We found an issue with DMVPN when NAT is used.
After the first boot, somehow a spoke with a global address can connect to the spoke behind NAT with encrypted traffic.
When the spokes don't communicate with each other, the connection is "disconnected" (child SAs deleted) after some timeout, and the connection (IPSec) should be re-established when the spokes communicate with each other again.
At this step the IPSec connection can't be established with the host behind NAT, and traffic passes unencrypted via clear GRE tunnels.
We ran tests with @zsdc and found that the issue is in opennhrp-script.
This solution fixes this bug:
--- opennhrp-script.origin 2022-04-07 14:04:28.104709038 +0300 +++ opennhrp-script.patched 2022-04-07 14:50:00.108961890 +0300 @@ -28,9 +28,12 @@ logger -t ${_script_name} -p local7.notice "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)" if [[ ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ) ]]; then if grep "${NHRP_SRCADDR}" "${_nhrp_ipsec}"; then - swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA > /dev/null 2>&1 - logger -t ${_script_name} -p local7.notice "IPSec: connect to $NHRP_SRCADDR ($NHRP_SRCNBMA)" - swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1 + if swanctl -l -r | grep -q "^list-sa event {dmvpn-DMVPN-.* state=ESTABLISHED local-host=$NHRP_SRCNBMA.*remote-host=$NHRP_DESTNBMA"; then + logger -t ${_script_name} -p local7.notice "IPSec: connection to $NHRP_DESTADDR ($NHRP_DESTNBMA) already exists" + else + logger -t ${_script_name} -p local7.notice "IPSec: connect to $NHRP_DESTADDR ($NHRP_DESTNBMA)" + swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1 + fi fi fi ;;
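Review bot: the new guard only looks at the IKE_SA line of `swanctl -l -r` (`state=ESTABLISHED local-host=... remote-host=...`), so in the case described above, where the IKE_SA survives the inactivity timeout but its CHILD_SAs have been deleted, the script logs "connection ... already exists" and skips `swanctl -i -c dmvpn`, which was the only call that re-established the CHILD_SA; traffic then stays on the clear GRE tunnel. Consider also requiring a CHILD_SA entry for that peer in the raw listing before taking the "already exists" branch, and keep the `swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA` call for the case where only the IKE_SA is present. Separately, the grep pattern is not anchored after `remote-host=$NHRP_DESTNBMA` and the dots in the expanded addresses are regex metacharacters, so a peer 10.0.0.1 also matches an SA to 10.0.0.10; escaping the dots (or matching with `-F` on the extracted field) and terminating the pattern with the following delimiter would make the check exact. Changing the "IPSec: connect to" log line from `$NHRP_SRCADDR` to `$NHRP_DESTADDR` is a good correction, since the old message named the local side rather than the peer being connected to.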