OpenWrt Forum Archive

Topic: NHRP how to

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
gueroh
11 Nov 2011, 16:27

HI all

I'm trying to create a DMVPN aganist a Cisco box. This is driving me crazy. I'm using Backfire 10.03.1_RC5 on a Virtual Machine. I ahve Cisco acting as HUB and another Cisco as Spoke. They are working together correctly.

here is the installed module I have on OpenWRT

root@OpenWrt:/# opkg list-installed
base-files - 43.20-unknown
busybox - 1.15.3-2
dnsmasq - 2.55-6
dropbear - 0.52-4
firewall - 2-26
grub - 0.97-3
hotplug2 - 1.0-beta-3
ip - 2.6.29-1-2
ipsec-tools - 0.7.3-3
iptables - 1.4.6-2
iptables-mod-conntrack - 1.4.6-2
iptables-mod-nat - 1.4.6-2
kernel - 2.6.32.27-1
kmod-3c59x - 2.6.32.27-1
kmod-8139too - 2.6.32.27-1
kmod-crc-ccitt - 2.6.32.27-1
kmod-crypto-core - 2.6.32.27-1
kmod-crypto-des - 2.6.32.27-1
kmod-crypto-hmac - 2.6.32.27-1
kmod-crypto-md5 - 2.6.32.27-1
kmod-crypto-sha1 - 2.6.32.27-1
kmod-e100 - 2.6.32.27-1
kmod-e1000 - 2.6.32.27-1
kmod-gre - 2.6.32.27-1
kmod-ipsec - 2.6.32.27-1
kmod-ipsec4 - 2.6.32.27-1
kmod-ipt-conntrack - 2.6.32.27-1
kmod-ipt-core - 2.6.32.27-1
kmod-ipt-nat - 2.6.32.27-1
kmod-ipt-nathelper - 2.6.32.27-1
kmod-iptunnel4 - 2.6.32.27-1
kmod-libphy - 2.6.32.27-1
kmod-natsemi - 2.6.32.27-1
kmod-ne2k-pci - 2.6.32.27-1
kmod-pcnet32 - 2.6.32.27-1
kmod-ppp - 2.6.32.27-1
kmod-pppoe - 2.6.32.27-1
kmod-r8169 - 2.6.32.27-1
kmod-sis900 - 2.6.32.27-1
kmod-tg3 - 2.6.32.27-1
kmod-via-rhine - 2.6.32.27-1
kmod-via-velocity - 2.6.32.27-1
libc - 0.9.30.1-43.20
libcares - 1.7.4-1
libgcc - 4.1.2-43.20
libip4tc - 1.4.6-2
libiwinfo - 15
liblua - 5.1.4-7
libncurses - 5.7-2
libopenssl - 0.9.8p-1
libuci - 12012009.6-3
libuci-lua - 12012009.6-3
libxtables - 1.4.6-2
lua - 5.1.4-7
luci - 0.10+svn7292-1
luci-app-firewall - 0.10+svn7292-1
luci-i18n-english - 0.10+svn7292-1
luci-lib-core - 0.10+svn7385-1
luci-lib-ipkg - 0.10+svn7292-1
luci-lib-lmo - 0.10+svn7385-1
luci-lib-nixio - 0.10+svn7385-1
luci-lib-sys - 0.10+svn7385-1
luci-lib-web - 0.10+svn7385-1
luci-mod-admin-core - 0.10+svn7292-1
luci-mod-admin-full - 0.10+svn7292-1
luci-sgi-cgi - 0.10+svn7385-1
luci-theme-base - 0.10+svn7385-1
luci-theme-openwrt - 0.10+svn7385-1
mtd - 13
nano - 2.2.6-1
opennhrp - 0.11.3-1
opkg - 576-1
ppp - 2.4.4-16
ppp-mod-pppoe - 2.4.4-16
uci - 12012009.6-3
udevtrigger - 106-1
uhttpd - 22
zlib - 1.2.3-5

Below the configuration files

root@OpenWrt:/# vi /etc/ipsec-tools.conf


#!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
  spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
root@OpenWrt:/# vi /etc/racoon.conf
}
 path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
   exchange_mode main,aggressive;
   lifetime time 24 hour;
   # nat_traversal on;
    script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
    proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
     authentication_method pre_shared_key;
     dh_group 5;
                }
         }
      sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
  }
root@OpenWrt:/# vi /etc/racoon/psk.txt
# IPv4/v6 addresses
172.16.250.3 1234
interface gre1
        map 22.22.255.1/24 172.16.250.3 register cisco
        cisco-authentication 1234
        shortcut

Than when I try to load the IP Gre module it is not recognized and all the commands after that fail.

root@OpenWrt:/# insmod ip_gre
insmod: can't insert 'ip_gre': unknown symbol in module, or unknown parameter
root@OpenWrt:/#    ip tunnel add gre1 mode gre key 1234 ttl 64
ioctl: No such device
root@OpenWrt:/#    ip addr add 22.22.255.1/24 dev gre1
Cannot find device "gre1"
root@OpenWrt:/#    ip tunnel change gre1 local 172.16.250.24
ioctl: No such device
root@OpenWrt:/#    ip link set gre1 up
Cannot find device "gre1"
root@OpenWrt:/#

Any suggestions where I configuring incorrectly?

