FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

NHRP + IPSEC (not allowing dynamic routing) #14053

Closed UNKOWN-MK closed 7 months ago

UNKOWN-MK commented 1 year ago

I am trying to configure NHRP with mGRE and IPsec. Without IPsec configured, my NHRP setup is working as expected, but when I protected the mGRE tunnel with an IPsec profile, the dynamic routes are showing invalid type and the shortcut between spoke and spoke is deleted automatically.

We are using FRR for NHRP and strongSwan for IPsec.

My NHRP status is like this:

================================ HUB ========================================
QN-0F0007# show ip nhrp
Iface Type    Protocol   NBMA          Claimed NBMA  Flags Identity
gre1  dynamic 10.0.0.1   192.168.7.167 192.168.7.167 T
gre1  local   10.0.0.254 192.168.7.32  192.168.7.32  -
gre1  dynamic 10.0.0.2   192.168.7.99  192.168.7.99  T

==================================== SPOKE -1 ===============================
QN-0F0019# show ip nhrp
Iface Type    Protocol        NBMA          Claimed NBMA  Flags Identity
gre1  local   10.0.0.1        192.168.7.167 192.168.7.167 -
gre1  nhs     10.0.0.254      192.168.7.32  192.168.7.32  T     10.0.0.254
gre1  invalid 10.0.0.2        -             -             A     -
gre1  invalid 192.168.171.159 -             -             A     -

==================================== SPOKE -2 ===============================
QN-0F0019# show ip nhrp
Iface Type    Protocol        NBMA          Claimed NBMA  Flags Identity
gre1  local   10.0.0.2        192.168.7.99  192.168.7.99  -
gre1  nhs     10.0.0.254      192.168.7.32  192.168.7.32  T     10.0.0.254
gre1  invalid 10.0.0.1        -             -             A     -
gre1  invalid 192.168.170.135 -             -             A     -

Hub configuration for NHRP and BGP:

frr version 8.5.1
frr defaults traditional
log file /var/log/frr/nhrpd.log
no ipv6 forwarding
nhrp nflog-group 1
log syslog informational
no service integrated-vtysh-config
!
debug nhrp all
!
interface gre1
 ip address 10.0.0.254/32
 ip nhrp holdtime 3600
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 tunnel source eth0
exit
!
router bgp 65000
 no bgp ebgp-requires-policy
 neighbor SPOKES peer-group
 neighbor SPOKES disable-connected-check
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 peer-group SPOKES
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 peer-group SPOKES
 !
 address-family ipv4 unicast
  network 192.168.169.0/24
  redistribute nhrp
 exit-address-family
exit
!
end

Spoke configuration for NHRP and BGP:

frr version 8.5.1
frr defaults traditional
log file /var/log/frr/nhrpd.log
no ipv6 forwarding
log stdout
log syslog informational
no service integrated-vtysh-config
!
debug nhrp all
!
interface gre1
 ip address 10.0.0.1/32
 ip nhrp holdtime 3600
 ip nhrp map 10.0.0.254 192.168.7.32
 ip nhrp map multicast 192.168.7.32
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.254 nbma 192.168.7.32
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel protection vici profile dmvpn
 tunnel source eth0
exit
!
router bgp 65001
 no bgp ebgp-requires-policy
 neighbor 10.0.0.254 remote-as 65000
 neighbor 10.0.0.254 disable-connected-check
 !
 address-family ipv4 unicast
  network 192.168.170.0/24
 exit-address-family
exit
!
end

/etc/ipsec.conf (in both spokes):

conn dmvpn
    authby=secret
    auto=add
    keyexchange=ikev2
    ike=aes256-aes256-sha256-modp2048
    esp=aes256-aes256-sha256-modp2048
    dpdaction=restart
    dpddelay=300s
    left=%any
    leftid=%any
    right=192.168.7.32
    rightid=%any
    leftprotoport=gre
    rightprotoport=gre
    type=transport
    keyingtries=%forever

/etc/ipsec.conf (in hub):

conn dmvpn
    authby=secret
    auto=add
    keyexchange=ikev2
    ike=aes256-aes256-sha256-modp2048
    esp=aes256-aes256-sha256-modp2048
    dpdaction=restart
    dpddelay=300s
    left=%any
    leftid=%any
    right=%any
    rightid=%any
    leftprotoport=gre
    rightprotoport=gre
    type=transport
    keyingtries=%forever
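The symptom reported above (spoke-to-spoke entries dropping to type `invalid` with no NBMA address once the tunnel is IPsec-protected) is easy to miss in production until traffic fails. The following is an added example, not code from the issue or from FRR: a small parser for the column output of `show ip nhrp` that flags `invalid` cache entries so the condition can be caught by a monitoring check instead of by hand. The sample outputs are transcribed from the issue; the column layout and the handling of a missing `Identity` field are assumptions based on that output, so verify them against your FRR version before relying on it.

```python
#!/usr/bin/env python3
"""Detect NHRP cache entries stuck in the 'invalid' state from `show ip nhrp` output.

Added example (not part of the issue or of FRR). Feed it the text of
`vtysh -c 'show ip nhrp'`; the sample outputs below are transcribed from the issue.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NhrpEntry:
    iface: str
    type: str          # local, nhs, dynamic, invalid, ...
    protocol: str      # tunnel (protocol) address
    nbma: str          # underlay address, '-' when nhrpd has none
    claimed_nbma: str
    flags: str
    identity: str      # IKE identity; empty when nhrpd prints nothing (assumption)


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Parse `show ip nhrp` column output, skipping prompts, banners and the header."""
    entries: List[NhrpEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank lines and prompts such as 'QN-0F0007# show ip nhrp'
        if parts[0].startswith(("=", "Iface")) or parts[0].endswith("#"):
            continue  # section banners, the column header, a prompt with extra words
        identity = parts[6] if len(parts) > 6 else ""
        entries.append(NhrpEntry(*parts[:6], identity))
    return entries


def invalid_entries(entries: List[NhrpEntry]) -> List[NhrpEntry]:
    """Entries nhrpd shows as 'invalid': a protocol address with no usable NBMA address."""
    return [e for e in entries if e.type == "invalid"]


def count_by_type(entries: List[NhrpEntry]) -> Dict[str, int]:
    """Histogram of entry types, handy for a quick health summary per router."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.type] = counts.get(e.type, 0) + 1
    return counts


def report(name: str, text: str) -> List[str]:
    """One summary line plus one line per invalid entry, suitable for a log alert."""
    entries = parse_show_ip_nhrp(text)
    lines = [f"{name}: {len(entries)} NHRP entries, by type {count_by_type(entries)}"]
    for e in invalid_entries(entries):
        lines.append(f"{name}: INVALID {e.protocol} on {e.iface} (flags={e.flags}), no NBMA resolved")
    return lines


# Sample outputs transcribed from the issue (hub and spoke 1).
HUB_OUTPUT = """\
QN-0F0007# show ip nhrp
Iface Type    Protocol   NBMA          Claimed NBMA  Flags Identity
gre1  dynamic 10.0.0.1   192.168.7.167 192.168.7.167 T
gre1  local   10.0.0.254 192.168.7.32  192.168.7.32  -
gre1  dynamic 10.0.0.2   192.168.7.99  192.168.7.99  T
"""

SPOKE1_OUTPUT = """\
QN-0F0019# show ip nhrp
Iface Type    Protocol        NBMA          Claimed NBMA  Flags Identity
gre1  local   10.0.0.1        192.168.7.167 192.168.7.167 -
gre1  nhs     10.0.0.254      192.168.7.32  192.168.7.32  T     10.0.0.254
gre1  invalid 10.0.0.2        -             -             A     -
gre1  invalid 192.168.171.159 -             -             A     -
"""

if __name__ == "__main__":
    for line in report("hub", HUB_OUTPUT) + report("spoke1", SPOKE1_OUTPUT):
        print(line)
```

Run against the issue's own output, the hub reports no invalid entries while spoke 1 reports two (the other spoke's tunnel address and its LAN prefix), which is exactly the state the reporter describes; wiring `report()` into a cron job or a NetBox/Prometheus textfile exporter turns that into an alert.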

github-actions[bot] commented 7 months ago

This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.

frrbot[bot] commented 7 months ago

This issue will be automatically closed in the specified period unless there is further activity.