In the end I solved the "ping: sendmsg: invalid argument" error by running this command manually:
ip neigh add 10.255.255.3 lladdr 192.168.17.135 dev gre1

Where 10.255.255.3 is the inside mGRE IP and 192.168.17.135 the NBMA address.

Does anybody know why nhrpd is not adding a layer 2 entry for next hop? From the logs I see it adds a /32 route to the next hop but not a layer 2 entry.

I'm using iproute-3.10.0-87.el7.x86_64 and kernel 3.10.0-693.el7.x86_64
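The condition described above (a /32 host route on the mGRE interface with no matching neighbour entry carrying the peer's NBMA address as lladdr) can be checked from the output of iproute2 before resorting to a manual `ip neigh add`. The script below is an added example and is not part of this thread or of FRR/nhrpd; it assumes the one-entry-per-line form of `ip -4 -o route show` and `ip -4 -o neigh show`, uses the interface name gre1 from the thread, and the sample outputs embedded in it are constructed from the thread's addresses rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): report /32 host routes on an mGRE
# interface that have no neighbour entry with an lladdr (the NBMA address).
# Such a route without a neighbour entry is the state the manual
#   ip neigh add <inside-ip> lladdr <NBMA> dev gre1
# workaround repairs.
#
# Input format is the one-line-per-entry output of
#   ip -4 -o route show      and      ip -4 -o neigh show
# The two samples below are constructed, using the thread's addressing
# (10.255.255.x inside the mGRE cloud, 192.168.17.x as NBMA addresses).

ROUTES_SAMPLE='10.255.255.3 dev gre1 proto nhrp scope link
10.255.255.0/24 dev gre1 proto kernel scope link src 10.255.255.1
192.168.17.0/24 dev ens37 proto kernel scope link src 192.168.17.135'

NEIGH_SAMPLE='10.255.255.2 dev gre1 lladdr 192.168.17.131 PERMANENT
192.168.17.1 dev ens37 lladdr 00:11:22:33:44:55 REACHABLE'

# missing_neigh DEV ROUTES NEIGH
# Prints, one per line, every host route (no prefix length, i.e. a /32)
# on DEV whose destination has no "lladdr" neighbour entry on DEV.
# Entries in FAILED/INCOMPLETE state carry no lladdr and are reported too.
missing_neigh() {
    dev=$1; routes=$2; neigh=$3
    printf '%s\n' "$routes" |
        awk -v d="$dev" 'index($1, "/") == 0 && $2 == "dev" && $3 == d { print $1 }' |
        while read -r dst; do
            printf '%s\n' "$neigh" |
                awk -v d="$dev" -v h="$dst" \
                    '$1 == h && $3 == d && $4 == "lladdr" { found = 1 }
                     END { exit !found }' ||
                echo "$dst"
        done
}

# Live use on a host running nhrpd (reading the tables needs no privileges):
#   missing_neigh gre1 "$(ip -4 -o route show)" "$(ip -4 -o neigh show)"
# With the constructed samples this prints 10.255.255.3, the spoke whose
# /32 route exists but whose NBMA mapping is absent.
missing_neigh gre1 "$ROUTES_SAMPLE" "$NEIGH_SAMPLE"
```

Running the check right after nhrpd installs a spoke's /32 route, and again after the registration reply is expected, shows whether the neighbour entry ever appears; if the route is present but the destination keeps being reported, the kernel has no NBMA address to encapsulate to and the `ip neigh add` workaround above is what supplies it.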

On Fri, May 11, 2018 at 8:45 AM, Felipe Arturo Polanco <felipeapolanco@gmail.com> wrote:
I could move forward from this issue by reinstalling strongswan and using the strongswan-swanctl service. Apparently I was not using the patched version; I noticed that because the vici_query.c file I had in the source was different from the one in the patched repo.

Now I am seeing something quite strange.

I get both spoke and hub to establish IPsec sessions and SAs are being established. I do see the spoke sending a registration message to the hub, and I see the hub receiving it and sending back a reply, but the reply never gets to the spoke.

Also the message counter in the SA statistics doesn't go up after a few messages.

The IP of the spoke gets installed in the hub routing table, but I cannot ping it; if I try, I get this error:

ping: sendmsg: invalid argument

I notice this happens as soon as the hub adds the route of the /32 host to its routing table. After that point, communication between hub and spoke is broken, and neither the hub's reply message nor any other packet ever gets into the IPsec tunnel.

Any ideas about this?

Thanks,

On Wed, May 9, 2018 at 11:37 PM, Felipe Arturo Polanco <felipeapolanco@gmail.com> wrote:
Hi,

I'm having trouble getting DMVPN to work in FRR.


I installed patched strongswan as per the instruction in the README file:

But still I cannot figure out how to establish a connection between a hub and a spoke.

There is this error in the logs on both hub and spoke:
May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any, initiate aborted
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing CHILD_SA 'dmvpn' failed'
May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete nonexisting IKE_SA
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing CHILD_SA 'dmvpn' failed

Spoke:

FRR01# sh dmvpn
Src                      Dst                      Flags  SAs  Identity
192.168.17.131           192.168.17.135           n      0

FRR01# sh ip nhrp
Iface    Type     Protocol                 NBMA                     Flags  Identity
gre1     local    10.255.255.2             -                               -

interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37


-------

Hub:

FRR_RR01# sh dmvpn
Src                      Dst                      Flags  SAs  Identity
FRR_RR01# sh ip nhrp
Iface    Type     Protocol                 NBMA                     Flags  Identity
gre1     local    10.255.255.1             -                               -

interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37

---

/etc/swanctl/swanctl.conf

[root@FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
connections {
        dmvpn {
                version = 2
                pull = no
                mobike = no
                dpd_delay = 15
                dpd_timeout = 30
                fragmentation = yes
                unique = replace
                rekey_time = 4h
                reauth_time = 13h
                proposals = aes256-sha512-ecp384
                local {
                        auth = psk
                        id = hub
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha512-ecp384
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                inactivity = 90m
                                rekey_time = 100m
                                mode = transport
                                dpd_action = clear
                                reqid = 1
                        }
                }
        }
}


---


Any idea what could be wrong?