20.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 2020/09/13 09:03:41 NHRP: NHS: Register 20.20.20.12 -> 20.20.20.12 (timeout 4)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">4. I get the following show status on the spoke:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show ip nhrp nhs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Iface FQDN NBMA Protocol<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> gre1 30.30.30.11 30.30.30.11 (unspec)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show ip nhrp cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Iface Type Protocol NBMA Flags Identity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> gre1 local 20.20.20.12 - -<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show dmvpn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Src Dst Flags SAs Identity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 30.30.30.12 30.30.30.11 n 1 30.30.30.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">5. I get the following show status on the HUB:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show ip nhrp nhs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Iface FQDN NBMA Protocol<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> gre1 30.30.30.11 - (unspec)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show ip nhrp cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Iface Type Protocol NBMA Flags Identity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> gre1 local 20.20.20.11 - -<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> SF1v# show dmvpn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> Src Dst Flags SAs Identity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 30.30.30.11 30.30.30.12 1 30.30.30.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">6. HUB configuration:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== IPSEC CONFIGURATION =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " "> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "config setup ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "conn dmvpn">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " authby=secret ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " auto=add ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " keyexchange=ikev2 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " ike=aes256-aes256-sha256-modp2048 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " esp=aes256-aes256-sha256-modp2048 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " dpdaction=clear ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " dpddelay=300s ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " left=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " leftid=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " right=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " rightid=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " leftprotoport=gre ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " rightprotoport=gre ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " type=transport ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " keyingtries=%forever ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "# ipsec.secrets - strongSwan IPsec secrets file" > /etc/ipsec.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "%any : PSK \"rami\"" >> /etc/ipsec.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ipsec rereadall <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ipsec start<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== clean config =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">rm /opt/smartswitch/etc/quagga/nhrpd0.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== interface config =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link add name eth4.20 link eth4 type vlan id 20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip address add 30.30.30.11/255.255.255.0 dev eth4.20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link set dev eth4.20 up<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip tunnel add gre1 mode gre key 42 dev eth4.20 ttl 64
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip addr add 20.20.20.11/32 dev gre1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link set gre1 up<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">iptables -A FORWARD -i gre1 -o gre1 -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 --hashlimit-name loglimit-0 -j NFLOG
--nflog-group 1 <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">touch /opt/smartswitch/etc/quagga/nhrpd0.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">nhrpd -f /opt/smartswitch/etc/quagga/nhrpd0.conf -i /var/run/nhrpd0.pid -P 3000 start &<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"># Quagga nhrp config on HUB<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">vtysh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">configure terminal<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">log syslog<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">debug nhrp common<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">nhrp nflog-group 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">interface gre1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">description DMVPN Tunnel Interface<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip address 20.20.20.11/32<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp network-id 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp redirect<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp registration no-unique<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp shortcut <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"># no link-detect<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">tunnel protection vici profile dmvpn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">tunnel source eth4.20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">router bgp 65000<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> bgp router-id 20.20.20.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> no bgp ebgp-requires-policy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor SPOKES peer-group<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor SPOKES disable-connected-check<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor 20.20.20.12 remote-as 65001<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor 20.20.20.12 peer-group SPOKES<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> address-family ipv4 unicast<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> network 11.11.11.11/24<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> redistribute nhrp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> exit-address-family<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> end<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">exit<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">7. SPOKE configuration:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== IPSEC CONFIGURATION =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " "> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "config setup ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "conn dmvpn">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " authby=secret ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " auto=add ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " keyexchange=ikev2 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " ike=aes256-aes256-sha256-modp2048 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " esp=aes256-aes256-sha256-modp2048 ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " dpdaction=clear ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " dpddelay=300s ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " left=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " leftid=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " right=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " rightid=%any ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " leftprotoport=gre ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " rightprotoport=gre ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " type=transport ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo " keyingtries=%forever ">> /etc/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "# ipsec.secrets - strongSwan IPsec secrets file" > /etc/ipsec.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">echo "%any : PSK \"rami\"" >> /etc/ipsec.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ipsec rereadall <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ipsec start<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== clean config =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">rm /opt/smartswitch/etc/quagga/nhrpd0.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">#=============== interface config =================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link add name eth4.20 link eth4 type vlan id 20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip address add 30.30.30.12/255.255.255.0 dev eth4.20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link set dev eth4.20 up<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip tunnel add gre1 mode gre key 42 dev eth4.20 ttl 64
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip addr add 20.20.20.12/32 dev gre1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip link set gre1 up<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">touch /opt/smartswitch/etc/quagga/nhrpd0.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">nhrpd -f /opt/smartswitch/etc/quagga/nhrpd0.conf -i /var/run/nhrpd0.pid -P 3000 start &<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"># quagga nhrp config on spoke
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">vtysh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">configure terminal<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">log syslog<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">debug nhrp common<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">nhrp nflog-group 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">interface gre1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">description DMVPN Tunnel Interface<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> #config of HUB GRE IP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip address 20.20.20.12/32<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp network-id 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp nhs dynamic nbma 30.30.30.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp redirect<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp registration no-unique<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">ip nhrp shortcut <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> no link-detect<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">tunnel protection vici profile dmvpn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">tunnel source eth4.20<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">router bgp 65001<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> bgp router-id 20.20.20.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> no bgp ebgp-requires-policy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor 20.20.20.11 remote-as 65000<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> neighbor 20.20.20.11 disable-connected-check<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> address-family ipv4 unicast<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> network 12.12.12.12/24<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> exit-address-family<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">end<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">exit<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">8. Ipsec status on HUB<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"># ipsec statusall<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Status of IKE charon daemon (strongSwan 5.8.4, Linux 4.19.125, armv7l):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> uptime: 33 minutes, since Sep 13 09:28:12 2020<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> malloc: sbrk 778240, mmap 0, used 355704, free 422536<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl
attr kernel-netlink resolve socket-default stroke vici updown xauth-generic led counters<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Listening IP addresses:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 10.10.10.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 11.11.11.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 30.30.30.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 20.20.20.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Connections:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: %any...%any IKEv2, dpddelay=300s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: local: uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: remote: uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Security Associations (1 up, 0 connecting):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: ESTABLISHED 32 minutes ago, 30.30.30.11[30.30.30.11]...30.30.30.12[30.30.30.12]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: IKEv2 SPIs: 942411e640760acf_i c5c66aa6073921f8_r*, pre-shared key reauthentication in 2 hours<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c33ae7b3_i cd79d565_o<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: AES_CBC_256/HMAC_SHA2_256_128, 9600 bytes_i, 0 bytes_o, rekeying in 13 minutes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: 30.30.30.11/32[gre] === 30.30.30.12/32[gre]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">8. Ipsec status on spoke:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">/ # ipsec statusall<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Status of IKE charon daemon (strongSwan 5.8.4, Linux 4.19.125, armv7l):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> uptime: 32 minutes, since Sep 13 09:28:20 2020<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> malloc: sbrk 778240, mmap 0, used 357808, free 420432<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl
attr kernel-netlink resolve socket-default stroke vici updown xauth-generic led counters<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Listening IP addresses:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 10.10.10.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 12.12.12.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 30.30.30.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> 20.20.20.12<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Connections:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: %any...%any IKEv2, dpddelay=300s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: local: uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: remote: uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Security Associations (1 up, 0 connecting):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: ESTABLISHED 31 minutes ago, 30.30.30.12[30.30.30.12]...30.30.30.11[30.30.30.11]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: IKEv2 SPIs: 942411e640760acf_i* c5c66aa6073921f8_r, pre-shared key reauthentication in 2 hours<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cd79d565_i c33ae7b3_o<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 9100 bytes_o (91 pkts, 64s ago), rekeying in 12 minutes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> dmvpn{1}: 30.30.30.12/32[gre] === 30.30.30.11/32[gre]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">=================================================
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Any help would be much appreciated.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Rami<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> <o:p></o:p></span></p>
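<p class="MsoNormal"><span style="font-size:14.0pt">Added example, not part of the original message: a Python check that reads the child-SA byte counters from the two ipsec statusall outputs and the spoke's NHRP log lines quoted above, and reports when ESP traffic flows in one direction only while registrations time out. The function names are hypothetical; the embedded samples are copied from the message.<o:p></o:p></span></p>

```python
import re

# Samples copied from the message above: the child-SA lines of both
# `ipsec statusall` outputs and the spoke's NHRP debug log lines.
HUB_STATUS = """\
dmvpn{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c33ae7b3_i cd79d565_o
dmvpn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 9600 bytes_i, 0 bytes_o, rekeying in 13 minutes
dmvpn{1}:   30.30.30.11/32[gre] === 30.30.30.12/32[gre]
"""
SPOKE_STATUS = """\
dmvpn{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cd79d565_i c33ae7b3_o
dmvpn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 9100 bytes_o (91 pkts, 64s ago), rekeying in 12 minutes
dmvpn{1}:   30.30.30.12/32[gre] === 30.30.30.11/32[gre]
"""
SPOKE_LOG = """\
2020/09/13 09:03:39 NHRP: Send Registration-Request(3) 20.20.20.12 -> 20.20.20.12
2020/09/13 09:03:41 NHRP: NHS: Register 20.20.20.12 -> 20.20.20.12 (timeout 4)
"""

CHILD_SA = re.compile(r"^\s*(\S+\{\d+\}):\s+(.*)$")  # child SAs use {n}, IKE SAs use [n]
BYTES_IN = re.compile(r"(\d+) bytes_i")
BYTES_OUT = re.compile(r"(\d+) bytes_o")
SELECTOR = re.compile(r"(\S+) === (\S+)")
REG_TIMEOUT = re.compile(r"NHRP: NHS: Register \S+ -> \S+ \(timeout \d+\)")


def parse_child_sas(statusall):
    """Return {sa_name: {"bytes_in", "bytes_out", "local", "remote"}}."""
    sas = {}
    for line in statusall.splitlines():
        m = CHILD_SA.match(line)
        if not m:
            continue
        name, rest = m.groups()
        sa = sas.setdefault(name, dict.fromkeys(("bytes_in", "bytes_out", "local", "remote")))
        b_in, b_out, sel = BYTES_IN.search(rest), BYTES_OUT.search(rest), SELECTOR.search(rest)
        if b_in:
            sa["bytes_in"] = int(b_in.group(1))
        if b_out:
            sa["bytes_out"] = int(b_out.group(1))
        if sel:
            sa["local"], sa["remote"] = sel.groups()
    return sas


def direction(sa):
    """Classify a child SA by its byte counters."""
    b_in, b_out = sa["bytes_in"], sa["bytes_out"]
    if b_in is None or b_out is None:
        return "unknown"  # no counter line was seen for this SA
    if b_in > 0 and b_out > 0:
        return "bidirectional"
    if b_in > 0:
        return "inbound-only"
    if b_out > 0:
        return "outbound-only"
    return "idle"


def count_registration_timeouts(log):
    """Count nhrpd 'NHS: Register ... (timeout N)' lines in a debug log."""
    return sum(1 for line in log.splitlines() if REG_TIMEOUT.search(line))


def diagnose(hub_status, spoke_status, spoke_log):
    """Correlate both peers' SA counters with the spoke's NHRP timeouts."""
    findings = []
    hub_sas = parse_child_sas(hub_status)
    for name, spoke_sa in parse_child_sas(spoke_status).items():
        # The hub's view of the same SA has the traffic selectors mirrored.
        peer = next((sa for sa in hub_sas.values()
                     if sa["local"] is not None
                     and sa["local"] == spoke_sa["remote"]
                     and sa["remote"] == spoke_sa["local"]), None)
        if peer is None:
            findings.append(f"{name}: no matching child SA on the hub")
        elif direction(spoke_sa) == "outbound-only" and direction(peer) == "inbound-only":
            findings.append(f"{name}: ESP flows spoke to hub only ({spoke_sa['bytes_out']} bytes out, "
                            f"hub received {peer['bytes_in']}); the hub sent nothing back over the SA")
    timeouts = count_registration_timeouts(spoke_log)
    if timeouts > 0:
        findings.append(f"{timeouts} NHRP registration timeout(s) logged on the spoke")
    return findings


if __name__ == "__main__":
    for finding in diagnose(HUB_STATUS, SPOKE_STATUS, SPOKE_LOG):
        print(finding)
```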
</div>
</body>
</html>