I have known since I discovered DMVPN in 2004/5 that it is a very intelligent combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.
This week I discovered “opennhrp” on SourceForge.
It took me a minute or two to get a VM with Debian up and the needed tools installed.
I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid/testing, so I got kernel version 2.6.26-1-686.
Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like kernel headers and so on :-), and then do the usual configure and make steps.
Then I went on to build opennhrp; all done without a problem up to here.
Next I configured racoon, ipsec-tools and opennhrp like this:
/etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main,aggressive;
        lifetime time 24 hour;
        # nat_traversal on;
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}
sainfo anonymous {
        lifetime time 12 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
/etc/racoon/psk.txt
10.2.0.90 1234
/etc/opennhrp/opennhrp.conf
interface gre1
  map 172.255.255.1/24 10.2.0.90 register cisco
  cisco-authentication 1234
  shortcut
Now get the tunnel up:
ip tunnel add gre1 mode gre key 1234 ttl 64
ip addr add 172.255.255.2/24 dev gre1
ip tunnel change gre1 local 10.0.81.115
ip link set gre1 up
Now it's time to get the other side going.
We are using a Cisco 1812 running c181x-advsecurityk9-mz.124-15.T7.bin.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile Profile3
 set transform-set TRANSFORMSET_3
!
interface Tunnel888
 ip address 172.255.255.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication 1234
 ip nhrp map multicast dynamic
 ip nhrp network-id 10064
 ip nhrp holdtime 360
 ip nhrp max-send 200 every 10
 ip route-cache same-interface
 ip tcp adjust-mss 1350
 load-interval 30
 tunnel source 10.2.0.90
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile Profile3
and voilà:
Router# sh dmvpn interface tunnel 888
Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel888, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.81.115     172.255.255.2     UP    never    D
Router# ping 172.255.255.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
This looks great :-)
Many thanks to Timo for doing such impressive work. I like Cisco for their impressive boxes, and I also like open source software.
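The peer table above is what you end up checking whenever a spoke stops passing traffic, so here is a small parser for it. This is an added example, not code from the post, from Cisco or from the opennhrp project; the sample text is constructed from the hub output shown above, the row regex assumes the column layout shown there, and the function names are mine.

```python
"""Parse the NHRP peer table of Cisco 'show dmvpn' output and flag peers that
are not up or spokes that are missing.  Added example, not part of the
original post and not Cisco's or opennhrp's code; the sample output below is
constructed from the hub's table in the post (one spoke, 10.0.81.115)."""
import re

# Constructed sample, copied from the post's output (the load and time
# header lines are the kind of noise a real capture carries).
SHOW_DMVPN = """\
Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel888, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.81.115     172.255.255.2     UP    never    D
"""

TUNNEL_HDR = re.compile(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)")
# columns: # Ent, Peer NBMA Addr, Peer Tunnel Add, State, UpDn Tm, Attrb
PEER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")


def parse_show_dmvpn(text):
    """Return a list of peer dicts, each tagged with its tunnel interface."""
    peers, tunnel, kind = [], None, None
    for line in text.splitlines():
        m = TUNNEL_HDR.match(line)
        if m:
            tunnel, kind = m.group(1), m.group(2)
            continue
        m = PEER_ROW.match(line)
        if m and tunnel is not None:
            peers.append({
                "tunnel": tunnel, "type": kind, "entries": int(m.group(1)),
                "nbma": m.group(2), "tunnel_addr": m.group(3),
                "state": m.group(4), "updown": m.group(5), "attrb": m.group(6),
            })
    return peers


def peers_not_up(peers):
    """Peers whose state is anything other than UP (still in NHRP/IKE/IPsec)."""
    return [p for p in peers if p["state"] != "UP"]


def missing_spokes(peers, expected_nbma):
    """Expected spoke NBMA addresses that currently have no entry on the hub."""
    seen = {p["nbma"] for p in peers}
    return sorted(set(expected_nbma) - seen)


if __name__ == "__main__":
    found = parse_show_dmvpn(SHOW_DMVPN)
    for p in found:
        print(p["tunnel"], p["nbma"], "->", p["tunnel_addr"], p["state"], p["attrb"])
    print("not up:", peers_not_up(found))
    # 10.0.81.116 is a constructed second spoke that has not registered
    print("missing:", missing_spokes(found, ["10.0.81.115", "10.0.81.116"]))
```

Feeding it the captured output of `show dmvpn` (for example from a cron job that logs in and saves the text) gives you a list of spokes whose registration has vanished, which is exactly the condition described in the edit at the end of this post.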
— edit February 15, 2009 at 12:09 am —
I found after a while that no packets were traveling; the NHRP registration had gone on the Cisco side. Maybe the holdtimers differ, so I added “holding-time 360” to opennhrp.conf, and an opennhrpctl purge fixed the problem.
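The spoke and hub configs above, plus the holding-time fix in this edit, have a handful of values that must agree on both sides (NHRP authentication string, GRE tunnel key, a `register` map pointing at the hub's NBMA address, multipoint GRE on the hub, and the hold time). Here is an added example that parses both sides and reports the differences; it is not code from the post or from the opennhrp project. The sample configs are constructed from the values shown above (the original spoke file and the edited one with `holding-time 360`), the parsers only know the keywords used in this post, and the function names are mine.

```python
"""Cross-check the parameters that must agree between an opennhrp spoke and a
Cisco DMVPN hub: NHRP authentication string, GRE tunnel key, multipoint mode,
a 'register' map for the hub's NBMA address, and the NHRP hold time.
Added example, not code from the original post or from opennhrp; the sample
configs are constructed from the values shown in the post."""
import re

# Constructed sample: the spoke opennhrp.conf as first posted (no holding-time).
SPOKE_ORIGINAL = """\
interface gre1
  map 172.255.255.1/24 10.2.0.90 register cisco
  cisco-authentication 1234
  shortcut
"""

# Constructed sample: the same file with the 'holding-time 360' line the
# author added in the edit, matching the hub's 'ip nhrp holdtime 360'.
SPOKE_EDITED = SPOKE_ORIGINAL.replace("  shortcut", "  holding-time 360\n  shortcut")

# Constructed sample: the spoke's 'ip tunnel add' command from the post.
SPOKE_IP_TUNNEL = "ip tunnel add gre1 mode gre key 1234 ttl 64"

# Constructed sample: the relevant lines of the hub's Tunnel888 stanza.
HUB_TUNNEL = """\
interface Tunnel888
 ip address 172.255.255.1 255.255.255.0
 ip nhrp authentication 1234
 ip nhrp map multicast dynamic
 ip nhrp network-id 10064
 ip nhrp holdtime 360
 tunnel source 10.2.0.90
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile Profile3
"""


def parse_opennhrp(text):
    """Per-interface settings from an opennhrp.conf body (keyword subset)."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "interface":
            cur = ifaces.setdefault(parts[1], {"maps": []})
        elif cur is None:
            continue
        elif parts[0] == "map":          # map <proto-net> <nbma> [register] [cisco]
            cur["maps"].append({"proto": parts[1], "nbma": parts[2],
                                "register": "register" in parts[3:]})
        elif parts[0] == "cisco-authentication":
            cur["auth"] = parts[1]
        elif parts[0] == "holding-time":
            cur["holdtime"] = int(parts[1])
    return ifaces


def parse_ip_tunnel_key(cmd):
    """GRE key given to 'ip tunnel add ... key N', or None if unkeyed."""
    m = re.search(r"\bkey\s+(\S+)", cmd)
    return m.group(1) if m else None


def parse_ios_tunnel(text):
    """NHRP/tunnel settings from one IOS 'interface TunnelN' stanza."""
    cfg = {"mgre": False}
    patterns = {
        "auth": r"ip nhrp authentication (\S+)",
        "holdtime": r"ip nhrp holdtime (\d+)",
        "tunnel_key": r"tunnel key (\S+)",
        "source": r"tunnel source (\S+)",
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "tunnel mode gre multipoint":
            cfg["mgre"] = True
            continue
        for name, pat in patterns.items():
            m = re.match(pat, line)
            if m:
                cfg[name] = int(m.group(1)) if name == "holdtime" else m.group(1)
    return cfg


def check_pair(spoke, spoke_key, hub):
    """Return the list of mismatches; an empty list means the sides agree."""
    problems = []
    if spoke.get("auth") != hub.get("auth"):
        problems.append("NHRP authentication string differs")
    if spoke_key != hub.get("tunnel_key"):
        problems.append("GRE tunnel key differs")
    if not hub["mgre"]:
        problems.append("hub tunnel is not 'tunnel mode gre multipoint'")
    if not any(m["register"] and m["nbma"] == hub.get("source") for m in spoke["maps"]):
        problems.append("spoke has no 'register' map for hub NBMA %s" % hub.get("source"))
    # The post's fix for the registration vanishing on the hub was to give the
    # spoke the hub's 'ip nhrp holdtime' as its holding-time; flag any gap.
    if spoke.get("holdtime") != hub.get("holdtime"):
        problems.append("NHRP hold time differs: spoke %s vs hub %s"
                        % (spoke.get("holdtime"), hub.get("holdtime")))
    return problems


def check_post_configs(spoke_conf):
    """Run the check for one spoke config against the post's hub config."""
    spoke = parse_opennhrp(spoke_conf)["gre1"]
    return check_pair(spoke, parse_ip_tunnel_key(SPOKE_IP_TUNNEL), parse_ios_tunnel(HUB_TUNNEL))


if __name__ == "__main__":
    for label, conf in (("original", SPOKE_ORIGINAL), ("edited", SPOKE_EDITED)):
        print(label, check_post_configs(conf) or "OK")
```

Run against the original spoke file it reports only the hold time gap (`spoke None vs hub 360`); against the edited file it reports nothing, which is the state the purge left the author in.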