Am I missing something?

Thanks to you all in advance.


Cristiano

Post #2
MatusK
20 Nov 2015, 14:22

Hello. I was struggling to find kind of complete procedure/example explaining how to configure DMVPN on OpenWRT in step by step tutorial, covering all needed parts, so I hope this will help some newbies like me to make it a bit easier...
Most of the configurations/procedures were sourced from OpenWRT offical wiki and articles found / referenced there.
This procedure was used to set-up an virtual DMVPN network (Tier1) with one DMVPN HUB (CISCO) and 3 spokes (2 CISCO + 1 OpenWRT - ChaosCalmer). IPSec in transport mode over GRE used racoon configuration script/method (RoadWarrior configuration mode is used). OSPF routing protocol is also implemented (Quagga on OpenWRT).
This configuration was tested on GNC3 and was working nicely.

For making this simple all keys & passwords used here in this example were all set to 1234.
Also FW configuration is not included in this article.
How to set up FW for racoon is nicely described on OpenWRT wiki here:
https://wiki.openwrt.org/doc/howto/vpn. … all.racoon
(I didn't test it with the configuration example bellow)

**********************************************************************************

To make DMVPN work on OpenWRT you also need to implement IPsec (Racoon).
At first I tried to make DMVPN work without IPSec but wasn't able to ...

The procedures/configs in this article were tested on the following example:

CISCO R1 (HUB):
    internal int f0/0 : 192.168.10.1/24
    external int f1/0 : 192.168.0.1/24
    tunnel int Tunnel0: 10.0.0.1/29 on f1/0

CISCO R2 (SPOKE):
    internal int f0/0 : 192.168.20.1/24
    external int f1/0 : 192.168.0.2/24
    tunnel int Tunnel0: 10.0.0.2/29 on f1/0

CISCO R3 (SPOKE):
    internal int f0/0 : 192.168.30.1/24
    external int f1/0 : 192.168.0.3/24
    tunnel int Tunnel0: 10.0.0.3/29 on f1/0

OpenWRT (SPOKE):
    internal int br-lan (eth0): 192.168.40.1/24
    external int eth1 :         192.168.0.4/24
    tunnel int gre0:           10.0.0.3/29 on f1/0

All external interfaces were interconnected (network 192.168.0.0/24).
All routers configured with PAT.

*************************************************************************************

1.

install packages

ipsec-tools => racoon, setkey, and kernel encryption modules
kmod-crypto-authenc => Module for block cipher modes (AEAD) (automatically installed with ipsec-tools in latest trunk)
kmod-ipsec => Basic security module (automatically installed with ipsec-tools in latest trunk)
kmod-ipsec4 => IPv4 security module
kmod-ipsec6 => IPv6 security module
ip => Required to make scripting easier
openssl-util => Certificate handling
iptables-mod-nat-extra => For VPN networks with overlapping IP addresses
ip6tables => IPv6 firewall support
opennhrp => OpenNHRP
*************************************************************************************

2.
- create the file /etc/init.d/racoon  and insert the script from the webpage as described on OpenWRT wiki here:

https://wiki.openwrt.org/doc/howto/vpn. … ics.racoon

I had to comment out 9th line of the script as I didn't find /etc/functions.sh file in my OpenWRT:


#. /etc/functions.sh
**********************************************************************************

3. 
Continue as described in the one of the last sections on OpenWRT wiki:

An automatic reload of security policies after a router reconnect - create a script like this in /etc/hotplug.d/iface/35

-racoon  :

#!/bin/sh

ListenInterface() {
  local iface="$1"
  if [ "$INTERFACE" = "$iface" ]; then
    /etc/init.d/racoon restart
  fi
}

RacoonInstance() {
  config_list_foreach "$1" listen ListenInterface
}

if [ "$ACTION" = "ifup" ]; then
  config_load racoon
  config_foreach RacoonInstance racoon
fi
********************************************************************************

4. 

