
OpenNHRP / DMVPN not working in HUB mode
Closed, Invalid | Public | BUG

Description

OpenNHRP / DMVPN was working in HUB mode with a Cisco 2811 spoke in this version 1.2.0-rolling+201808230337

Logfiles show:

Sep 15 10:04:28 AC1 opennhrp[2773]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading secrets
Sep 15 10:04:29 AC1 charon: 13[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 15 10:04:29 AC1 charon: 13[CFG]   loaded IKE secret for 46.38.234.19 %any
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'nat_traversal' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'virtual_private' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: ### 2 parsing errors (0 fatal) ###
Sep 15 10:04:29 AC1 charon: 15[CFG] received stroke: add connection 'remote-access'
Sep 15 10:04:29 AC1 charon: 15[CFG] added configuration 'remote-access'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading secrets
Sep 15 10:04:29 AC1 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 15 10:04:29 AC1 charon: 05[CFG]   loaded IKE secret for 46.38.234.19 %any
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'nat_traversal' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'virtual_private' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: ### 2 parsing errors (0 fatal) ###
Sep 15 10:04:29 AC1 xl2tpd[2868]: Not looking for kernel SAref support.
Sep 15 10:04:29 AC1 xl2tpd[2868]: This binary does not support kernel L2TP.
Sep 15 10:04:29 AC1 systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Sep 15 10:04:29 AC1 xl2tpd[2864]: Starting xl2tpd: xl2tpd.
Sep 15 10:04:29 AC1 xl2tpd[2869]: xl2tpd version xl2tpd-1.3.6 started on AC1.cldII.mybll.net PID:2869
Sep 15 10:04:29 AC1 xl2tpd[2869]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 15 10:04:29 AC1 xl2tpd[2869]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 15 10:04:29 AC1 xl2tpd[2869]: Inherited by Jeff McAdams, (C) 2002
Sep 15 10:04:29 AC1 xl2tpd[2869]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 15 10:04:29 AC1 xl2tpd[2869]: Listening on IP address 46.38.234.19, port 1701
Sep 15 10:04:31 AC1 systemd[1]: Stopped LSB: SNMP agents.
Sep 15 10:04:31 AC1 systemd[1]: Starting LSB: SNMP agents...
Sep 15 10:04:31 AC1 systemd[1]: Started LSB: SNMP agents.
Sep 15 10:04:31 AC1 snmpd[2928]: Starting SNMP services::  snmpd
Sep 15 10:04:31 AC1 sudo: pam_unix(sudo:session): session closed for user root
Sep 15 10:04:33 AC1 commit: Successful change to active configuration by user root on unknown
Sep 15 10:04:33 AC1 vyatta-router[1629]: Starting VyOS router: migrate rl-system firewall configure.
Sep 15 10:04:34 AC1 systemd[1]: Reloading.
Sep 15 10:04:34 AC1 systemd[1]: Started VyOS Router.
Sep 15 10:04:34 AC1 systemd[1]: Starting Getty on tty1...
Sep 15 10:04:35 AC1 systemd[1]: Started Getty on tty1.
Sep 15 10:04:35 AC1 systemd[1]: Starting Login Prompts.
Sep 15 10:04:35 AC1 systemd[1]: Reached target Login Prompts.
Sep 15 10:04:35 AC1 systemd[1]: Starting LSB: AWS EC2 instance init script to fetch and load ssh public key...
Sep 15 10:04:36 AC1 systemd[1]: Started LSB: AWS EC2 instance init script to fetch and load ssh public key.
Sep 15 10:04:36 AC1 systemd[1]: Starting Multi-User System.
Sep 15 10:04:36 AC1 systemd[1]: Reached target Multi-User System.
Sep 15 10:04:36 AC1 systemd[1]: Starting Graphical Interface.
Sep 15 10:04:36 AC1 systemd[1]: Reached target Graphical Interface.
Sep 15 10:04:36 AC1 systemd[1]: Starting Update UTMP about System Runlevel Changes...
Sep 15 10:04:37 AC1 systemd[1]: Started Update UTMP about System Runlevel Changes.
Sep 15 10:04:37 AC1 systemd[1]: Startup finished in 14.689s (kernel) + 1min 4.986s (userspace) = 1min 19.675s.

The following configuration is used (kept only DMVPN related stuff):

interfaces {
    tunnel tun100 {
        address xxx.xxx.253.134/29
        encapsulation gre
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-multipoint
                priority 2
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip xxx.xxx.234.19
        multicast enable
        parameters {
            ip {
                key xxxxxx
            }
        }
    }
}
protocols {
    nhrp {
        tunnel tun100 {
            cisco-authentication xxx
            holding-time 300
            multicast dynamic
            redirect
            shortcut
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-HUB {
            compression disable
            lifetime 1800
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-HUB {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 2
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/8 {
            }
            allowed-network xxx.xxx.0.0/12 {
            }
            allowed-network xxx.xxx.0.0/16 {
            }
        }
        nat-traversal enable
        profile NHRPVPN {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            bind {
                tunnel tun100
            }
            esp-group ESP-HUB
            ike-group IKE-HUB
        }
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server xxx.xxx.100.10 {
                    key xxxxxx
                }
                radius-server xxx.xxx.100.20 {
                    key xxxxxx
                }
            }
            client-ip-pool {
                start xxx.xxx.222.1
                stop xxx.xxx.222.14
            }
            dns-servers {
                server-1 xxx.xxx.254.31
                server-2 xxx.xxx.254.32
            }
            idle 180
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 60
                lifetime 600
            }
            mtu 1400
            outside-address xxx.xxx.234.19
            outside-nexthop xxx.xxx.234.19
        }
    }
}

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201809150337
Why the issue appeared?
Other
c-po created this task. Sep 15 2018, 8:12 AM
c-po assigned this task to dmbaturin.
c-po edited projects, added VyOS 1.2.x (VyOS 1.2.0-rc1); removed VyOS 1.2.x.
c-po added a subscriber: runar. Sep 18 2018, 5:37 PM

As requested by @runar:

VyOS 1.2.0-rolling+201808230337

cpo@AC1:~$ sudo swanctl --list-conns
remote-access-win-aaa: IKEv1, no reauthentication
  local:  46.38.234.19
  remote: %any
  local pre-shared key authentication:
    id: 46.38.234.19
  remote pre-shared key authentication:
  remote-access-win-aaa: TRANSPORT, no rekeying
    local:  dynamic[udp/l2f]
    remote: 0.0.0.0/0[udp/l2f]
  remote-access-mac-zzz: TRANSPORT, no rekeying
    local:  dynamic[udp/l2f]
    remote: 0.0.0.0/0[udp]
  remote-access: TRANSPORT, no rekeying
    local:  dynamic[udp/l2f]
    remote: 0.0.0.0/0
vpnprof-dmvpn-tun100: IKEv1, reauthentication every 3600s
  local:  %any
  remote: %any
  local pre-shared key authentication:
  remote pre-shared key authentication:
  dmvpn: TUNNEL, rekeying every 1800s
    local:  dynamic[gre]
    remote: dynamic[gre]

cpo@AC1:~$ cat /etc/swanctl/swanctl.conf
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
        vpnprof-dmvpn-tun100 {
                proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
                version = 1
                rekey_time = 3600s
                keyingtries = 0
                local {
                        auth = psk
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                                rekey_time = 1800s
                                rand_time = 540s
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                mode = tunnel
                        }
                }
        }
}
secrets {
        ike-dmvpn-tun100 {
                secret = supersecret
        }
}

VyOS 1.2.0-rolling+201809180337 both L2TP/IPSec and DMVPN

cpo@AC1:~$ sudo swanctl --list-conns
remote-access: IKEv1, no reauthentication, dpd delay 15s
  local:  46.38.234.19
  remote: %any
  local pre-shared key authentication:
    id: 46.38.234.19
  remote pre-shared key authentication:
  remote-access: TRANSPORT, no rekeying, dpd action is clear
    local:  dynamic[l2f]
    remote: dynamic
vpnprof-dmvpn-tun100: IKEv1, reauthentication every 3600s
  local:  %any
  remote: %any
  local pre-shared key authentication:
  remote pre-shared key authentication:
  dmvpn: TUNNEL, rekeying every 1800s
    local:  dynamic[gre]
    remote: dynamic[gre]
cpo@AC1:~$ cat /etc/swanctl/swanctl.conf
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
        vpnprof-dmvpn-tun100 {
                proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
                version = 1
                rekey_time = 3600s
                keyingtries = 0
                local {
                        auth = psk
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                                rekey_time = 1800s
                                rand_time = 540s
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                mode = tunnel
                        }
                }
        }
}
secrets {
        ike-dmvpn-tun100 {
                secret = supersecret
        }
}

VyOS 1.2.0-rolling+201809180337 L2TP/IPSec only

cpo@AC1# sudo swanctl --list-conns
remote-access: IKEv1, no reauthentication, dpd delay 15s
  local:  46.38.234.19
  remote: %any
  local pre-shared key authentication:
    id: 46.38.234.19
  remote pre-shared key authentication:
  remote-access: TRANSPORT, no rekeying, dpd action is clear
    local:  dynamic[l2f]
    remote: dynamic
[edit]

cpo@AC1# cat /etc/swanctl/swanctl.conf
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
[edit]

VyOS 1.2.0-rolling+201809180337 DMVPN only

cpo@AC1# sudo swanctl --list-conns
vpnprof-dmvpn-tun100: IKEv1, reauthentication every 3600s
  local:  %any
  remote: %any
  local pre-shared key authentication:
  remote pre-shared key authentication:
  dmvpn: TUNNEL, rekeying every 1800s
    local:  dynamic[gre]
    remote: dynamic[gre]
[edit]
cpo@AC1# cat /etc/swanctl/swanctl.conf
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
        vpnprof-dmvpn-tun100 {
                proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
                version = 1
                rekey_time = 3600s
                keyingtries = 0
                local {
                        auth = psk
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                                rekey_time = 1800s
                                rand_time = 540s
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                mode = tunnel
                        }
                }
        }
}
secrets {
        ike-dmvpn-tun100 {
                secret = supersecret
        }
}
[edit]
runar added a comment. Sep 20 2018, 8:21 AM

Hi @c-po !

I've now successfully labbed your config, and am able to get DMVPN up and running with your IPsec config:

DMVPN LAB Running on:
Version: VyOS 1.2.0-rolling+201809182126 (custom build)
Built by: root@af1ec0ccee08
Hardware vendor: QEMU

HUB

vyos@vyos1# show
 interfaces {
     ethernet eth0 {
         address dhcp
         duplex auto
         smp-affinity auto
         speed auto
     }
     ethernet eth1 {
         address 192.168.1.1/24
         duplex auto
         hw-id 52:54:00:00:00:11
         smp-affinity auto
         speed auto
     }
     loopback lo {
     }
     tunnel tun100 {
         address 192.168.2.1/24
         encapsulation gre
         ip {
             ospf {
                 dead-interval 40
                 hello-interval 10
                 network point-to-multipoint
                 priority 2
                 retransmit-interval 5
                 transmit-delay 1
             }
         }
         local-ip 192.168.1.1
         multicast enable
         parameters {
             ip {
                 key 1234
             }
         }
     }
 }
 protocols {
     nhrp {
         tunnel tun100 {
             cisco-authentication xxx
             holding-time 300
             multicast dynamic
             redirect
             shortcut
         }
     }
 }
 service {
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     console {
         device ttyS0 {
             speed 9600
         }
     }
     host-name vyos1
     login {
         user vyos {
             authentication {
                 encrypted-password $6$GaFsktRwXInDxnL$hUzWAnTxfHE0x6/h2NxgkxDE9czdri9kUcgVaw/M9dN1/W03dd83F7oLiwbOlRDgh8ztS0SeeNldM7KXXdzXQ1
                 plaintext-password ""
             }
             level admin
         }
     }
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
 vpn {
     ipsec {
         esp-group ESP-HUB {
             compression disable
             lifetime 1800
             mode tunnel
             pfs dh-group2
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-HUB {
             ikev2-reauth no
             key-exchange ikev1
             lifetime 3600
             proposal 1 {
                 dh-group 2
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth1
         }
         logging {
             log-level 2
         }
         nat-networks {
             allowed-network xxx.xxx.0.0/8 {
             }
             allowed-network xxx.xxx.0.0/12 {
             }
             allowed-network xxx.xxx.0.0/16 {
             }
         }
         nat-traversal enable
         profile NHRPVPN {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret topsecret
             }
             bind {
                 tunnel tun100
             }
             esp-group ESP-HUB
             ike-group IKE-HUB
         }
     }
 }

SPOKE

vyos@vyos2# show
 interfaces {
     ethernet eth0 {
         address dhcp
         duplex auto
         smp-affinity auto
         speed auto
     }
     ethernet eth1 {
         address 192.168.1.2/24
         duplex auto
         hw-id 52:54:00:00:00:22
         smp-affinity auto
         speed auto
     }
     loopback lo {
     }
     tunnel tun100 {
         address 192.168.2.2/24
         encapsulation gre
         ip {
             ospf {
                 dead-interval 40
                 hello-interval 10
                 network point-to-multipoint
                 priority 2
                 retransmit-interval 5
                 transmit-delay 1
             }
         }
         local-ip 192.168.1.2
         multicast enable
         parameters {
             ip {
                 key 1234
             }
         }
     }
 }
 protocols {
     nhrp {
         tunnel tun100 {
             cisco-authentication xxx
             holding-time 300
             map 192.168.2.1/24 {
                 cisco
                 nbma-address 192.168.1.1
                 register
             }
             multicast nhs
             redirect
             shortcut
         }
     }
 }
 service {
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     console {
         device ttyS0 {
             speed 9600
         }
     }
     host-name vyos2
     login {
         user vyos {
             authentication {
                 encrypted-password $6$GaFsktRwXInDxnL$hUzWAnTxfHE0x6/h2NxgkxDE9czdri9kUcgVaw/M9dN1/W03dd83F7oLiwbOlRDgh8ztS0SeeNldM7KXXdzXQ1
                 plaintext-password ""
             }
             level admin
         }
     }
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
 vpn {
     ipsec {
         esp-group ESP-HUB {
             compression disable
             lifetime 1800
             mode tunnel
             pfs dh-group2
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-HUB {
             ikev2-reauth no
             key-exchange ikev1
             lifetime 3600
             proposal 1 {
                 dh-group 2
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth1
         }
         logging {
             log-level 2
         }
         nat-networks {
             allowed-network xxx.xxx.0.0/8 {
             }
             allowed-network xxx.xxx.0.0/12 {
             }
             allowed-network xxx.xxx.0.0/16 {
             }
         }
         nat-traversal enable
         profile NHRPVPN {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret topsecret
             }
             bind {
                 tunnel tun100
             }
             esp-group ESP-HUB
             ike-group IKE-HUB
         }
     }
 }
syncer triaged this task as Normal priority. Sep 25 2018, 2:03 PM
c-po added a comment. Oct 8 2018, 6:50 PM

The problem still exists using VyOS 1.2.0-rc1.

The DMVPN tunnel briefly comes up (VyOS DMVPN HUB with Cisco 2811 spoke) and I see an OSPF route in my OSPF network.
The route is inserted on the VyOS HUB and goes away rather soon.

Oct  8 19:50:00 vyos ospfd[1691]: Packet[DD]: Neighbor 172.16.254.10 Negotiation done (Master).
Oct  8 19:50:00 vyos ospfd[1691]: AdjChg: Nbr 172.16.254.10 on tun100:172.16.253.134: Loading -> Full (LoadingDone)
Oct  8 19:50:00 vyos ospfd[1691]: LSA[Type5:0.0.0.0]: Not originate AS-external-LSA for default
Oct  8 19:50:10 vyos zebra[1652]: [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0
Oct  8 19:50:38 vyos zebra[1652]: message repeated 6 times: [ [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0]
Oct  8 19:50:41 vyos ospfd[1691]: AdjChg: Nbr 172.16.254.10 on tun100:172.16.253.134: Full -> Init (1-WayReceived)
Oct  8 19:50:50 vyos zebra[1652]: [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0
Oct  8 19:51:08 vyos zebra[1652]: message repeated 2 times: [ [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0]
Oct  8 19:51:20 vyos ospfd[1691]: Packet[DD]: Neighbor 172.16.254.10 Negotiation done (Master).
Oct  8 19:51:20 vyos ospfd[1691]: AdjChg: Nbr 172.16.254.10 on tun100:172.16.253.134: Loading -> Full (LoadingDone)
Oct  8 19:51:20 vyos ospfd[1691]: LSA[Type5:0.0.0.0]: Not originate AS-external-LSA for default
Oct  8 19:51:30 vyos zebra[1652]: [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0
Oct  8 19:51:59 vyos zebra[1652]: message repeated 6 times: [ [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0]
Oct  8 19:52:06 vyos ospfd[1691]: AdjChg: Nbr 172.16.254.10 on tun100:172.16.253.134: Full -> Init (1-WayReceived)
Oct  8 19:52:16 vyos zebra[1652]: [EC 4043309088] Unknown netlink nlmsg_type RTM_GETNEIGH(30) vrf 0

The Cisco IOS configuration is:

crypto pki token default removal timeout 0
crypto keyring DMVPN
  pre-shared-key address 1.2.3.4 key <secretkey>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address x.x.234.19 255.255.255.255
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256
!
interface Tunnel10
 description Tunnel to DMVPN HUB
 ip address 172.16.253.129 255.255.255.248
 no ip redirects
 ip nhrp authentication <nhrp secret key>
 ip nhrp map multicast x.x.234.19
 ip nhrp map 172.16.253.134 11.22.33.44
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.253.134
 ip nhrp registration timeout 75
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1

After the tunnel was up for a short time, it doesn't come up again. IMHO this change is caused by the StrongSwan 5.5.1 -> 5.6.2 update.

c-po added a comment. Oct 9 2018, 7:31 AM

Killing OpenNHRP as suggested by @runar and relaunching it with:

$ sudo pkill opennhrp
$ sudo /usr/sbin/opennhrp -v -a /var/run/opennhrp.socket -c /etc/opennhrp/opennhrp.conf -s /etc/opennhrp/opennhrp-script -p /var/run/opennhrp.pid

gave the following log:

opennhrp[3711]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
opennhrp[3711]: Interface lo: configured UP, mtu=0
opennhrp[3711]: Interface eth0: configured UP, mtu=1500
opennhrp[3711]: Interface gre0: config change, mtu=1476
opennhrp[3711]: Interface gretap0: config change, mtu=1462
opennhrp[3711]: Interface erspan0: config change, mtu=1450
opennhrp[3711]: Interface tun100: configured UP, mtu=1472
opennhrp[3711]: Interface tun100: GRE configuration changed. Purged 0 peers.
opennhrp[3711]: Interface vtun30: configured UP, mtu=1500
opennhrp[3711]: Interface vtun20: configured UP, mtu=1500
opennhrp[3711]: Adding local 172.16.253.134/32 dev tun100
opennhrp[3711]: Adding local 172.16.253.135/32 alias 172.16.253.134 dev tun100
opennhrp[3711]: Adding local-route 172.16.253.134/32 dev tun100
opennhrp[3711]: Filter code installed (21 opcodes)
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Received Registration Request from proto src 172.16.253.129 to 172.16.253.134
opennhrp[3711]: [172.16.253.129] Peer registration authorized
opennhrp[3711]: Adding dynamic 172.16.253.129/32 nbma 217.249.217.93 dev tun100 mtu 17912 expires_in 9:59
opennhrp[3711]: Sending Registration Reply from proto src 172.16.253.134 to 172.16.253.129 (1 bindings accepted, 0 rejected)
Error: either "to" is duplicate, or "uid" is a garbage.
Create link from 172.16.253.134 (46.38.234.19) to 172.16.253.129 (217.249.217.93)
opennhrp[3711]: [172.16.253.129] Peer up script: success
opennhrp[3711]: NL-ARP(tun100) 172.16.253.129 is-at 217.249.217.93
opennhrp[3711]: [172.16.253.129] Peer inserted to multicast list
opennhrp[3711]: Sending packet 4, from: 172.16.253.129 (nbma 217.249.217.93), to: 172.16.253.134 (nbma 217.249.217.93)
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Removing dynamic 172.16.253.129/32 nbma 217.249.217.93 dev tun100 mtu 17912 used up expires_in 9:44
opennhrp[3711]: Adding local-route 172.16.253.129/32 nexthop 172.16.253.129 dev tun100
opennhrp[3711]: NL-ARP(tun100) 172.16.253.129 not-reachable
Delete link from 172.16.253.134 (46.38.234.19) to 172.16.253.129 (217.249.217.93)
RTNETLINK answers: No such process
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: Removing local-route 172.16.253.129/32 nexthop 172.16.253.129 dev tun100 up
opennhrp[3711]: Multicast from 172.16.253.134 to 224.0.0.5
opennhrp[3711]: NL-ARP(tun100) who-has 172.16.253.129
opennhrp[3711]: Removing local 172.16.253.135/32 alias 172.16.253.134 dev tun100 up
opennhrp[3711]: Removing local 172.16.253.134/32 dev tun100 up
opennhrp[3711]: Removing local-route 172.16.253.134/32 dev tun100 up

Re-enabling cisco_unity has no effect.

c-po added a comment. Oct 9 2018, 7:15 PM

Okay, the above error

opennhrp[3711]: Sending Registration Reply from proto src 172.16.253.134 to 172.16.253.129 (1 bindings accepted, 0 rejected)
Error: either "to" is duplicate, or "uid" is a garbage.
Create link from 172.16.253.134 (46.38.234.19) to 172.16.253.129 (217.249.217.93)

can be fixed by replacing

ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`

in /etc/opennhrp/opennhrp-script with

ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1 | sed 's/uid.*//'`

Unfortunately the tunnel still does not come up.

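The `uid` token that newer iproute2 releases append to `ip route get` output is what the `ip route` command consuming `$ARGS` in opennhrp-script chokes on. The added example below (written for this page, not code from VyOS or OpenNHRP) puts the sed strip from the comment next to an allow-list variant that rebuilds the argument list from known keywords only, so any further field that `ip route get` starts printing is dropped rather than passed on; the `ip route get` lines are constructed samples and no real `ip` command is run.

```shell
#!/bin/sh
# Constructed samples of `ip route get <dst> from <src>` output on a host with
# newer iproute2: the trailing "uid N" token is the one `ip route add` rejects
# with: either "to" is duplicate, or "uid" is a garbage.
SAMPLE_GET_FROM='217.249.217.93 from 46.38.234.19 via 46.38.234.1 dev eth0 uid 0
    cache'
SAMPLE_GET_TABLE='10.0.0.5 via 192.0.2.1 dev eth0 table main src 192.0.2.10 uid 1000
    cache'

# The original (unfixed) opennhrp-script behaviour: first line, nothing filtered.
route_args_raw() {
    printf '%s\n' "$1" | head -n 1
}

# The fix from the comment, slightly hardened: drop "uid ..." together with
# the whitespace in front of it so no stray trailing blank is passed on.
route_args_sed() {
    printf '%s\n' "$1" | head -n 1 | sed -e 's/[[:space:]]*uid[[:space:]].*$//'
}

# Allow-list variant (goes beyond the page): keep the destination plus known
# keyword/value pairs only; uid, table, cache, metric and anything new are
# discarded instead of breaking the peer-up script again.
route_args_allowlist() {
    first=$(printf '%s\n' "$1" | head -n 1)
    set -- $first
    [ $# -gt 0 ] || return 1
    out=$1; shift
    # Route-type prefix (e.g. "local 127.0.0.1 ..."): keep the address too.
    case $out in
        local|unicast|broadcast|multicast|unreachable|prohibit|blackhole|throw)
            [ $# -gt 0 ] || return 1
            out="$out $1"; shift ;;
    esac
    while [ $# -gt 0 ]; do
        case $1 in
            from|via|dev|src)
                [ $# -ge 2 ] || return 1
                out="$out $1 $2"; shift 2 ;;
            *) shift ;;   # uid N, table X, cache, metric N ...: not wanted
        esac
    done
    printf '%s\n' "$out"
}

# Pre-flight check to run before `ip route add $ARGS ...`: succeeds only if
# no "uid" token survived the sanitising step.
route_args_ok() {
    case " $1 " in
        *" uid "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration: set ROUTE_ARGS_DEMO=1 to compare the three
# strategies on the constructed sample.
if [ "${ROUTE_ARGS_DEMO:-0}" = 1 ]; then
    for fn in route_args_raw route_args_sed route_args_allowlist; do
        args=$($fn "$SAMPLE_GET_FROM")
        if route_args_ok "$args"; then status=ok; else status=REJECTED; fi
        printf '%-20s %-8s %s\n' "$fn" "$status" "$args"
    done
fi
```
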
c-po added a comment. Edited Oct 9 2018, 8:43 PM

Ok, I can confirm that the above config from @runar works for this setup using all VyOS 1.2.0-rc images.

+-----+      +-----+                   +-----+     +-----+
| LR1 |------| CR1 |---OSPF BACKBONE---| CR2 |-----| LR2 |
+-----+      +-----+                   +-----+     +-----+
`------------------´                   `-----------------´
      ESXi 6.7                               ESXi 6.7
       node 1                                 node 2

DMVPN tunnel spans from LR1(eth1) to LR2(eth1). Looks like the problem is related to the Cisco client. My gut feeling tells me it's a StrongSwan/IPsec thing.

c-po added a comment. Oct 11 2018, 7:31 PM

Okay, the problem is not DMVPN relevant. I have a weird OSPF routing problem. When disabling OSPF between both routers everything is ok.

c-po removed dmbaturin as the assignee of this task. Oct 11 2018, 7:32 PM
c-po closed this task as Invalid.
c-po changed Why the issue appeared? from Will be filled on close to Other.
c-po added a subscriber: dmbaturin.