FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

NHRP #7696

Open zendulkaj opened 3 years ago

zendulkaj commented 3 years ago

I would like to use the NHRP / FRR implementation, but when I test it, DMVPN does not work with Cisco (the opennhrp implementation works in this configuration).

I noticed that some commands are not supported by NHRP / FRR but are supported by opennhrp, i.e. cisco-authentication. https://sourceforge.net/p/opennhrp/code/ci/613277fda0f3a54e670e3e4b521adb82a6a5ed46/tree/nhrp/opennhrp.c#l257 This may be the reason why NHRP registration fails. See the log below. Or did I miss something in the nhrp configuration?

Some packets are sent via GRE/IPsec, but there is no answer from the Cisco:

gre1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.234.4  Mask:255.255.255.255
          UP RUNNING MULTICAST  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:7360 (7.1 KB)

IPsec:

ipsec1: #32, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
  installed 84s ago, rekeying in 2487s, expires in 3516s
  in  c8cbc95d,      0 bytes,     0 packets
  out 4c892df5,    240 bytes,     2 packets,    52s ago
  local  192.168.7.232/32[gre]
  remote 85.xx.xx.xx/32[gre]

Cisco configuration:

interface Tunnel11
 ip address 192.168.234.1 255.255.255.0
 no ip redirects
 ip nhrp authentication 1234
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 no ip nhrp record
 no ip nhrp cache non-authoritative
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile ikev2
!

opennhrp configuration (works):

interface gre1
  map 192.168.234.1/24 85.xx.xx.xx register
  holding-time 60
  cisco-authentication 1234
  shortcut
  redirect
  non-caching

NHRP/FRR configuration:

frr version 7.5
frr defaults traditional
!
hostname Router
password test
enable password test
!
line vty
!
interface gre1
 description DMVPN Tunnel Interface
 ip nhrp network-id 1234
 ip nhrp map 192.168.234.1/24 85.xx.xx.xx register
 ip nhrp nhs dynamic nbma 85.xx.xx.xx
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no ip nhrp record
 no ip nhrp cache non-authoritative
 tunnel protection vici profile ipsec1
 tunnel source eth1
!
debug nhrp all

NHRP log:

2020-12-09 13:37:10 charon: 10[IKE] CHILD_SA ipsec1{28} established with SPIs c66b7ce6_i c08def2f_o and TS 192.168.7.232/32[gre] === 85.xx.xx.xx/32[gre]
2020-12-09 13:37:10 nhrpd[2683]: VICI: Message 7, 2686 bytes
2020-12-09 13:37:10 nhrpd[2683]: VICI: Event 'child-state-installed'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='14'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'version'='2'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='ESTABLISHED'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-host'='192.168.7.232'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-id'='client3@router'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-cert-data'='0‚^CČ0‚^B° ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TM0^M^F^I†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-host'='85.xx.xx.xx'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-id'='server.cisco'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-cert-data'='0‚^CÂ0‚^BŞ ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TJ0^M^F^I†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator-spi'='fba7706e5ada98c9'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'responder-spi'='3f09d4b20002b451'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-local'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-any'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-alg'='AES_CBC'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-keysize'='256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'integ-alg'='HMAC_SHA2_256_128'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'prf-alg'='PRF_HMAC_SHA2_256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'dh-group'='MODP_2048'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'established'='0'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reauth-time'='2706'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'tasks-active'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'CHILD_CREATE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_AUTH_LIFETIME'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_MOBIKE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'child-sas'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'name'='ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='28'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reqid'='1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='INSTALLING'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'mode'='TUNNEL'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'local-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '192.168.7.232/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'remote-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '85.xx.xx.xx/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section end
2020-12-09 13:37:10 last message repeated 2 times
2020-12-09 13:37:11 nhrpd[2683]: NHS: Flush timer for 85.xx.xx.xx
2020-12-09 13:37:11 nhrpd[2683]: NHS: Register 192.168.234.4 - 192.168.234.4 (timeout 16)
2020-12-09 13:37:11 nhrpd[2683]: Send Registration-Request(3) 192.168.234.4 - 192.168.234.4
2020-12-09 13:37:11 nhrpd[2683]: PACKET: Send 192.168.7.232 - 85.xx.xx.xx
2020-12-09 13:37:14 nhrpd[2683]: Netlink: Received msg_type 28, msg_flags 0
2020-12-09 13:37:14 zebra[1485]: netlink_parse_info: netlink-listen (NS 0) type RTM_NEWNEIGH(28), len=76, seq=0, pid=0
2020-12-09 13:37:14 zebra[1485]: ^INeighbor Entry received is not on a VLAN or a BRIDGE, ignoring

qlyoung commented 3 years ago

NHRP is in alpha at this time and we are looking for someone to maintain it. I can't make any guarantees about it working or not. I'll leave the issue open in case someone wants it.

pguibert6WIND commented 3 years ago

Did you try without the Cisco nhrp authentication?

zendulkaj commented 3 years ago

Do you know the reason why some configuration items are missing in the FRR/NHRP implementation (in comparison with opennhrp)? "cisco-authentication" is used in many Cisco DMVPN configurations.

I am a newbie in DMVPN and I have another question regarding the NHRP flags (U, T, A) and the meaning of the DMVPN flags in the NHRP/DMVPN status (see below). So far I have not found any explanation of what these flags exactly mean.

However, DMVPN (Cisco - FRR) works with this configuration:

Cisco:

!
interface Tunnel11
 ip address 192.168.234.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 no ip nhrp record
 no ip nhrp cache non-authoritative
 ip ospf 1 area 0
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile profile_ikev2
!

FRR/NHRP.conf:

!
hostname Router
password test
enable password test
!
line vty
!
interface gre1
 description DMVPN Tunnel Interface
 ip nhrp holdtime 60
 ip nhrp network-id 1234
 ip nhrp nhs 192.168.234.1 nbma 85.xx.xx.xx
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 tunnel protection vici profile ipsec1
 tunnel source usb0
!
debug nhrp all

Router# show ip nhrp
Iface    Type     Protocol         NBMA             Flags  Identity
gre1     local    192.168.234.3    -                       -
gre1     nhs      192.168.234.1    85.xx.xx.xx      UT     server.cisco

Router# show ipv6 nhrp
% No entries

Router# show dmvpn
Src              Dst              Flags  SAs  Identity
89.xx.xx.x       85.xx.xx.xx      n      1    server.cisco
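The difference between the two spoke configurations above is the missing cisco-authentication: with the hub configured for `ip nhrp authentication 1234`, opennhrp attaches a Cisco-style NHRP authentication extension to every packet, while the FRR 7.5 nhrpd in this thread has no command to do so, which fits the first capture (registration requests leave the spoke, nothing comes back). The example below is added here for illustration and is not code from FRR or opennhrp; it assumes the body layout I read from opennhrp's `struct nhrp_cisco_authentication_extension` (a 4-byte type word, 1 meaning plaintext, followed by the key bytes) inside a standard RFC 2332 extension TLV (type 7, compulsory bit set), which should be checked against the linked opennhrp source before relying on it. The `check_auth` receiver logic and the sample extension bytes are constructed for the example.

```python
import hmac
import struct

# NHRP extension type numbers from RFC 2332 section 5.3; the compulsory bit is
# the top bit of the 16-bit extension type field.
NHRP_EXTENSION_END = 0
NHRP_EXTENSION_AUTHENTICATION = 7
NHRP_EXTENSION_FLAG_COMPULSORY = 0x8000

# Assumption: the value opennhrp writes into the first 32-bit word of the
# authentication extension body for a cleartext Cisco-style key.
NHRP_AUTHENTICATION_PLAINTEXT = 0x00000001


def build_auth_extension(secret: bytes) -> bytes:
    """Encode one Cisco-style NHRP authentication extension TLV.

    Layout (assumed from opennhrp): 16-bit type | compulsory, 16-bit length,
    then a 4-byte big-endian type word (1 = plaintext) and the key bytes.
    The key travels in the clear; only the IPsec tunnel protection that
    carries the GRE packet hides it on the wire.
    """
    body = struct.pack("!I", NHRP_AUTHENTICATION_PLAINTEXT) + secret
    ext_type = NHRP_EXTENSION_AUTHENTICATION | NHRP_EXTENSION_FLAG_COMPULSORY
    return struct.pack("!HH", ext_type, len(body)) + body


def build_end_extension() -> bytes:
    """RFC 2332 End extension (type 0, length 0) that closes the extension list."""
    return struct.pack("!HH", NHRP_EXTENSION_END, 0)


def parse_extensions(data: bytes) -> list:
    """Walk the extension area of an NHRP packet.

    Returns a list of (type, compulsory, body) tuples and raises ValueError on
    a length field that runs past the buffer, so a malformed packet is
    rejected instead of being read out of bounds.
    """
    exts = []
    off = 0
    while off + 4 <= len(data):
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated NHRP extension")
        body = data[off:off + length]
        off += length
        etype = raw_type & 0x7FFF
        compulsory = bool(raw_type & NHRP_EXTENSION_FLAG_COMPULSORY)
        exts.append((etype, compulsory, body))
        if etype == NHRP_EXTENSION_END:
            break
    return exts


def check_auth(extensions: list, expected_secret: bytes) -> tuple:
    """Receiver-side check: does the packet carry the locally configured key?

    Returns (accepted, reason). A packet with no authentication extension is
    rejected when a key is configured, which is the behaviour the thread's
    symptoms suggest on the hub side.
    """
    bodies = [b for etype, _, b in extensions
              if etype == NHRP_EXTENSION_AUTHENTICATION]
    if not bodies:
        return (False, "no authentication extension present")
    body = bodies[0]
    if len(body) < 4:
        return (False, "authentication extension too short")
    auth_type = struct.unpack_from("!I", body, 0)[0]
    if auth_type != NHRP_AUTHENTICATION_PLAINTEXT:
        return (False, "unsupported authentication type %#x" % auth_type)
    # Constant-time compare so the comparison itself leaks nothing about the key.
    if not hmac.compare_digest(body[4:], expected_secret):
        return (False, "authentication key mismatch")
    return (True, "ok")


def demo() -> dict:
    """Constructed round trip: the key from the thread's config, 1234, as bytes."""
    key = b"1234"
    with_auth = build_auth_extension(key) + build_end_extension()
    without_auth = build_end_extension()  # what a spoke lacking the feature sends
    return {
        "matching_key": check_auth(parse_extensions(with_auth), key),
        "wrong_key": check_auth(parse_extensions(with_auth), b"4321"),
        "missing_extension": check_auth(parse_extensions(without_auth), key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The practical takeaway for anyone comparing the two implementations: the extension is a shared token, not a cryptographic authenticator, so matching it on the hub only identifies peers that know the configured string; the actual authentication of the spoke is the IKEv2 identity (`server.cisco` / `client3@router` in the VICI log) behind the tunnel protection.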

pguibert6WIND commented 3 years ago

=> https://tools.ietf.org/html/rfc2332 describes the U, T, A flags

=> with opennhrp, you can use ospf, but not with frr.

=> I recommend you to look at current issues and pull requests using the keyword nhrp, as there is some activity. For instance, I think someone is looking at how to implement multicast traffic with frr over dmvpn.

Jafaral commented 3 years ago

@pguibert6WIND, does opennhrp support multicast? How did they get ospf to work?

zendulkaj commented 3 years ago

I looked into the RFC for the flags and I found

 A: Authoritative bit
 U: Uniqueness bit.

But flag T is not mentioned there.

Yes, I noticed that FRR/NHRP does not support multicast, so OSPF does not work.

pguibert6WIND commented 3 years ago

> @pguibert6WIND, does opennhrp support multicast? How did they get ospf to work?

Opennhrp uses a userland patch, that is to say they intercept all multicast packets and do processing per multicast packet for each nhrp peer. I think this is not very performant, and I would prefer kernel support for that.

pguibert6WIND commented 3 years ago

> I looked into the RFC for the flags and I found
>
>  A: Authoritative bit
>  U: Uniqueness bit.
>
> But flag T is not mentioned there.
>
> Yes, I noticed that FRR/NHRP does not support multicast, so OSPF does not work.

T stands for timeout. That means a timer is attached to the session.

sarthurdev commented 3 years ago

Is there any plan for adding support for cisco-authentication to nhrpd?

xrpixer commented 1 year ago

Bump. +1 for this.

maugli13 commented 1 year ago

Bump. "Nice to have" feature. It will help with a smooth migration from the existing DMVPN network.