Create/edit the file /etc/ipsec-tools.conf as follows:

    #!/usr/sbin/setkey -f

    spdflush;
    flush;
    spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
    spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

*********************************************************************************
Note: to check if proper SPDs are inserted in kernel use command: setkey -DP
for manuall adding rules as defined in the config file use: setkey -f /etc/ipsec-tools.conf

! to trigger racoon an initial security policy database (SPD) must be created
by loading routes defined in /etc/ipsec-tools.conf and executing: setkey -f /etc/ipsec-tools.conf
*********************************************************************************

5.

Create/edit/modify the racoon config file  /etc/config/racoon as needed.
(note the settings here should match CISCO HUB/spokes settings)
I decided to use 3des,md5,group2 and pre-shared key on Phase1(ISAKMP), and 3des,md5 and group2 on Phase2 (SA):

    config 'racoon'

    #once finished with racoon debugging change foreground
    #and debugging modes below to '0'

      option 'foreground' '1'
      option 'debug' '1'
      option 'zone' 'vpn'
      list   'listen' 'wan'

    config 'tunnel' 'GRE'
      option 'enabled' '1'
      option 'nat_traversal' 'off'
      option 'remote' 'anonymous'
      option 'dpd_delay' '30'
      option 'remote_device' 'cisco'
      option 'pre_shared_key' '1234'
      option 'exchange_mode' 'main'
      option 'my_identifier' 'openwrt'
      list   'p1_proposal' 'pre_g2_3des_md5'
      list   'sainfo' 'R1_LAN'

    config 'p1_proposal' 'pre_g2_3des_md5'
      option 'lifetime' '28800'
      option 'encryption_algorithm' '3des'
      option 'hash_algorithm' 'md5'
      option 'authentication_method' 'pre_shared_key'
      option 'dh_group' '2'

    config 'sainfo' 'R1_LAN'
      option 'remote_subnet' '192.168.10.0/24'
      option 'local_subnet' '192.168.40.0/24'
      option 'p2_proposal' 'g2_3des_sha1'

    config 'p2_proposal' 'g2_3des_sha1'
      option 'lifetime' '120'
      option 'pfs_group' '2'
      option 'encryption_algorithm' '3des'
      option 'authentication_algorithm' 'hmac_md5'


**********************************************************************************
Note:
/etc/racoon.conf file is ignored by RACOON and the settings are taken from  /var/racoon/racoon.conf which is generated by script in /etc/init.d/racoon and setting in /etc/config/racoon

The file /etc/racoon/psk.txt is also ignored and keys are also read from /etc/config/racoon (option 'pre_shared_key' '1234')

Make a dry run from command line: Enable forground operation in /etc/config/racoon by setting option 'foreground' '1' in
the section racoon and call /etc/init.d/racoon start. This will show you if there are any errors in your generated configuration file /var/racoon/racoon.conf
********************************************************************************

6.  Create/modify the file /etc/opennhrp/opennhrp.conf as needed:

    interface gre1
       map 10.0.0.1/29 192.168.0.1 register cisco
       cisco-authentication 1234
       shortcut
       multicast dynamic

***********************************************************************************

7.  to create tunnel and bring it up execute the following:

    ip tunnel add gre1 mode gre key 1234 ttl 64
    ip addr add 10.0.0.4/29 dev gre1
    ip tunnel change gre1 local 192.168.0.4
    ip link set gre1 up

**************************************************
Note: to execute these commands at the boot time I created a script (name it for ex. /etc/racoon/gre-tunnel-up.sh), gave it exec privileges, put some delay at the begining of the script (sleep 1m), paste the above commands after sleep command, and finally call this script in rc.local to be ran in the background =>edit /etc/rc.local and insert this line at the end of the file:

/etc/racoon/gre-tunnel-up.sh &


Create this file: /etc/racoon/gre-tunnel-up.sh to have following content :

    #!/bin/sh

    #wait 1 minute
    sleep 1m

    #create GRE tunnel and bring it up


    ip tunnel add gre1 mode gre key 1234 ttl 64
    ip addr add 10.0.0.4/29 dev gre1
    ip tunnel change gre1 local 192.168.0.4
    ip mtu 1438
    ip link set gre1 up

    #line bellow was added due to required reducing of MTU on GRE tunnel to match MTU on CISCO devices
    #original size was set to 1472, on CISCO side is 1438

    ifconfig gre1 mtu 1438


    #to trigger racoon an initial security policy database (SPD) must be created

    setkey -f /etc/ipsec-tools.conf


***********************************************************************************

8. CISCO R1 (HUB) IPSEC and Tunnel interface configuration  :


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 10.0.0.1 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile protect-gre
!



