Hello. I was struggling to find a complete step-by-step procedure/example explaining how to configure DMVPN on OpenWRT, covering all the needed parts, so I hope this will help some newbies like me and make it a bit easier...
Most of the configurations/procedures were sourced from the OpenWRT official wiki and the articles found / referenced there.
This procedure was used to set up a virtual DMVPN network (Tier1) with one DMVPN HUB (CISCO) and 3 spokes (2 CISCO + 1 OpenWRT - Chaos Calmer). IPsec in transport mode protecting the GRE tunnel is configured with the racoon configuration script/method (RoadWarrior configuration mode is used). The OSPF routing protocol is also implemented (Quagga on OpenWRT).
This configuration was tested on GNS3 and was working nicely.
To keep this simple, all keys & passwords used in this example were set to 1234.
Also, FW configuration is not included in this article.
How to set up the FW for racoon is nicely described on the OpenWRT wiki here:
https://wiki.openwrt.org/doc/howto/vpn. … all.racoon
(I didn't test it with the configuration example below)
**********************************************************************************
To make DMVPN work on OpenWRT you also need to implement IPsec (Racoon).
At first I tried to make DMVPN work without IPSec but wasn't able to ...
The procedures/configs in this article were tested on the following example:
CISCO R1 (HUB):
internal int f0/0 : 192.168.10.1/24
external int f1/0 : 192.168.0.1/24
tunnel int Tunnel0: 10.0.0.1/29 on f1/0
CISCO R2 (SPOKE):
internal int f0/0 : 192.168.20.1/24
external int f1/0 : 192.168.0.2/24
tunnel int Tunnel0: 10.0.0.2/29 on f1/0
CISCO R3 (SPOKE):
internal int f0/0 : 192.168.30.1/24
external int f1/0 : 192.168.0.3/24
tunnel int Tunnel0: 10.0.0.3/29 on f1/0
OpenWRT (SPOKE):
internal int br-lan (eth0): 192.168.40.1/24
external int eth1 : 192.168.0.4/24
tunnel int gre1: 10.0.0.4/29 on eth1
All external interfaces were interconnected (network 192.168.0.0/24).
All routers configured with PAT.
*************************************************************************************
1. Install the following packages:
ipsec-tools => racoon, setkey, and kernel encryption modules
kmod-crypto-authenc => Module for block cipher modes (AEAD) (automatically installed with ipsec-tools in latest trunk)
kmod-ipsec => Basic security module (automatically installed with ipsec-tools in latest trunk)
kmod-ipsec4 => IPv4 security module
kmod-ipsec6 => IPv6 security module
ip => Required to make scripting easier
openssl-util => Certificate handling
iptables-mod-nat-extra => For VPN networks with overlapping IP addresses
ip6tables => IPv6 firewall support
opennhrp => OpenNHRP
*************************************************************************************
2. Create the file /etc/init.d/racoon and insert the script from the webpage as described on the OpenWRT wiki here:
https://wiki.openwrt.org/doc/howto/vpn. … ics.racoon
I had to comment out the 9th line of the script as I didn't find the /etc/functions.sh file in my OpenWRT:
#. /etc/functions.sh
**********************************************************************************
3. Continue as described in one of the last sections of the OpenWRT wiki:
An automatic reload of security policies after a router reconnect - create a script like this in /etc/hotplug.d/iface/35-racoon :
#!/bin/sh
# restart racoon when one of the interfaces it listens on comes up
ListenInterface() {
    local iface="$1"
    if [ "$INTERFACE" = "$iface" ]; then
        /etc/init.d/racoon restart
    fi
}
RacoonInstance() {
    config_list_foreach "$1" listen ListenInterface
}
if [ "$ACTION" = "ifup" ]; then
    config_load racoon
    config_foreach RacoonInstance racoon
fi
********************************************************************************
4. Create/edit the file /etc/ipsec-tools.conf as follows:
#!/usr/sbin/setkey -f
spdflush;
flush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
*********************************************************************************
Note: to check that the proper SPD entries are inserted in the kernel use the command: setkey -DP
To manually add the policies defined in the config file use: setkey -f /etc/ipsec-tools.conf
! To trigger racoon, an initial security policy database (SPD) must be created
by loading the policies defined in /etc/ipsec-tools.conf, i.e. by executing: setkey -f /etc/ipsec-tools.conf
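As an added example (not code from the original post), the following script parses what setkey -DP prints and verifies that both policies from /etc/ipsec-tools.conf (GRE in and out bound to esp/transport//require) are actually loaded, so a spoke that silently lost its SPD after a reboot is caught before you start debugging racoon. SAMPLE_SPD is constructed to mirror the two spdadd lines above; the function names are this example's own.

```python
"""Check that the kernel SPD holds the two policies from /etc/ipsec-tools.conf.

Added example, not code from the original post: it parses the text that
`setkey -DP` prints and verifies that GRE in both directions is bound to
'esp/transport//require', which is what makes racoon negotiate the SA.
SAMPLE_SPD is constructed to mirror the two spdadd lines in the post; the
function names are this example's own.
"""
import re
import subprocess

# Constructed sample of `setkey -DP` output for the two policies in the post.
SAMPLE_SPD = """\
0.0.0.0/0[any] 0.0.0.0/0[any] gre
    in ipsec
    esp/transport//require
    spid=2 seq=1 pid=1234
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
    out ipsec
    esp/transport//require
    spid=1 seq=0 pid=1234
    refcnt=1
"""

# The policies /etc/ipsec-tools.conf installs: (src, dst, direction, rule).
REQUIRED = {
    ("0.0.0.0/0", "0.0.0.0/0", "in", "esp/transport//require"),
    ("0.0.0.0/0", "0.0.0.0/0", "out", "esp/transport//require"),
}


def parse_spd(text):
    """Return the set of (src, dst, direction, rule) tuples for GRE policies.

    Each entry starts at column 0 with 'src[port] dst[port] proto'; the
    indented lines that follow carry the direction and the IPsec rule."""
    policies = set()
    for entry in re.split(r"^(?=\S)", text, flags=re.MULTILINE):
        lines = entry.strip().splitlines()
        if not lines:
            continue
        head = lines[0].split()
        # setkey prints the protocol by name or by number depending on the build
        if len(head) < 3 or head[2] not in ("gre", "47"):
            continue
        src, dst = head[0].split("[")[0], head[1].split("[")[0]
        direction = rule = None
        for line in lines[1:]:
            line = line.strip()
            m = re.match(r"(in|out|fwd)\b.*\b(ipsec|discard|none)$", line)
            if m:
                direction = m.group(1)
            elif re.match(r"(esp|ah|ipcomp)/", line):
                rule = line
        if direction and rule:
            policies.add((src, dst, direction, rule))
    return policies


def missing_policies(text):
    """Policies from REQUIRED that are absent from the given setkey -DP dump."""
    return REQUIRED - parse_spd(text)


def check_live_spd():
    """Run setkey -DP on the router itself and report what is missing."""
    out = subprocess.run(["setkey", "-DP"], capture_output=True,
                         text=True, check=True).stdout
    return missing_policies(out)


if __name__ == "__main__":
    gaps = missing_policies(SAMPLE_SPD)
    print("SPD ok" if not gaps else "missing: %s" % sorted(gaps))
```

On the router, call check_live_spd() instead of feeding it the sample; an empty result means both policies are present and racoon will be triggered by the first GRE packet, a non-empty one means setkey -f /etc/ipsec-tools.conf still has to be run.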
*********************************************************************************
5. Create/edit/modify the racoon config file /etc/config/racoon as needed.
(note: the settings here must match the CISCO HUB/spoke settings)
I decided to use 3des, md5, group2 and a pre-shared key for Phase 1 (ISAKMP), and 3des, md5 and group2 for Phase 2 (SA):
config 'racoon'
    #once finished with racoon debugging change foreground
    #and debugging modes below to '0'
    option 'foreground' '1'
    option 'debug' '1'
    option 'zone' 'vpn'
    list 'listen' 'wan'

config 'tunnel' 'GRE'
    option 'enabled' '1'
    option 'nat_traversal' 'off'
    option 'remote' 'anonymous'
    option 'dpd_delay' '30'
    option 'remote_device' 'cisco'
    option 'pre_shared_key' '1234'
    option 'exchange_mode' 'main'
    option 'my_identifier' 'openwrt'
    list 'p1_proposal' 'pre_g2_3des_md5'
    list 'sainfo' 'R1_LAN'

config 'p1_proposal' 'pre_g2_3des_md5'
    option 'lifetime' '28800'
    option 'encryption_algorithm' '3des'
    option 'hash_algorithm' 'md5'
    option 'authentication_method' 'pre_shared_key'
    option 'dh_group' '2'

config 'sainfo' 'R1_LAN'
    option 'remote_subnet' '192.168.10.0/24'
    option 'local_subnet' '192.168.40.0/24'
    option 'p2_proposal' 'g2_3des_sha1'

config 'p2_proposal' 'g2_3des_sha1'
    option 'lifetime' '120'
    option 'pfs_group' '2'
    option 'encryption_algorithm' '3des'
    option 'authentication_algorithm' 'hmac_md5'
**********************************************************************************
Note:
The /etc/racoon.conf file is ignored by racoon; the settings are taken from /var/racoon/racoon.conf, which is generated by the script in /etc/init.d/racoon from the settings in /etc/config/racoon.
The file /etc/racoon/psk.txt is also ignored and the keys are read from /etc/config/racoon as well (option 'pre_shared_key' '1234').
Make a dry run from the command line: enable foreground operation in /etc/config/racoon by setting option 'foreground' '1' in
the racoon section and call /etc/init.d/racoon start. This will show you whether there are any errors in your generated configuration file /var/racoon/racoon.conf.
********************************************************************************
6. Create/modify the file /etc/opennhrp/opennhrp.conf as needed:
interface gre1
map 10.0.0.1/29 192.168.0.1 register cisco
cisco-authentication 1234
shortcut
multicast dynamic
***********************************************************************************
7. to create tunnel and bring it up execute the following:
ip tunnel add gre1 mode gre key 1234 ttl 64
ip addr add 10.0.0.4/29 dev gre1
ip tunnel change gre1 local 192.168.0.4
ip link set gre1 up
**************************************************
Note: to execute these commands at boot time I created a script (name it e.g. /etc/racoon/gre-tunnel-up.sh), gave it exec privileges, put some delay at the beginning of the script (sleep 1m), pasted the above commands after the sleep command, and finally call this script from rc.local so that it runs in the background => edit /etc/rc.local and insert this line at the end of the file:
/etc/racoon/gre-tunnel-up.sh &
Create the file /etc/racoon/gre-tunnel-up.sh with the following content:
#!/bin/sh
#wait 1 minute
sleep 1m
#create GRE tunnel and bring it up
ip tunnel add gre1 mode gre key 1234 ttl 64
ip addr add 10.0.0.4/29 dev gre1
ip tunnel change gre1 local 192.168.0.4
ip link set gre1 up
#line below was added because the MTU on the GRE tunnel had to be reduced to match the MTU on the CISCO devices
#original size was 1472, on the CISCO side it is 1438
ifconfig gre1 mtu 1438
#to trigger racoon an initial security policy database (SPD) must be created
setkey -f /etc/ipsec-tools.conf
***********************************************************************************
8. CISCO R1 (HUB) IPSEC and Tunnel interface configuration :
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 10.0.0.1 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile protect-gre
!
*************************************************************************************************
9. CISCO R2(SPOKE)
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 10.0.0.2 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 192.168.0.1
ip nhrp map multicast 192.168.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile protect-gre
!
*******************************
CISCO R3 (SPOKE)
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
interface Tunnel0
description R3 mGRE - DMVPN Tunnel
ip address 10.0.0.3 255.255.255.248
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 192.168.0.1
ip nhrp map multicast 192.168.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile protect-gre
!
*******************************************************************************************
Note:
to check whether the DMVPN is up you can use the "show dmvpn" command
to check IPsec: "show crypto session"
to debug: "debug crypto isakmp" or "debug crypto ipsec"
*****************************************************************
*** OSPF installation & set up (CISCO + OpenWRT:quagga -> zebra & ospfd ) ***
*****************************************************************
CISCO R1 (HUB):
!
interface Tunnel0
.
.
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 255
.
.
!
router ospf 1
router-id 10.0.0.1
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.
***********************************************
CISCO R2 (SPOKE)
!
interface Tunnel0
ip ospf network non-broadcast
.
.
!
router ospf 1
router-id 10.0.0.2
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.
***********************************************
CISCO R3 (SPOKE)
!
interface Tunnel0
ip ospf network non-broadcast
.
.
!
router ospf 1
router-id 10.0.0.3
passive-interface FastEthernet0/0
network 10.0.0.0 0.0.0.7 area 0
network 10.0.1.0 0.0.0.7 area 0
network 192.168.30.0 0.0.0.255 area 0
!
ip forward-protocol nd
.
.
************************************************
On OpenWRT:
opkg install quagga quagga-zebra quagga-ospfd
*******************************************************************************************
Create/modify your file /etc/quagga/ospfd.conf to look like this :
!
! Zebra configuration saved from vty
! 2015/11/18 13:21:47
!
password zebra
!
!
!create log file and put its location here
log file /var/log/ospfd.log
!
!
interface br-lan
!
interface eth0
!
interface eth1
!
interface gre0
!
!set GRE tunnel OSPF parameters (if they differ) to match the HUB ones:
interface gre1
ip ospf network non-broadcast
ip ospf hello-interval 30
ip ospf dead-interval 120
ip ospf mtu-ignore
!
interface gretap0
!
interface lo
!
!set passive interfaces (those which don't use OSPF), and add networks to be advertised over OSPF
router ospf
ospf router-id 10.0.0.4
passive-interface eth0
passive-interface eth2
passive-interface eth3
passive-interface eth4
passive-interface gre0
network 10.0.0.0/29 area 0.0.0.0
network 192.168.40.0/24 area 0.0.0.0
!
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
access-class vty
!
*******************************
Create/modify your /etc/quagga/zebra.conf to look like this:
!
! Zebra configuration saved from vty
! 2015/11/13 14:24:25
!
password zebra
!
debug zebra events
!
!create log file and put its location here
log file /var/log/zebra.log
!
interface br-lan
link-detect
ipv6 nd suppress-ra
!
interface eth0
link-detect
ipv6 nd suppress-ra
!
interface eth1
link-detect
ipv6 nd suppress-ra
!
interface gre0
ipv6 nd suppress-ra
!
interface gre1
link-detect
ipv6 nd suppress-ra
!
interface gretap0
ipv6 nd suppress-ra
!
interface lo
!
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
ip forwarding
ipv6 forwarding
!
!
line vty
access-class vty
!
*********************************************************************
Note: once you start OSPF you can check the debug info in the specified log files;
once everything is working as expected, disable logging.
*********************************************************************
Note2: to make OSPF work, I had to adjust the hello-interval & dead-interval (both in ospfd.conf)
and the MTU size (in the gre-tunnel-up.sh script) to match the HUB OSPF settings.
*********************************************************************
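The IPsec/NHRP/GRE settings in steps 5 to 9 and the OSPF timers in Note2 all have to agree across the hub and every spoke, and in a DMVPN lab a single differing value (GRE key, NHRP authentication string, hash or DH group, hello/dead interval) is the usual reason a tunnel or an adjacency never comes up. As an added example (not code from the original post, OpenWRT or Cisco), the script below extracts those parameters from the IOS-style excerpts and the OpenWRT settings shown in this post and reports every value that differs. The IOS timer defaults and all function names are this example's own assumptions.

```python
"""Consistency check for the DMVPN parameters that must agree between peers.

Added example, not code from the original post or from OpenWRT/Cisco: it
extracts the GRE key, NHRP authentication/network-id, ISAKMP policy, IPsec
transform and OSPF timers from IOS-style config text plus the OpenWRT values,
and reports every parameter whose values differ. Excerpts are copied from the
configs in the post; IOS timer defaults and function names are this example's
own assumptions.
"""
import re

# Relevant lines of the R1 (HUB) config from the post.
HUB = """
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
interface Tunnel0
 ip nhrp authentication 1234
 ip nhrp network-id 1
 tunnel key 1
 ip ospf network broadcast
 ip ospf hello-interval 30
"""

# R2 and R3 differ only in addresses and description, so one excerpt serves both.
SPOKE = """
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
interface Tunnel0
 ip nhrp authentication 1234
 ip nhrp network-id 1
 tunnel key 1234
 ip ospf network non-broadcast
"""

# OpenWRT side, taken from gre-tunnel-up.sh, opennhrp.conf, /etc/config/racoon
# and ospfd.conf in the post (opennhrp has no network-id setting).
OPENWRT = {
    "tunnel key": "1234",
    "nhrp authentication": "1234",
    "nhrp network-id": None,
    "isakmp encryption": "3des",
    "isakmp hash": "md5",
    "isakmp dh group": "2",
    "ipsec transform": "esp-3des esp-md5-hmac",
    "ospf network type": "non-broadcast",
    "ospf hello": "30",
    "ospf dead": "120",
}

IOS_PATTERNS = {
    "tunnel key": r"^\s*tunnel key (\S+)",
    "nhrp authentication": r"^\s*ip nhrp authentication (\S+)",
    "nhrp network-id": r"^\s*ip nhrp network-id (\S+)",
    "isakmp encryption": r"^\s*encr (\S+)",
    "isakmp hash": r"^\s*hash (\S+)",
    "isakmp dh group": r"^\s*group (\S+)",
    "ipsec transform": r"^\s*crypto ipsec transform-set \S+ (esp-\S+ esp-\S+)",
    "ospf network type": r"^\s*ip ospf network (\S+)",
    "ospf hello": r"^\s*ip ospf hello-interval (\S+)",
    "ospf dead": r"^\s*ip ospf dead-interval (\S+)",
}


def parse_ios(text):
    """Extract the parameters above from IOS config text; None if absent."""
    params = {}
    for name, pattern in IOS_PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        params[name] = m.group(1) if m else None
    # IOS defaults (assumed here): hello 30 s on non-broadcast (NBMA)
    # interfaces, 10 s on broadcast ones; dead-interval is four times hello.
    if params["ospf hello"] is None:
        nbma = params["ospf network type"] == "non-broadcast"
        params["ospf hello"] = "30" if nbma else "10"
    if params["ospf dead"] is None:
        params["ospf dead"] = str(4 * int(params["ospf hello"]))
    return params


def lab_devices():
    """All four routers of the lab as name -> parameter dict."""
    return {"R1 (hub)": parse_ios(HUB), "R2 (spoke)": parse_ios(SPOKE),
            "R3 (spoke)": parse_ios(SPOKE), "OpenWRT (spoke)": dict(OPENWRT)}


def find_mismatches(devices):
    """Return {parameter: {device: value}} for every parameter that differs.

    Devices where a parameter is absent are skipped, and the OSPF network
    type is not compared: the hub is 'broadcast' while the spokes are
    'non-broadcast' by design; it only serves to derive the timer defaults."""
    report = {}
    for param in IOS_PATTERNS:
        if param == "ospf network type":
            continue
        values = {d: p[param] for d, p in devices.items() if p[param] is not None}
        if len(set(values.values())) > 1:
            report[param] = values
    return report


if __name__ == "__main__":
    for param, values in find_mismatches(lab_devices()).items():
        print("%s differs: %s" % (param, values))
```

Run as-is against the excerpts in this post it reports exactly one finding: the hub's "tunnel key 1" versus 1234 on R2, R3 and the OpenWRT spoke. GRE peers drop keyed packets whose key does not match theirs, so that value is the first thing to confirm on the real devices before looking at ISAKMP or OSPF debugs.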
For troubleshooting on CISCO devices I found useful mainly these commands:
show ip ospf neighbor
show ip ospf interface
show ip interface
debug ip ospf packet
debug ip ospf hello
**************************************************************************************************
That should be all.
Enjoy.
*Later I made a small modification - I created a dual cloud DMVPN solution by setting router R2 as the DMVPN HUB in a second cloud (created a second set of tunnel interfaces connecting all routers in a second virtual network/cloud). This second cloud should keep connections & routing possible in case the 1st cloud goes down.
** I would like to thank Michal D. for all his advice and for bringing OpenWRT into my life
Matus
(Last edited by MatusK on 20 Nov 2015, 14:29)