[FROG] DMVPN NHRP assistance
Felipe Arturo Polanco
felipeapolanco at gmail.com
Wed May 9 23:37:09 EDT 2018
Hi,
I'm having trouble getting DMVPN to work in FRR.
I followed this guide:
https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd#Hub_Node
I installed patched strongswan as per the instructions in the README file:
https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd
But still I cannot figure out how to establish a connection between a hub
and a spoke.
There is this error in the logs on both hub and spoke:
May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any, initiate aborted
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing CHILD_SA 'dmvpn' failed'
May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete nonexisting IKE_SA
May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing CHILD_SA 'dmvpn' failed
Spoke:
FRR01# sh dmvpn
Src Dst Flags SAs Identity
192.168.17.131 192.168.17.135 n 0
FRR01# sh ip nhrp
Iface Type Protocol NBMA Flags Identity
gre1 local 10.255.255.2 - -
interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37
-------
Hub:
FRR_RR01# sh dmvpn
Src Dst Flags SAs Identity
FRR_RR01# sh ip nhrp
Iface Type Protocol NBMA Flags Identity
gre1 local 10.255.255.1 - -
interface gre1
 ip nhrp holdtime 3600
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.17.135
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source ens37
---
/etc/swanctl/swanctl.conf
[root@FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
connections {
    dmvpn {
        version = 2
        pull = no
        mobike = no
        dpd_delay = 15
        dpd_timeout = 30
        fragmentation = yes
        unique = replace
        rekey_time = 4h
        reauth_time = 13h
        proposals = aes256-sha512-ecp384
        local {
            auth = psk
            id = hub
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha512-ecp384
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                inactivity = 90m
                rekey_time = 100m
                mode = transport
                dpd_action = clear
                reqid = 1
            }
        }
    }
}
---
Any idea what could be wrong?