created merge request for this bug https://sourceforge.net/p/opennhrp/code/merge-requests/1/
this is the fix related to Ticket https://sourceforge.net/p/opennhrp/support-requests/8/
Spoke hasn't learnt the correct NBMA address for another Cisco spoke when both spokes are behind NAT
packet sniffer from one of the spoke
fix: matching nat cie to peer's protocol address
Hey Timo, I am looking to setup just Phase 1 of DMVPN, so just NHRP registrations. Multicast will need to go from spoke to hub and vice-versa, including PIM, RIP, possibly OSPF, and user multicast data. The communications can always happen via spoke to the hub first before routing from HUB to another spokes. This also needs to be protected via IPsec, using strongswan route based VPN. I know OpenNHRP doesn't fully function with strongswan, but does phase 1 work with it/any settings needed for multicast....
fix builds with gcc10
fix incomplete conversion to system libev
I hope you understood my scenario @Timo Teras.
Thanks Timo for that info. Actually I'm using patched strongSwan, BGPD (FRR) and OpenNHRP at the HUB (it doesn't initiate a tunnel request; when it gets a tunnel establishing request, it responds to that). At the initiator side I'm using NHRPD (FRR), patched strongSwan, BGPD (FRR). So with this I'm able to establish a phase 1 tunnel, but when I ping from one spoke to another spoke my hub is not initiating the redirect message itself. What I think is causing the problem to initiate a redirect request from opennhrp...
No. The strongSwan patches at https://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release will enable writing an opennhrp-script that would work mostly (with some restrictions). The exercise to do the script is left for the reader. I strongly recommend using quagga or frr nhrpd because it solves several issues opennhrp had and is superior in almost every aspect. See also: http://git.savannah.gnu.org/cgit/quagga.git/tree/nhrpd/README.nhrpd
So there is no patch available to make opennhrp work with strongSwan?
Quagga/NHRP and frr/nhrpd supersede opennhrp and integrate with strongSwan. For further information see:
- https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd
- https://git.alpinelinux.org/cgit/dmvpn-tools/about/
Is there any patch available for opennhrp to work with strongSwan?
Spoke Destination unreachable
Thanks for the answer! 1) I can not use the latest version of Quagga and FRR because there are no deb packages for the Debian 7 operating system. 2) I use IPsec, but it's not a racoon/strongSwan, I use a proprietary implementation of IPsec by S-Terra CSP (Russian vendor with GOST cipher algorithms). I assumed that the NHRP protocol should not depend on IPsec. Is this assumption wrong? If the problem described by me can be reproduced without using IPsec, then this is a problem/bug in opennhrp?
To start off I recommend using Quagga/NHRP or FRR/NHRP if possible. I am not sure how IPsec is configured, but that likely is the cause. This is because NHRP does not detect liveliness but depends on IPsec to do it. If IPsec is not in use, this would cause the issue. If IPsec is in use, the racoon's phase1_dead hook is not likely configured, or the script is not working. On ipsec-tools/opennhrp the dead peer detection works so that ipsec-tools executes a dead peer hook which should be a script executing...
opennhrp configurations:

1) Hub1:
root@Hub1:~# cat /etc/opennhrp/opennhrp.conf
interface mgre0
  map 10.10.10.200/24 172.16.200.2
  multicast dynamic
  holding-time 600
  cisco-authentication secret
  #redirect
  non-caching

2) Hub2:
root@Hub2:~# cat /etc/opennhrp/opennhrp.conf
interface mgre0
  map 10.10.10.100/24 172.16.100.2
  multicast dynamic
  holding-time 600
  cisco-authentication secret
  #redirect
  non-caching

3) Spoke1:
root@Spoke1:~# cat /etc/opennhrp/opennhrp.conf
interface mgre0
  map 10.10.10.100/24 172.16.100.2...
[Dual Hub] A direct spoke to spoke connection breaks down if the primary Hub fails
Spoke to Spoke traffic not working as expected
When the public interface has a secondary ip configured, i.e, IPADDR2 & PREFIX2,...
Very good. Unfortunately the kernel bugs cannot be worked around. The only solution...
It's the kernel. Works after upgrading. Any workaround for this issue to avoid the...
I was able to send GRE packet to the hub. For every NHRP registration request from...
The "Unknown (0x2001)" is just tcpdump saying it does not know how to decode nhrp...
I think my kernel doesn't like sending a NHRP packet on a tunnel created to transmit...
tcpdump at spoke: tcpdump -s 0 -v -n proto gre 17:35:51.470103 IP (tos 0x0, ttl 64,...
Yes and no. Yes, the NHRP registration goes inside GRE tunnel and is thus IPsec....
Yes, firewall is disabled on edge vms. There is one intermediate firewall on Google...
Well all IPsec side looks ok. Do note that ping will not work until nhrpd has been...
Re-did everything. Still can't get it to work. Haven't checked 3.10 kernel issues...
It is normal for the transport mode to show the local node IP in the private format....
Alright, the tunnel was established after switching to transport mode. Status of...
When NAT is detected, UDP encapsulation is negotiated automatically by IPsec. You can...
Yes, you are right, transport mode should work in NAT as well. But certain environments...
That's the reason then. Tunnel/transport setting needs to match both ends. And in...
Mine is pretty similar to original. Using PSK. Notice change in mode to tunnel -...
Looks like something wrong in the strongSwan connection configuration. My config...
I tried following the instructions on a bunch of GCE Centos 7 VMs on separate networks....
openNHRP , DMVPN phase 1 only
strongSwan is not supported with opennhrp. It is not possible to fully integrate...
NHRP registration with a Cisco router does not work
fix race condition to stop processing dns requests
Not relevant. He understood himself.
modify packet destination only for registration...
do not establish shortcut entry if cie code ind...
Can I get a full list of values for opennhrp.conf
DMVPN without Cisco
cisco calls it no-unique, so rename to that
support non-unique registration
update kernel notes
update kernel bugs
add readme about kernel versions and bugs
remove bundled libev, and depend it to be a sys...
netlink: additional fixes to route-table matchi...
netlink: honor configured route-table for short...