*************************************************************************************************
9. CISCO R2(SPOKE)


!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 10.0.0.2 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 192.168.0.1
ip nhrp map multicast 192.168.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile protect-gre
!



*******************************
CISCO SPOKE R3(SPOKE)


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description R3 mGRE - DMVPN Tunnel
ip address 10.0.0.3 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 192.168.0.1
ip nhrp map multicast 192.168.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile protect-gre
!



*******************************************************************************************
Note:
to check if DMVPN is created you can use "show dmvpn" command
to check ipsec : "show crypto session"
to debug : "debug crypto isakmp" resp. "debug crypto ipsec"




*****************************************************************
***    OSPF installation & set up (CISCO +  OpenWRT:quagga -> zebra & ospfd )    ***
*****************************************************************

CISCO R1 (HUB):

!
interface Tunnel0
.
.

  ip ospf network broadcast
  ip ospf hello-interval 30
  ip ospf priority 255
.
.

!
router ospf 1
router-id 10.0.0.1
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.


***********************************************
CISCO R2 (SPOKE)
!
interface Tunnel0
ip ospf network non-broadcast
.
.
!
router ospf 1
router-id 10.0.0.2
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.
***********************************************

CISCO R3 (SPOKE)
!
interface Tunnel0
ip ospf network non-broadcast
.
.
!
router ospf 1
router-id 10.0.0.3
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.30.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.
************************************************


On OpenWRT:

opkg install quagga quagga-zebra quagga-ospfd

*******************************************************************************************
Create/modify your file /etc/quagga/ospfd.conf  to look like this :

!
! Zebra configuration saved from vty
!   2015/11/18 13:21:47
!
password zebra
!
!
!create log file and put it's location over there
log file /var/log/ospfd.log
!
!
interface br-lan
!
interface eth0
!
interface eth1
!
interface gre0
!
!set GRE tunnel OSPF parameters (if are different) to match the HUB ones:
interface gre1
ip ospf network non-broadcast
ip ospf hello-interval 30
ip ospf dead-interval 120
ip ospf mtu-ignore
!
interface gretap0
!
interface lo
!
!set passive interfaces (those which don't use OSPF), and add networks to be advertised over OSPF
router ospf
ospf router-id 10.0.0.4
passive-interface eth0
passive-interface eth2
passive-interface eth3
passive-interface eth4
passive-interface gre0
network 10.0.0.0/29 area 0.0.0.0
network 192.168.40.0/24 area 0.0.0.0
!

access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
access-class vty
!
*******************************


Create/modify your /etc/quagga/zebra.conf to look like this:

!
! Zebra configuration saved from vty
!   2015/11/13 14:24:25
!
password zebra
!
debug zebra events
!
!create log file and put it's location over there
log file /var/log/zebra.log
!
interface br-lan
link-detect
ipv6 nd suppress-ra
!
interface eth0
link-detect
ipv6 nd suppress-ra
!
interface eth1
link-detect
ipv6 nd suppress-ra
!
interface gre0
ipv6 nd suppress-ra
!
interface gre1
link-detect
ipv6 nd suppress-ra
!
interface gretap0
ipv6 nd suppress-ra
!
interface lo
!
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
ip forwarding
ipv6 forwarding
!
!
line vty
access-class vty
!
*********************************************************************
Note: once you start OSPF you can check debug info in specified log files,
once all is working as expected disable logging
*********************************************************************
Note2: to make OSPF work, I had to adjust hello-interval & dead-interval (both in ospfd.conf),
and MTU size (in gre-tunnel-up.sh script) to match the HUB OSPF settings
*********************************************************************
For troubleshooting on CISCO devices I found useful mainly these commands:
    show ip ospf neighbor
    show ip ospf interface
    show ip interface
    debug ip ospf packet
    debug ip ospf hello

**************************************************************************************************

That should be all.
Enjoy.


*Later I made a small modification - created dual cloud DMVPN solution by setting router R2 as a DMVPN HUB in the second cloud (created second set of tunnel interfaces connecting all routers in a second virtual network/cloud). This second cloud should make connections & routing possible in case that 1st cloud goes down.

** I would like to thank to Michal D. for all his advises and for bringing OpenWRT into my life smile

Matus

(Last edited by MatusK on 20 Nov 2015, 14:29)

Post #3
mazilo
20 Nov 2015, 14:45

I don't have a need for this, yet. But, I do like to thank you for sharing this here. nice work.

Post #4
wuhao0015
6 Dec 2016, 04:54

nice work, but i have a question. i use pppoe connect to the internet, and my public internet ip will change everyday,and the gre1 will down . how to solve this problem?

The discussion might have continued from here.