[FROG] DMVPN NHRP assistance
Felipe Arturo Polanco
felipeapolanco at gmail.com
Fri May 18 15:29:46 EDT 2018
At the end I solved the "ping: sendmsg: invalid argument" error by running
this command manually:
ip neigh add 10.255.255.3 lladdr 192.168.17.135 dev gre1
Where 10.255.255.3 is the inside mGRE IP and 192.168.17.135 the NBMA
address.
Does anybody know why nhrpd is not adding a layer 2 entry for next hop?
From the logs I see it adds a /32 route to the next hop but not a layer 2
entry.
I'm using iproute-3.10.0-87.el7.x86_64 and kernel 3.10.0-693.el7.x86_64
On Fri, May 11, 2018 at 8:45 AM, Felipe Arturo Polanco <felipeapolanco at gmail.com> wrote:
> I could move forward from this issue by reinstalling strongswan and using
> strongswan-swanctl service, apparently I was not using the patched version,
> I noticed that because the vici_query.c file I had in the source was
> different than the one in the patched repo.
>
> Now I am seeing something quite strange.
>
> I get both spoke and hub to establish an IPSec sessions and SA are being
> established, I do see the Spoke sending registration message to the hub, I
> see the Hub receiving it and sending back a reply but the reply never gets
> to the spoke.
>
> Also the message counter in the SA statistics doesn't go up after a few
> messages.
>
> The IP of the spoke gets installed in the hub routing table but I cannot
> ping it, if I try it, it comes with this error:
>
> ping: sendmsg: invalid argument
>
> I notice this happens as soon as the hub adds the route of the /32 host in
> its routing table, after that point communication is broken between hub and
> spoke and the hub's reply message never gets into the IPsec tunnel nor any
> other packet.
>
> Any ideas about this?
>
> Thanks,
>
> On Wed, May 9, 2018 at 11:37 PM, Felipe Arturo Polanco <felipeapolanco at gmail.com> wrote:
>
>> Hi,
>>
>> I'm having trouble getting DMVPN to work in FRR.
>>
>> I followed this guide:
>> https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd#Hub_Node
>>
>> I installed patched strongswan as per the instruction in the README file:
>> https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd
>>
>> But still I cannot figure out how to establish a connection between a hub
>> and a spoke.
>>
>> There is this error in the logs on both hub and spoke:
>> May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
>> May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any,
>> initiate aborted
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing
>> CHILD_SA 'dmvpn' failed'
>> May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete
>> nonexisting IKE_SA
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing
>> CHILD_SA 'dmvpn' failed
>>
>> Spoke:
>>
>> FRR01# sh dmvpn
>> Src             Dst             Flags  SAs  Identity
>> 192.168.17.131  192.168.17.135  n      0
>>
>> FRR01# sh ip nhrp
>> Iface  Type   Protocol      NBMA  Flags  Identity
>> gre1   local  10.255.255.2  -     -
>>
>> interface gre1
>> ip nhrp holdtime 3600
>> ip nhrp network-id 1
>> ip nhrp nhs dynamic nbma 192.168.17.135
>> ip nhrp registration no-unique
>> ip nhrp shortcut
>> no link-detect
>> tunnel protection vici profile dmvpn
>> tunnel source ens37
>>
>>
>> -------
>>
>> Hub:
>>
>> FRR_RR01# sh dmvpn
>> Src  Dst  Flags  SAs  Identity
>>
>> FRR_RR01# sh ip nhrp
>> Iface  Type   Protocol      NBMA  Flags  Identity
>> gre1   local  10.255.255.1  -     -
>>
>> interface gre1
>> ip nhrp holdtime 3600
>> ip nhrp network-id 1
>> ip nhrp nhs dynamic nbma 192.168.17.135
>> ip nhrp redirect
>> ip nhrp registration no-unique
>> ip nhrp shortcut
>> no link-detect
>> tunnel protection vici profile dmvpn
>> tunnel source ens37
>>
>> ---
>>
>> /etc/swanctl/swanctl.conf
>>
>> [root at FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
>> connections {
>>     dmvpn {
>>         version = 2
>>         pull = no
>>         mobike = no
>>         dpd_delay = 15
>>         dpd_timeout = 30
>>         fragmentation = yes
>>         unique = replace
>>         rekey_time = 4h
>>         reauth_time = 13h
>>         proposals = aes256-sha512-ecp384
>>         local {
>>             auth = psk
>>             id = hub
>>         }
>>         remote {
>>             auth = psk
>>         }
>>         children {
>>             dmvpn {
>>                 esp_proposals = aes256-sha512-ecp384
>>                 local_ts = dynamic[gre]
>>                 remote_ts = dynamic[gre]
>>                 inactivity = 90m
>>                 rekey_time = 100m
>>                 mode = transport
>>                 dpd_action = clear
>>                 reqid = 1
>>             }
>>         }
>>     }
>> }
>>
>>
>> ---
>>
>>
>> Any idea what could be wrong?
>>
>
>
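The symptom described in this thread (a /32 route to the spoke is installed on the mGRE interface, but no neighbor entry maps the tunnel address to its NBMA address, so the kernel answers "sendmsg: invalid argument") can be checked for mechanically. The script below is an added example, not code from the thread or from FRR; it parses the text of `ip -4 route show dev IF` and `ip -4 neigh show dev IF` and lists host routes that have no neighbor entry with an `lladdr`. The sample route and neighbor lines are constructed to mirror the hub in the thread, and the interface name `gre1` is taken from the posted configuration.

```shell
#!/bin/sh
# Added example, not from the thread: find mGRE next hops for which a host
# (/32) route exists on the tunnel interface but no neighbor entry maps the
# protocol address to an NBMA address. That combination is what produces
# "ping: sendmsg: invalid argument" on an mGRE interface; the manual fix in
# the thread is the matching "ip neigh add ADDR lladdr NBMA dev gre1".
# Inputs are the text of "ip -4 route show dev IF" and "ip -4 neigh show dev IF"
# so the check can also run on output captured from another host.

# has_neigh ADDR NEIGH_TEXT: true if ADDR has an entry carrying an lladdr.
# A FAILED entry prints no "lladdr" field, so it counts as missing.
has_neigh() {
    printf '%s\n' "$2" | awk -v a="$1" '$1 == a && $2 == "lladdr" { f = 1 } END { exit !f }'
}

# missing_nhrp_neighbors ROUTE_TEXT NEIGH_TEXT: print the targets of host
# routes (iproute2 prints them without "/32"; an explicit /32 is accepted
# too) that lack a neighbor entry, one address per line.
missing_nhrp_neighbors() {
    printf '%s\n' "$1" | while read -r dst rest; do
        case $dst in
            '') continue ;;
            */32) ip=${dst%/32} ;;
            */*) continue ;;          # a real prefix, not a host route
            *) ip=$dst ;;
        esac
        has_neigh "$ip" "$2" || printf '%s\n' "$ip"
    done
}

# Constructed sample output modelled on the hub in the thread (dev gre1):
# the spoke's /32 is routed, but its neighbor entry never resolved.
SAMPLE_ROUTES='10.255.255.3 proto nhrp metric 10
10.255.255.0/24 proto kernel scope link src 10.255.255.1'
SAMPLE_NEIGHS='10.255.255.2 lladdr 192.168.17.131 PERMANENT
10.255.255.3 FAILED'

if [ "${1:-}" = "--live" ]; then
    dev=${2:-gre1}
    missing_nhrp_neighbors "$(ip -4 route show dev "$dev")" "$(ip -4 neigh show dev "$dev")"
else
    missing_nhrp_neighbors "$SAMPLE_ROUTES" "$SAMPLE_NEIGHS"   # prints 10.255.255.3
fi
```

Run it with `--live gre1` on the hub to check the real tables; any address it prints is a next hop nhrpd routed but never mapped to an NBMA address.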