
Opennhrp fail
Closed, Resolved | Public | BUG

Description

DMVPN is not working in 1.2.
There is an error in the NHRP output. It looks like the script is using the wrong syntax.

root@ipsec-dmvpn:/home/ma# opennhrp -v
opennhrp[4359]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
opennhrp[4359]: Adding static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
....
Create link from 10.0.0.2 (192.168.100.204) to 10.0.0.1 (192.168.100.200)
10.0.0.2/24
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:
swanctl --terminate --child <name> | --ike <name | --child-id <id> | --ike-id <id>
[--timeout <s>] [--raw|--pretty]
--help (-h) show usage information
--child (-c) terminate by CHILD_SA name
--ike (-i) terminate by IKE_SA name
--child-id (-C) terminate by CHILD_SA reqid
--ike-id (-I) terminate by IKE_SA unique identifier
--timeout (-t) timeout in seconds before detaching
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--loglevel (-l) verbosity of redirected log
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:
swanctl --initiate --child <name> [--timeout <s>] [--raw|--pretty]
--help (-h) show usage information
--child (-c) initate a CHILD_SA configuration
--timeout (-t) timeout in seconds before detaching
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--loglevel (-l) verbosity of redirected log
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to

opennhrp[4359]: [10.0.0.1] Peer up script failed: exitstatus 1

root@ipsec-dmvpn:/home/ma# cat /etc/opennhrp/opennhrp-script

#!/bin/sh
# Hook script run by opennhrp; the event name is $1 and the peer details arrive in NHRP_* variables
_nhrp_config="/etc/opennhrp/opennhrp.conf"
_nhrp_ipsec="/etc/opennhrp/opennhrp.ipsec"
_strongswan_pid="/var/run/charon.pid"
_type="hub"

# The node is a hub unless its NHRP interface is not listed as "hub" in opennhrp.conf
if ! grep "$NHRP_INTERFACE" $_nhrp_config | grep "hub" > /dev/null 2>&1; then
    _type="spoke"
fi

case $1 in
interface-up)
    ip route flush proto 42 dev $NHRP_INTERFACE
    ip neigh flush dev $NHRP_INTERFACE
    echo "int up"
    ;;
peer-register)
    ;;
peer-up)
    if [ -n "$NHRP_DESTMTU" ]; then
        ARGS=$(ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1)
        ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
    fi
    echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    # On a spoke with charon running, (re)initiate the IPsec SA towards the peer's NBMA address
    if [[ ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ) ]]; then
        if grep "${NHRP_SRCADDR}" "${_nhrp_ipsec}"; then
            swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA > /dev/null 2>&1
            # ----- PROBLEM IS HERE -----
            # ----- WRONG SYNTAX -----
            swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1
            # ----- END PROBLEM IS HERE -----
            echo "peer-up error"
        fi
    fi
    ;;
peer-down)
    echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
    if [[ ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ) ]]; then
        swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1
        echo "peer-down error"
    fi
    ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
    ;;
route-up)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
    ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
    ip route flush cache
    ;;
route-down)
    echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
    ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
    ip route flush cache
    ;;
esac

exit 0
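The report (and the later note that the problem is "related to missing options") comes down to the installed swanctl rejecting the -S and -R options the peer-up and peer-down hooks pass. Below is an added pre-flight check, not part of this report or of VyOS, that a spoke operator can run before relying on the hook; it assumes that `swanctl <command> --help` prints that command's usage text and that -S and -R are the letters to look for, as in the script above.

```shell
#!/bin/sh
# Added example: does the installed swanctl document the short options the
# opennhrp-script hooks pass (-S / -R)? Stock strongSwan 5.5.1 swanctl rejects them,
# which is what makes the hook exit 1 and opennhrp log "Peer up script failed".

# Constructed sample: the --initiate usage text of stock swanctl 5.5.1 (as in the report).
STOCK_USAGE='swanctl --initiate --child <name> [--timeout <s>] [--raw|--pretty]
         --help            (-h)  show usage information
         --child           (-c)  initate a CHILD_SA configuration
         --timeout         (-t)  timeout in seconds before detaching
         --raw             (-r)  dump raw response message'

# swanctl_lists_opt USAGE LETTER: succeed iff the usage text documents short option -LETTER.
# Fixed-string grep so letters such as '+' (--options) are matched literally.
swanctl_lists_opt() {
    printf '%s\n' "$1" | grep -Fq "(-$2)"
}

# missing_opts USAGE LETTER...: print the requested letters the usage text does not
# document, space separated (empty output means every option is supported).
missing_opts() {
    usage=$1; shift
    out=""
    for letter in "$@"; do
        swanctl_lists_opt "$usage" "$letter" || out="$out $letter"
    done
    printf '%s\n' "${out# }"
}

# check_live_swanctl COMMAND LETTER...: ask the installed swanctl for COMMAND's usage
# (e.g. --initiate) and fail if any option the hook relies on is missing.
check_live_swanctl() {
    cmd=$1; shift
    usage=$(swanctl "$cmd" --help 2>&1) || true
    missing=$(missing_opts "$usage" "$@")
    if [ -n "$missing" ]; then
        echo "swanctl $cmd does not accept: $missing (peer-up hook would exit 1)" >&2
        return 1
    fi
    echo "swanctl $cmd accepts all of: $*"
}

# Probe the real binary only when one is installed; otherwise nothing runs.
if command -v swanctl >/dev/null 2>&1; then
    check_live_swanctl --initiate S R || echo "DMVPN hook pre-flight check failed" >&2
fi
```

On a VyOS spoke, running the check against both --initiate and --terminate covers the two swanctl calls the hook makes.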

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rolling+201806260337
Why the issue appeared?
Will be filled on close

Event Timeline

oleksandr.mamenko triaged this task as Normal priority. Jun 29 2018, 9:13 PM
oleksandr.mamenko created this task.
oleksandr.mamenko created this object in space S1 VyOS Public.
syncer assigned this task to UnicronNL. Jun 30 2018, 4:07 PM
syncer added subscribers: Maintainers, Core Community.
c-po added a subscriber: c-po. Jun 30 2018, 4:45 PM

I can confirm it was working with Version: VyOS 1.2.0-rolling+201806050337

c-po added a comment. Jun 30 2018, 4:49 PM

... and also working with latest rolling version VyOS 1.2.0-rolling+201806300337. Please note there was a time with a "bad" StrongSWAN version, maybe that's what you have.

c-po moved this task from Need Triage to Finished on the VyOS 1.2 Crux board.
syncer moved this task from Finished to Backlog on the VyOS 1.2 Crux board. Jun 30 2018, 5:25 PM
syncer added a subscriber: syncer.

Problem exists, related to missing options

c-po added a comment. Jun 30 2018, 5:30 PM

@oleksandr.mamenko could you please provide a config snippet?

I'm using:

protocols {
    nhrp {
        tunnel tun100 {
            cisco-authentication **
            holding-time 300
            multicast dynamic
            redirect
            shortcut
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-HUB {
            compression disable
            lifetime 1800
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-HUB {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 1
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/8 {
            }
            allowed-network xxx.xxx.0.0/12 {
            }
            allowed-network xxx.xxx.0.0/16 {
            }
        }
        nat-traversal enable
        profile NHRPVPN {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            bind {
                tunnel tun100
            }
            esp-group ESP-HUB
            ike-group IKE-HUB
        }
    }
}

Please note this is also a L2TP/IPSec endpoint thus the nat traversal stuff.

@c-po the problem exists on the SPOKE node.
1. I have updated to the latest rolling:
ma@ipsec-dmvpn:~$ sh ver
Version: VyOS 1.2.0-rolling+201806300337
Built by: autobuild@vyos.net
Built on: Sat 30 Jun 2018 03:37 UTC
Build ID: b813533d-49f2-44fb-9b35-9a15e2821f35

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: Unknown
Hardware UUID: Unknown

Copyright: VyOS maintainers and contributors
2. Checking strongswan version
ma@ipsec-dmvpn:~$ sudo su
root@ipsec-dmvpn:/home/ma# dpkg -l strongswan
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                          Version                     Architecture                Description
+++-=============================================-===========================-===========================-===============================================================================================
ii  strongswan                                    5.5.1-4+deb9u1              all                         IPsec VPN solution metapackage
3. Errors in log file
root@ipsec-dmvpn:/home/ma# grep nhrp /var/log/messages
Jun 30 19:30:15 ipsec-dmvpn opennhrp.init[2717]: Preparing Next Hop Resolution Protocol: opennhrp.
Jun 30 19:30:18 ipsec-dmvpn opennhrp[2985]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
Jun 30 19:30:19 ipsec-dmvpn opennhrp[3057]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
Jun 30 19:30:24 ipsec-dmvpn opennhrp[3064]: [10.0.0.1] Peer up script failed: exitstatus 1
Jun 30 19:30:24 ipsec-dmvpn opennhrp[3064]: [10.0.0.1] Peer up script failed: exitstatus 1
4. Restarting opennhrp with VERBOSE to see the errors in real time.
You will find the same error output for the wrong syntax.
root@ipsec-dmvpn:/home/ma# pkill opennhrp
root@ipsec-dmvpn:/home/ma# opennhrp -v
opennhrp[3563]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
opennhrp[3563]: Adding static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
opennhrp[3563]: Interface lo: configured UP, mtu=0
opennhrp[3563]: Interface eth0: configured UP, mtu=1500
opennhrp[3563]: Interface eth1: configured UP, mtu=1500
opennhrp[3563]: Interface gre0: config change, mtu=1476
opennhrp[3563]: Interface gretap0: config change, mtu=1462
opennhrp[3563]: Interface erspan0: config change, mtu=1450
opennhrp[3563]: Interface tun10: configured UP, mtu=1472
opennhrp[3563]: Interface tun10: GRE configuration changed. Purged 1 peers.
opennhrp[3563]: Adding local 10.0.0.2/32 dev tun10
opennhrp[3563]: Adding local 10.0.0.255/32 alias 10.0.0.2 dev tun10
opennhrp[3563]: Filter code installed (21 opcodes)
Create link from 10.0.0.2 (192.168.100.204) to 10.0.0.1 (192.168.100.200)
10.0.0.2/24
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:

swanctl --terminate --child <name> | --ike <name | --child-id <id> | --ike-id <id>
               [--timeout <s>] [--raw|--pretty]
         --help            (-h)  show usage information
         --child           (-c)  terminate by CHILD_SA name
         --ike             (-i)  terminate by IKE_SA name
         --child-id        (-C)  terminate by CHILD_SA reqid
         --ike-id          (-I)  terminate by IKE_SA unique identifier
         --timeout         (-t)  timeout in seconds before detaching
         --raw             (-r)  dump raw response message
         --pretty          (-P)  dump raw response message in pretty print
         --loglevel        (-l)  verbosity of redirected log
         --debug           (-v)  set debug level, default: 1
         --options         (-+)  read command line options from file
         --uri             (-u)  service URI to connect to

swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:

swanctl --initiate --child <name> [--timeout <s>] [--raw|--pretty]
         --help            (-h)  show usage information
         --child           (-c)  initate a CHILD_SA configuration
         --timeout         (-t)  timeout in seconds before detaching
         --raw             (-r)  dump raw response message
         --pretty          (-P)  dump raw response message in pretty print
         --loglevel        (-l)  verbosity of redirected log
         --debug           (-v)  set debug level, default: 1
         --options         (-+)  read command line options from file
         --uri             (-u)  service URI to connect to

opennhrp[3563]: [10.0.0.1] Peer up script failed: exitstatus 1
opennhrp[3563]: Multicast from 10.0.0.2 to 224.0.0.5
^Copennhrp[3563]: Removing local 10.0.0.255/32 alias 10.0.0.2 dev tun10 up
opennhrp[3563]: Removing local 10.0.0.2/32 dev tun10 up
opennhrp[3563]: Removing static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
opennhrp[3563]: NL-ARP(tun10) 10.0.0.1 not-reachable
root@ipsec-dmvpn:/home/ma#

5. Config file
ma@ipsec-dmvpn# show protocols nhrp
tunnel tun10 {
    cisco-authentication SECRET
    holding-time 10
    map 10.0.0.1/24 {
        nbma-address 192.168.100.200
        register
    }
    multicast nhs
    redirect
    shortcut
}
[edit]
ma@ipsec-dmvpn# sh vpn
ipsec {
    esp-group ESP-SPOKE {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption aes256
            hash sha1
        }
        proposal 2 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKE-SPOKE {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    profile NHRPVPN {
        authentication {
            mode pre-shared-secret
            pre-shared-secret SECRET
        }
        bind {
            tunnel tun10
        }
        esp-group ESP-SPOKE
        ike-group IKE-SPOKE
    }
}
[edit]

syncer changed the subtype of this task from "Task" to "Bug". Oct 18 2018, 5:40 AM
syncer added a project: VyOS-1.2.0-GA.
syncer changed the visibility from "Subscribers" to "Public (No Login Required)". Nov 5 2018, 10:11 AM