[FROG] DMVPN NHRP assistance

Felipe Arturo Polanco felipeapolanco at gmail.com
Fri May 11 08:45:12 EDT 2018


I could move forward from this issue by reinstalling strongSwan and using the
strongswan-swanctl service; apparently I was not using the patched version.
I noticed that because the vici_query.c file I had in the source was
different from the one in the patched repo.

Now I am seeing something quite strange.

I get both spoke and hub to establish an IPsec session, and SAs are being
established. I do see the spoke sending a registration message to the hub, and
I see the hub receiving it and sending back a reply, but the reply never gets
to the spoke.

Also the message counter in the SA statistics doesn't go up after a few
messages.

The IP of the spoke gets installed in the hub routing table, but I cannot
ping it; if I try, it fails with this error:

ping: sendmsg: invalid argument

I notice this happens as soon as the hub adds the route of the /32 host to
its routing table; after that point communication is broken between hub and
spoke, and the hub's reply message never gets into the IPsec tunnel, nor does
any other packet.

Any ideas about this?

Thanks,

On Wed, May 9, 2018 at 11:37 PM, Felipe Arturo Polanco <
felipeapolanco at gmail.com> wrote:

> Hi,
>
> I'm having trouble getting DMVPN to work in FRR.
>
> I followed this guide:
> https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd#Hub_Node
>
> I installed patched strongswan as per the instruction in the README file:
> https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd
>
> But still I cannot figure out how to establish a connection between a hub
> and a spoke.
>
> There is this error in the logs on both hub and spoke:
> May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
> May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any,
> initiate aborted
> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing
> CHILD_SA 'dmvpn' failed'
> May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete
> nonexisting IKE_SA
> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing
> CHILD_SA 'dmvpn' failed
>
> Spoke:
>
> FRR01# sh dmvpn
> Src                      Dst                      Flags  SAs  Identity
> 192.168.17.131           192.168.17.135           n      0
>
> FRR01# sh ip nhrp
> Iface    Type     Protocol                 NBMA                     Flags  Identity
> gre1     local    10.255.255.2             -                        -
>
> interface gre1
>  ip nhrp holdtime 3600
>  ip nhrp network-id 1
>  ip nhrp nhs dynamic nbma 192.168.17.135
>  ip nhrp registration no-unique
>  ip nhrp shortcut
>  no link-detect
>  tunnel protection vici profile dmvpn
>  tunnel source ens37
>
>
> -------
>
> Hub:
>
> FRR_RR01# sh dmvpn
> Src                      Dst                      Flags  SAs  Identity
> FRR_RR01# sh ip nhrp
> Iface    Type     Protocol                 NBMA                     Flags  Identity
> gre1     local    10.255.255.1             -                        -
>
> interface gre1
>  ip nhrp holdtime 3600
>  ip nhrp network-id 1
>  ip nhrp nhs dynamic nbma 192.168.17.135
>  ip nhrp redirect
>  ip nhrp registration no-unique
>  ip nhrp shortcut
>  no link-detect
>  tunnel protection vici profile dmvpn
>  tunnel source ens37
>
> ---
>
> /etc/swanctl/swanctl.conf
>
> [root at FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
> connections {
>         dmvpn {
>                 version = 2
>                 pull = no
>                 mobike = no
>                 dpd_delay = 15
>                 dpd_timeout = 30
>                 fragmentation = yes
>                 unique = replace
>                 rekey_time = 4h
>                 reauth_time = 13h
>                 proposals = aes256-sha512-ecp384
>                 local {
>                         auth = psk
>                         id = hub
>                 }
>                 remote {
>                         auth = psk
>                 }
>                 children {
>                         dmvpn {
>                                 esp_proposals = aes256-sha512-ecp384
>                                 local_ts = dynamic[gre]
>                                 remote_ts = dynamic[gre]
>                                 inactivity = 90m
>                                 rekey_time = 100m
>                                 mode = transport
>                                 dpd_action = clear
>                                 reqid = 1
>                         }
>                 }
>         }
> }
>
>
> ---
>
>
> Any idea what could be wrong?
>
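The swanctl.conf quoted above uses strongSwan's nested brace syntax. As an added example (not code from this thread, FRR or strongSwan), the following parses that format and checks the child SA for the settings nhrpd's GRE-over-IPsec setup relies on; the assumption here is that the child must be transport mode with dynamic[gre] traffic selectors on both sides, and the sample text is constructed from the hub configuration in the thread.

```python
import re

# Constructed sample based on the hub's swanctl.conf quoted in the thread.
SAMPLE = """
connections {
    dmvpn {
        children {
            dmvpn {
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                reqid = 1
            }
        }
    }
}
"""

def parse(text):
    """Parse 'name { ... }' sections and 'key = value' lines into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if m:                                  # open a nested section
            stack.append(cur)
            cur = cur.setdefault(m.group(1), {})
        elif line == "}":                      # close the current section
            if not stack:
                raise ValueError("unexpected '}'")
            cur = stack.pop()
        else:                                  # key = value
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    if stack:
        raise ValueError("unclosed section")
    return root

def check_dmvpn_child(conf, conn="dmvpn", child="dmvpn"):
    """Return findings for settings assumed required by nhrpd (transport mode,
    dynamic[gre] selectors); an empty list means the child SA looks right."""
    c = conf["connections"][conn]["children"][child]
    findings = []
    if c.get("mode") != "transport":
        findings.append("mode must be transport")
    for side in ("local_ts", "remote_ts"):
        if c.get(side) != "dynamic[gre]":
            findings.append(f"{side} should be dynamic[gre]")
    return findings
```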