
Ability to configure DMVPN in vrf
Status: Closed, Resolved | Visibility: Public | Type: Feature Request

Description

Add ability to configure DMVPN in vrf context.

[Attached image: dmvpn-vrf.png (547×742 px, 32 KB)]

It works if spoke1's mGRE tun100 interface is in a VRF and the external interface eth0 is not in one.
It does not work if tun100 and eth0 are in different VRFs.

Spoke01 configuration:

set interfaces ethernet eth0 address '100.64.1.10/24'
set interfaces ethernet eth0 description 'External-link'
set interfaces tunnel tun100 address '10.0.0.11/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '0.0.0.0'
set interfaces tunnel tun100 vrf 'mgmt'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 map 10.0.0.1/24 nbma-address '203.0.113.1'
set protocols nhrp tunnel tun100 map 10.0.0.1/24 register
set protocols nhrp tunnel tun100 multicast 'nhs'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
set vrf bind-to-all
set vrf name mgmt table '100'

Ping from spoke1 to spoke2:

vyos@spoke-1:~$ ping 10.0.0.12 vrf mgmt count 5
PING 10.0.0.12 (10.0.0.12) 56(84) bytes of data.
64 bytes from 10.0.0.12: icmp_seq=1 ttl=64 time=1.27 ms
64 bytes from 10.0.0.12: icmp_seq=2 ttl=64 time=1.55 ms
64 bytes from 10.0.0.12: icmp_seq=3 ttl=64 time=1.08 ms

If I attach VRF "FOO" to the eth0 interface, IPsec can't establish Phase 1:

vyos@spoke-1:~$ sudo swanctl -l
(unnamed): #14, CONNECTING, IKEv1, 057faeb8c6e55899_i 49912e089f7bac47_r*
  local  '%any' @ 100.64.1.10[500]
  remote '%any' @ 203.0.113.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
dmvpn-NHRPVPN-tun100: #1, CONNECTING, IKEv1, 590e9bdc549b80ca_i* 0000000000000000_r
  local  '%any' @ 100.64.1.10[500]
  remote '%any' @ 203.0.113.1[500]
  queued:  QUICK_MODE
  active:  ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vyos@spoke-1:~$

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

You can manually modify strongSwan's systemd service file to add 'ip vrf exec charond'. But it causes other problems.

I reproduced the problem.
I received the following logs:

May 15 15:25:41 vyos charon[11214]: 13[NET] <TEST|1> sending packet: from 192.0.4.2[500] to 192.0.3.2[500] (421 bytes)
May 15 15:25:41 vyos charon-systemd[11214]: sending packet: from 192.0.4.2[500] to 192.0.3.2[500] (421 bytes)
May 15 15:25:41 vyos charon[11214]: 04[NET] error writing to socket: Network is unreachable
May 15 15:25:41 vyos charon-systemd[11214]: error writing to socket: Network is unreachable

192.0.4.2 - local IP on eth0 in VRF INTERNET
192.0.3.2 - remote IP that is reachable via VRF INTERNET

If I add the command

set protocols static route <global netmask> next-hop <global gateway> vrf <INTERNET VRF>

it works.
If I use the command

set vrf name <INTERNET VRF> protocols static route <global netmask> next-hop <global gateway>

nothing happens.

The problem is in strongSwan: it looks up routes in the global routing table.
So for now the solution is to leak the route to the remote IPsec peer from the VRF into the global routing table.

Viacheslav claimed this task.

Should work with route leaking.
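
The diagnosis in the comments above (charon sends from the global table, so a peer reachable only inside a VRF fails with "Network is unreachable") can be checked mechanically. The following is an added example, not code from VyOS or strongSwan: it scans charon log lines in the format quoted above, attributes each socket error to the peer charon last tried to reach, and prints the per-peer /32 leak command in the `next-hop ... vrf ...` form the comment uses. The log lines, VRF name and gateway address are constructed for the example.

```python
import re

# Constructed sample in the charon/journald format quoted in the comment above:
# one peer reachable only inside a VRF (fails) and one reachable from the global
# table (succeeds). The charon-systemd lines are journald duplicates of the charon ones.
SAMPLE_LOG = """\
May 15 15:25:41 vyos charon[11214]: 13[NET] <TEST|1> sending packet: from 192.0.4.2[500] to 192.0.3.2[500] (421 bytes)
May 15 15:25:41 vyos charon-systemd[11214]: sending packet: from 192.0.4.2[500] to 192.0.3.2[500] (421 bytes)
May 15 15:25:41 vyos charon[11214]: 04[NET] error writing to socket: Network is unreachable
May 15 15:25:41 vyos charon-systemd[11214]: error writing to socket: Network is unreachable
May 15 15:25:45 vyos charon[11214]: 07[NET] <OK|2> sending packet: from 100.64.1.10[500] to 203.0.113.1[500] (421 bytes)
May 15 15:25:45 vyos charon-systemd[11214]: sending packet: from 100.64.1.10[500] to 203.0.113.1[500] (421 bytes)
May 15 15:25:45 vyos charon[11214]: 09[NET] <OK|2> received packet: from 203.0.113.1[500] to 100.64.1.10[500] (180 bytes)
"""

# Match only the charon[...] lines so the charon-systemd copies are not double counted.
SEND_RE = re.compile(r" charon\[\d+\]: \d+\[NET\] .*sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
ERR_RE = re.compile(r" charon\[\d+\]: \d+\[NET\] error writing to socket: Network is unreachable")


def find_unreachable_peers(log_text):
    """Attribute each 'Network is unreachable' error to the packet charon last tried to
    send. The error is logged by charon's sender thread (04 above), not by the IKE worker
    that logged 'sending packet' (13 above), so correlation is by order, not thread id.
    Returns {remote_ip: {"local": local_ip, "errors": count}}."""
    last_send = None
    peers = {}
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            last_send = (m.group(1), m.group(2))
            continue
        if ERR_RE.search(line) and last_send:
            local, remote = last_send
            peers.setdefault(remote, {"local": local, "errors": 0})["errors"] += 1
    return peers


def leak_route_commands(peers, vrf, gateway):
    """VyOS commands leaking a host route per affected peer into the global table.
    A /32 per peer, rather than the VRF's whole default route, keeps the leak minimal."""
    return [f"set protocols static route {remote}/32 next-hop {gateway} vrf {vrf}"
            for remote in sorted(peers)]


if __name__ == "__main__":
    affected = find_unreachable_peers(SAMPLE_LOG)
    # "INTERNET" and 192.0.4.1 are assumed values for the VRF name and its gateway.
    for cmd in leak_route_commands(affected, "INTERNET", "192.0.4.1"):
        print(cmd)
```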