DMVPN with Linux

I have known since I discovered DMVPN in 2004/5 that it is a very clever combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.

This week I discovered “opennhrp” on SourceForge.

It took me a minute or two to have a VM with debian up and the needed tools installed.

I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid / testing, so I got kernel version 2.6.26-1-686.

Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like the kernel headers and so on :-) and then do the usual configure and make.

Then I built opennhrp; everything went without a problem up to here.

Next I configured racoon, ipsec-tools and opennhrp like this:

   /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

   /etc/racoon/racoon.conf 
   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
      }
   }
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
   }

   /etc/racoon/psk.txt
   10.2.0.90 1234

   /etc/opennhrp/opennhrp.conf
   interface gre1
      map 172.255.255.1/24 10.2.0.90 register cisco
      cisco-authentication 1234
      shortcut

Now get the tunnel up:

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add 172.255.255.2/24 dev gre1
   ip tunnel change gre1 local 10.0.81.115
   ip link set gre1 up

Now it's time to configure the other side.

We are using a Cisco 1812 running c181x-advsecurityk9-mz.124-15.T7.bin.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   !
   crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   !
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   !
   interface Tunnel888
      ip address 172.255.255.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source 10.2.0.90
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and voilà:

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
           N - NATed, L - Local, X - No Socket
           # Ent --> Number of NHRP entries with same NBMA peer
   Tunnel888, Type:Hub, NHRP Peers:1,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
    ----- --------------- --------------- ----- -------- -----
        1 10.0.81.115     172.255.255.2    UP     never D
   Router# ping 172.255.255.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

This looks great :-)
Many thanks to Timo for doing such impressive work. I like Cisco for their impressive boxes, and I also like open source software.
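A small parser for the hub's "show dmvpn" output, added here as an example (it is not code from the post, from OpenNHRP or from Cisco): it reads the peer table into records, flags peers that are not UP or that carry the I (incomplete) or X (no socket) attribute, and pulls the success rate out of the ping. The first peer row is the one shown above; the other two rows and their NHRP/IKE states are constructed sample data, and the function names are mine.

```python
import re

# Constructed sample in the layout of "show dmvpn interface tunnel 888".
# Row 1 is the post's real peer; rows 2 and 3 are invented so the audit has
# something to flag.
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel888, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.81.115     172.255.255.2    UP     never D
     1 10.0.81.116     172.255.255.3   NHRP 00:04:12 D
     1 10.0.81.117     172.255.255.4    IKE    never I
"""

# Constructed copy of the ping output from the post.
SAMPLE_PING = """\
Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
"""

# One peer row: "# Ent", NBMA address, tunnel address, state, up/down time, attributes.
PEER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TUNNEL_HDR = re.compile(r"^(\S+), Type:(\w+), NHRP Peers:(\d+)")


def parse_show_dmvpn(text):
    """Return interface name, role, advertised peer count and the parsed peer rows."""
    result = {"interface": None, "type": None, "peer_count": 0, "peers": []}
    in_table = False
    for line in text.splitlines():
        m = TUNNEL_HDR.match(line)
        if m:
            result["interface"], result["type"] = m.group(1), m.group(2)
            result["peer_count"] = int(m.group(3))
            in_table = False
            continue
        if line.strip().startswith("-----"):  # dashed separator precedes the rows
            in_table = True
            continue
        if in_table:
            m = PEER_ROW.match(line)
            if not m:
                in_table = False  # table ended (next command, blank line, ...)
                continue
            result["peers"].append({
                "entries": int(m.group(1)), "nbma": m.group(2), "tunnel": m.group(3),
                "state": m.group(4), "updown": m.group(5), "attrb": m.group(6),
            })
    return result


def audit_dmvpn(text):
    """List peers that are not fully up, plus a header/row count mismatch if any."""
    info = parse_show_dmvpn(text)
    findings = []
    if len(info["peers"]) != info["peer_count"]:
        findings.append(f"header says {info['peer_count']} peers but "
                        f"{len(info['peers'])} rows were parsed")
    for p in info["peers"]:
        problems = []
        if p["state"] != "UP":
            problems.append(f"state {p['state']}")
        if "I" in p["attrb"]:
            problems.append("incomplete entry")
        if "X" in p["attrb"]:
            problems.append("no socket")
        if problems:
            findings.append(f"{p['tunnel']} via {p['nbma']}: " + ", ".join(problems))
    return findings


def parse_ping(text):
    """Extract the IOS ping summary as percent/received/sent, or None if absent."""
    m = re.search(r"Success rate is (\d+) percent \((\d+)/(\d+)\)", text)
    if not m:
        return None
    return {"percent": int(m.group(1)), "received": int(m.group(2)), "sent": int(m.group(3))}


if __name__ == "__main__":
    for finding in audit_dmvpn(SAMPLE_SHOW_DMVPN):
        print("WARN", finding)
    print("ping:", parse_ping(SAMPLE_PING))
```

Run against real output, the audit is a quick way to see a spoke whose registration has expired (it disappears from the table, so the header count drops) or one that is stuck in the IKE/NHRP states rather than UP.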

— edit February 15, 2009 at 12:09 am —

After a while I found that no packets were travelling any more: the NHRP registration had expired on the Cisco side, probably because the hold timers differ. I added “holding-time 360” to opennhrp.conf, and an opennhrpctl purge then fixed the problem.
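The mismatch behind that edit is the kind of thing worth checking before bringing the tunnel up. The script below is an added example (not part of the post, of OpenNHRP or of IOS): it parses the hub's Tunnel888 stanza, the spoke's opennhrp.conf and the ip tunnel add command, and reports where the GRE key, the NHRP authentication string, the hub's NBMA/tunnel addresses or the hold time disagree. The config excerpts are copied from the post with holding-time left out, as it was before the edit; the parse_* and check_consistency names are mine.

```python
import re

# Constructed excerpts of the two configurations from the post. The opennhrp.conf
# deliberately lacks "holding-time", which is the state before the February 15 edit.
CISCO_TUNNEL = """\
interface Tunnel888
 ip address 172.255.255.1 255.255.255.0
 ip nhrp authentication 1234
 ip nhrp map multicast dynamic
 ip nhrp network-id 10064
 ip nhrp holdtime 360
 tunnel source 10.2.0.90
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile Profile3
"""

OPENNHRP_CONF = """\
interface gre1
   map 172.255.255.1/24 10.2.0.90 register cisco
   cisco-authentication 1234
   shortcut
"""

LINUX_TUNNEL_CMD = "ip tunnel add gre1 mode gre key 1234 ttl 64"


def parse_cisco_tunnel(text):
    """Pull the DMVPN-relevant lines out of an IOS 'interface Tunnel' stanza."""
    patterns = {
        "address":       r"ip address (\S+) \S+",
        "nhrp_auth":     r"ip nhrp authentication (\S+)",
        "holdtime":      r"ip nhrp holdtime (\d+)",
        "network_id":    r"ip nhrp network-id (\d+)",
        "tunnel_source": r"tunnel source (\S+)",
        "tunnel_key":    r"tunnel key (\S+)",
    }
    cfg = {key: None for key in patterns}
    for line in text.splitlines():
        line = line.strip()
        for key, pat in patterns.items():
            m = re.fullmatch(pat, line)
            if m:
                cfg[key] = int(m.group(1)) if key == "holdtime" else m.group(1)
    return cfg


def parse_opennhrp(text):
    """Parse the spoke's opennhrp.conf 'interface' block."""
    cfg = {"interface": None, "map_tunnel": None, "map_nbma": None,
           "register": False, "nhrp_auth": None, "holding_time": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            cfg["interface"] = m.group(1)
            continue
        m = re.fullmatch(r"map (\S+)/\d+ (\S+)(.*)", line)
        if m:
            cfg["map_tunnel"], cfg["map_nbma"] = m.group(1), m.group(2)
            cfg["register"] = "register" in m.group(3).split()
            continue
        m = re.fullmatch(r"cisco-authentication (\S+)", line)
        if m:
            cfg["nhrp_auth"] = m.group(1)
            continue
        m = re.fullmatch(r"holding-time (\d+)", line)
        if m:
            cfg["holding_time"] = int(m.group(1))
    return cfg


def parse_gre_key(cmd):
    """Return the 'key' value from an 'ip tunnel add ... mode gre key N' command."""
    m = re.search(r"\bkey (\S+)", cmd)
    return m.group(1) if m else None


def check_consistency(hub, spoke, tunnel_cmd):
    """Compare the spoke's settings with the hub's and return a list of findings."""
    findings = []
    gre_key = parse_gre_key(tunnel_cmd)
    if gre_key != hub["tunnel_key"]:
        findings.append(f"GRE key {gre_key} on the Linux tunnel differs from "
                        f"'tunnel key {hub['tunnel_key']}' on the hub")
    if spoke["nhrp_auth"] != hub["nhrp_auth"]:
        findings.append("NHRP authentication string differs between "
                        "cisco-authentication and ip nhrp authentication")
    if spoke["map_nbma"] != hub["tunnel_source"]:
        findings.append(f"map NBMA {spoke['map_nbma']} is not the hub's tunnel source "
                        f"{hub['tunnel_source']}")
    if spoke["map_tunnel"] != hub["address"]:
        findings.append(f"map tunnel address {spoke['map_tunnel']} is not the hub's "
                        f"tunnel address {hub['address']}")
    if not spoke["register"]:
        findings.append("map entry lacks 'register'; the hub will never learn this spoke")
    if spoke["holding_time"] is None:
        findings.append(f"holding-time not set on the spoke (daemon default applies) "
                        f"while the hub uses 'ip nhrp holdtime {hub['holdtime']}'")
    elif spoke["holding_time"] != hub["holdtime"]:
        findings.append(f"holding-time {spoke['holding_time']} differs from hub "
                        f"holdtime {hub['holdtime']}")
    return findings


if __name__ == "__main__":
    hub = parse_cisco_tunnel(CISCO_TUNNEL)
    spoke = parse_opennhrp(OPENNHRP_CONF)
    for finding in check_consistency(hub, spoke, LINUX_TUNNEL_CMD):
        print("WARN", finding)
```

With the post's configuration as written, the only finding is the missing holding-time; adding “holding-time 360” under the interface clears it, and a wrong GRE key or authentication string is reported the same way instead of showing up later as a silently dropped registration.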

14 thoughts on “DMVPN with Linux”

  1. Hello Eduardo,

    Primarily we use Cisco routers as hubs, but it should not be a problem for a Linux system to handle the connections. A problem could be the crypto speed of the system; I have no experience of how much crypto PC-based hardware can handle.

    Cheers Patrick

  2. I haven’t worked with Linux a lot. Could you tell me
    where I should write this part of the configuration:
    “ip tunnel add gre1 mode gre key 1234 ttl 64
    ip addr add 172.255.255.2/24 dev gre1
    ip tunnel change gre1 local 10.0.81.115
    ip link set gre1 up”
    I wrote it in the root console, but afterwards I can’t ping the IP of the tunnel interface.
    And what do you mean by “a opennhrpctl purge fixed the problem.”?
    Thank you.

    1. Hello Vlad

      The “ip” command can be submitted on the shell, or you put the needed entries in your network configuration; this depends on your distribution…

      The OpenNHRP package delivers a command “opennhrpctl”, and when you use this with the purge option the tunnel will be re-established.

      Cheers Patrick

  3. I need help!
    After the execution of everything described above
    in Ubuntu 9.10 with kernel-2.6.31-14-generic
    I have received and continue to get the following:
    in syslog:
    opennhrp[3372]: [172.255.255.1] Peer up script failed: exitstatus 1
    in console:
    Create link from (192.168.68.128) to 172.255.255.1 (10.2.0.90)
    racoonctl: unknown protocol -w
    opennhrp[3372]: [172.255.255.1] Peer up script failed: exitstatus 1

    I have this working as follows:
    ipsec-tools pkg installed

    root@ovpn-desktop:~# lsmod
    Module Size Used by
    ip_gre 14880 0
    tun 13788 0

    gre1 net addr:172.255.255.2 Mask:255.255.255.0
    UP RUNNING NOARP MTU:1472 Metric:1

    What is wrong ?

    1. hi scroolz,

      As far as I tested the setup, multipoint tunnels should work. It was just for fun that I tested the setup ;-) and I will do some testing when the weather gets colder again.
      For the moment I don’t find the time to bring the project to a new level, and we currently do not use dynamic tunnels in our network.

      Patrick

      1. Thanks Patrick.

        I got some errors when installing ipsec-tools-0.8-alpha20090126.tar.bz2. Can you explain the right libs, tools and procedures that you used to make this up? Can you help?

        Thanks again!

  4. Thanks for your reply…

    During “make” I got these errors:

    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
    dso_dlfcn.c:(.text+0x2d): undefined reference to `dlopen'
    dso_dlfcn.c:(.text+0x43): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x4d): undefined reference to `dlclose'
    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
    dso_dlfcn.c:(.text+0x8f): undefined reference to `dladdr'
    dso_dlfcn.c:(.text+0xe9): undefined reference to `dlerror'
    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
    dso_dlfcn.c:(.text+0x451): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x528): undefined reference to `dlerror'
    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
    dso_dlfcn.c:(.text+0x5b1): undefined reference to `dlsym'
    dso_dlfcn.c:(.text+0x688): undefined reference to `dlerror'
    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
    dso_dlfcn.c:(.text+0x6f3): undefined reference to `dlclose'
    /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
    dso_dlfcn.c:(.text+0x7d7): undefined reference to `dlopen'
    dso_dlfcn.c:(.text+0x848): undefined reference to `dlclose'
    dso_dlfcn.c:(.text+0x88d): undefined reference to `dlerror'
    collect2: ld returned 1 exit status
    make[4]: *** [eaytest] Error 1
    make[4]: Leaving directory `/root/ipsec-tools-0.8-alpha20090903/src/racoon'
    make[3]: *** [all] Error 2
    make[3]: Leaving directory `/root/ipsec-tools-0.8-alpha20090903/src/racoon'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/root/ipsec-tools-0.8-alpha20090903/src'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/root/ipsec-tools-0.8-alpha20090903'
    make: *** [all] Error 2

    Missing some lib or package?

    If you could help… :/

    Thanks again! :)

    1. Hi

      It seems you have a problem with your compiler (gcc), glibc (glibc-devel) or the OpenSSL installation.
      Can you tell me what distribution you are using? What packages have you installed?

      • Glibc + Glibc-devel
      • OpenSSL + OpenSSL-devel

      Have you installed openssl from source?
      What is the commandline / output from the ./configure ?
      It seems that there is a problem with the dynamic linker.

      HTH

      Patrick

  5. Hi Patrick,
    me again…

    After a lot of headache I have compiled ipsec-tools 0.8 from source on CentOS 5 but I’m still getting errors… racoonctl: unknown protocol -w

    Do you have your procedures documented to help us?

    Best regards!
