[FROG] DMVPN NHRP assistance

Felipe Arturo Polanco felipeapolanco at gmail.com
Fri May 18 15:29:46 EDT 2018


At the end I solved the "ping: sendmsg: invalid argument" error by running
this command manually:
ip neigh add 10.255.255.3 lladdr 192.168.17.135 dev gre1

Where 10.255.255.3 is the inside mGRE IP and 192.168.17.135 the NBMA
address.

Does anybody know why nhrpd is not adding a layer 2 entry for next hop?
From the logs I see it adds a /32 route to the next hop but not a layer 2
entry.

I'm using iproute-3.10.0-87.el7.x86_64 and kernel 3.10.0-693.el7.x86_64

On Fri, May 11, 2018 at 8:45 AM, Felipe Arturo Polanco <
felipeapolanco at gmail.com> wrote:

> I could move forward from this issue by reinstalling strongswan and using
> strongswan-swanctl service, apparently I was not using the patched version,
> I noticed that because the vici_query.c file I had in the source was
> different than the one in the patched repo.
>
> Now I am seeing something quite strange.
>
> I get both spoke and hub to establish an IPSec sessions and SA are being
> established, I do see the Spoke sending registration message to the hub, I
> see the Hub receiving it and sending back a reply but the reply never gets
> to the spoke.
>
> Also the message counter in the SA statistics doesn't go up after a few
> messages.
>
> The IP of the spoke gets installed in the hub routing table but I cannot
> ping it, if I try it, it comes with this error:
>
> ping: sendmsg: invalid argument
>
> I notice this happens as soon as the hub adds the route of the /32 host in
> its routing table, after that point communication is broken between hub and
> spoke and the hub's reply message never gets into the IPsec tunnel nor any
> other packet.
>
> Any ideas about this?
>
> Thanks,
>
> On Wed, May 9, 2018 at 11:37 PM, Felipe Arturo Polanco <
> felipeapolanco at gmail.com> wrote:
>
>> Hi,
>>
>> I'm having trouble getting DMVPN to work in FRR.
>>
>> I followed this guide:
>> https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DM
>> VPN)_Phase_3_with_Quagga_NHRPd#Hub_Node
>>
>> I installed patched strongswan as per the instruction in the README file:
>> https://github.com/FRRouting/frr/blob/master/nhrpd/README.nhrpd
>>
>> But still I cannot figure out how to establish a connection between a hub
>> and a spoke.
>>
>> There is this error in the logs on both hub and spoke:
>> May 09 23:24:19 FRR01 charon-systemd[107289]: vici initiate 'dmvpn'
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'success'='no'
>> May 09 23:24:19 FRR01 charon-systemd[107289]: unable to resolve %any,
>> initiate aborted
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: Key 'errmsg'='establishing
>> CHILD_SA 'dmvpn' failed'
>> May 09 23:24:19 FRR01 charon-systemd[107289]: tried to checkin and delete
>> nonexisting IKE_SA
>> May 09 23:24:19 FRR01 nhrpd[107823]: VICI: strongSwan: establishing
>> CHILD_SA 'dmvpn' failed
>>
>> Spoke:
>>
>> FRR01# sh dmvpn
>> Src                      Dst                      Flags  SAs  Identity
>> 192.168.17.131           192.168.17.135           n      0
>>
>> FRR01# sh ip nhrp
>> Iface    Type     Protocol                 NBMA    Flags  Identity
>> gre1     local    10.255.255.2             -       -
>>
>> interface gre1
>>  ip nhrp holdtime 3600
>>  ip nhrp network-id 1
>>  ip nhrp nhs dynamic nbma 192.168.17.135
>>  ip nhrp registration no-unique
>>  ip nhrp shortcut
>>  no link-detect
>>  tunnel protection vici profile dmvpn
>>  tunnel source ens37
>>
>>
>> -------
>>
>> Hub:
>>
>> FRR_RR01# sh dmvpn
>> Src                      Dst                      Flags  SAs  Identity
>> FRR_RR01# sh ip nhrp
>> Iface    Type     Protocol                 NBMA    Flags  Identity
>> gre1     local    10.255.255.1             -       -
>>
>> interface gre1
>>  ip nhrp holdtime 3600
>>  ip nhrp network-id 1
>>  ip nhrp nhs dynamic nbma 192.168.17.135
>>  ip nhrp redirect
>>  ip nhrp registration no-unique
>>  ip nhrp shortcut
>>  no link-detect
>>  tunnel protection vici profile dmvpn
>>  tunnel source ens37
>>
>> ---
>>
>> /etc/swanctl/swanctl.conf
>>
>> [root at FRR_RR01 ~]# cat /etc/swanctl/swanctl.conf
>> connections {
>>         dmvpn {
>>                 version = 2
>>                 pull = no
>>                 mobike = no
>>                 dpd_delay = 15
>>                 dpd_timeout = 30
>>                 fragmentation = yes
>>                 unique = replace
>>                 rekey_time = 4h
>>                 reauth_time = 13h
>>                 proposals = aes256-sha512-ecp384
>>                 local {
>>                         auth = psk
>>                         id = hub
>>                 }
>>                 remote {
>>                         auth = psk
>>                 }
>>                 children {
>>                         dmvpn {
>>                                 esp_proposals = aes256-sha512-ecp384
>>                                 local_ts = dynamic[gre]
>>                                 remote_ts = dynamic[gre]
>>                                 inactivity = 90m
>>                                 rekey_time = 100m
>>                                 mode = transport
>>                                 dpd_action = clear
>>                                 reqid = 1
>>                         }
>>                 }
>>         }
>> }
>>
>>
>> ---
>>
>>
>> Any idea what could be wrong?
>>
>
>
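Added example, not part of the thread and not FRR or nhrpd code: a small POSIX shell helper that checks whether the kernel neighbour table on the mGRE interface carries the protocol-address to NBMA mapping that nhrpd is expected to install, which is exactly what the manual `ip neigh add` workaround at the top of the message supplies by hand. It reads `ip neigh show` output on stdin, classifies the entry for the peer as usable, present-but-broken (FAILED/INCOMPLETE or no lladdr) or missing, and prints the `ip neigh replace` command that would repair it. The function names are hypothetical, the interface and addresses (gre1, 10.255.255.3, 192.168.17.135) are the ones from the message, and the sample neighbour output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes the "ip neigh show"
# line layout: "<proto-addr> dev <iface> lladdr <nbma> <STATE>", with the
# "dev" or "lladdr" words absent when filtered by device or when the entry
# has no link-layer address (typical for FAILED/INCOMPLETE entries).

# neigh_status IFACE PROTO_ADDR  < output of "ip neigh show"
# Prints one of:
#   ok <lladdr>     usable mapping present
#   stale <STATE>   entry present but unusable (no lladdr or FAILED/INCOMPLETE)
#   missing         no entry for PROTO_ADDR on IFACE
neigh_status() {
    iface=$1; proto=$2
    awk -v iface="$iface" -v proto="$proto" '
        $1 == proto {
            dev = ""; ll = ""; state = $NF
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") ll  = $(i + 1)
            }
            # Skip entries that belong to another interface.
            if (dev != "" && dev != iface) next
            found = 1
            if (ll != "" && state != "FAILED" && state != "INCOMPLETE") {
                print "ok " ll; exit
            }
            print "stale " state; exit
        }
        END { if (!found) print "missing" }'
}

# neigh_fix_cmd IFACE PROTO_ADDR NBMA_ADDR
# "replace" is used instead of "add" so the command is safe whether or not a
# broken entry already exists.
neigh_fix_cmd() {
    printf 'ip neigh replace %s lladdr %s dev %s\n' "$2" "$3" "$1"
}

# check_mapping IFACE PROTO_ADDR NBMA_ADDR  < output of "ip neigh show"
# Returns 0 when the kernel already has the expected mapping, 1 otherwise
# (printing a diagnosis and the repair command).
check_mapping() {
    iface=$1; proto=$2; nbma=$3
    status=$(neigh_status "$iface" "$proto")
    case $status in
        "ok $nbma")
            echo "ok: $proto -> $nbma on $iface"
            return 0 ;;
        ok\ *)
            echo "mismatch: kernel maps $proto to ${status#ok }, expected $nbma"
            neigh_fix_cmd "$iface" "$proto" "$nbma"
            return 1 ;;
        *)
            echo "$status: no usable neighbour entry for $proto on $iface"
            neigh_fix_cmd "$iface" "$proto" "$nbma"
            return 1 ;;
    esac
}

# Constructed sample of "ip neigh show" output (not real data): one good mGRE
# mapping, one FAILED mGRE peer and an unrelated Ethernet neighbour.
SAMPLE_NEIGH='10.255.255.3 dev gre1 lladdr 192.168.17.135 PERMANENT
10.255.255.4 dev gre1 FAILED
192.168.17.1 dev ens37 lladdr 00:11:22:33:44:55 REACHABLE'

# Stand-alone demonstration on the constructed sample; against a live box run:
#   ip neigh show | check_mapping gre1 10.255.255.3 192.168.17.135
printf '%s\n' "$SAMPLE_NEIGH" | check_mapping gre1 10.255.255.3 192.168.17.135
printf '%s\n' "$SAMPLE_NEIGH" | check_mapping gre1 10.255.255.4 192.168.17.135 || true
```

Running the check on both hub and spoke right after the /32 route for the peer appears is a quick way to confirm whether the "sendmsg: invalid argument" condition is the missing neighbour entry: the route exists, but the kernel has no NBMA address to encapsulate toward, so sends on the mGRE device fail. When the mapping is present and correct the script exits 0; otherwise it prints the one-line repair command from the message.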