The Cisco spoke (10.0.0.3) does not connect to the VyOS hub (10.0.0.1).

vyos@vyos# run show nhrp tunnel
Status: ok

Interface: tun0
Type: local
Protocol-Address: 10.0.0.7/32
Alias-Address: 10.0.0.1
Flags: up

Interface: tun0
Type: local
Protocol-Address: 10.0.0.1/32
Flags: up

Interface: tun0
Type: negative
Protocol-Address: 10.0.0.3/32
NBMA-Address: 192.168.122.91
Expires-In: 2:49
journalctl:

Jul 19 18:36:16 vyos sudo[3501]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route get 192.168.122.91 from 192.168.122.100
Jul 19 18:36:16 vyos sudo[3501]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 19 18:36:16 vyos sudo[3501]: pam_unix(sudo:session): session closed for user root
Jul 19 18:36:16 vyos sudo[3504]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route add 192.168.122.91 from 192.168.122.100 dev eth0 uid 0
Jul 19 18:36:16 vyos sudo[3504]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 19 18:36:16 vyos sudo[3504]: pam_unix(sudo:session): session closed for user root
Jul 19 18:36:16 vyos opennhrp[3284]: [10.0.0.3] Peer up script failed: exitstatus 1
Check route:

vyos@vyos# ip route get 192.168.122.91 from 192.168.122.100
192.168.122.91 from 192.168.122.100 dev eth0 uid 1002
    cache
[edit]
vyos@vyos#

The peer-up script builds the wrong ip route command from that output:

COMMAND=/usr/sbin/ip route add 192.168.122.91 from 192.168.122.100 dev eth0 uid 0
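The log above shows the peer-up script taking the output of "ip route get" verbatim (including the "uid" token, which is a display attribute of the lookup, not a route option) and passing it to "ip route add", which then exits 1. The following is an added example, not the VyOS or OpenNHRP script itself: a small POSIX sh function that turns one line of "ip route get" output into the argument list for a host route, keeping only the destination and the via/dev/src tokens and dropping the "from" selector, "uid" and everything from "cache" onwards. The sample line is the one the hub printed in this report; the assumption that a host route to the peer's NBMA address needs nothing beyond via/dev/src is mine.

```shell
#!/bin/sh
# Constructed sample: the line `ip route get` printed on the hub in this report.
SAMPLE_ROUTE_GET='192.168.122.91 from 192.168.122.100 dev eth0 uid 1002 cache'

# route_add_args LINE
# Reduce one line of `ip route get` output to arguments that `ip route add`
# accepts for a host route: destination plus via/dev/src. Tokens that the
# lookup prints only for display are dropped: "from ADDR" (the lookup's source
# selector), "uid N", and "cache" with anything that follows it.
# Assumption (not from the page): via/dev/src are all a host route needs.
route_add_args() {
    set -- $1
    out=""
    while [ $# -gt 0 ]; do
        case "$1" in
            from|uid) shift 2; continue ;;        # drop keyword and its value
            cache)    break ;;                    # nothing after cache is a route option
            via|dev|src) out="$out $1 $2"; shift 2; continue ;;
            *)        out="$out $1"; shift ;;     # destination (first token)
        esac
    done
    printf '%s\n' "${out# }"
}

# peer_up_route_cmd DEST SRC
# Build the command the peer-up step would run. Here it is only printed
# (dry run) so the example runs without root or a live interface; a real
# script would feed the same string to ip(8).
# Assumption: the lookup output is supplied by the caller (for a live run,
# replace $3 with "$(ip route get "$1" from "$2")").
peer_up_route_cmd() {
    dest=$1; src=$2; lookup=$3
    args=$(route_add_args "$lookup")
    case "$args" in
        "$dest "*) printf 'ip route add %s\n' "$args" ;;
        *) printf 'lookup for %s from %s gave no usable route\n' "$dest" "$src" >&2; return 1 ;;
    esac
}

# Dry run with the constructed sample; prints: ip route add 192.168.122.91 dev eth0
peer_up_route_cmd 192.168.122.91 192.168.122.100 "$SAMPLE_ROUTE_GET"
```

Compared with the logged command, the generated one no longer carries "from 192.168.122.100" or "uid 0"; the "cache" line that "ip route get" prints on a second line is also discarded rather than glued onto the command.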
VyOS Hub config:

set interfaces ethernet eth0 address '192.168.122.100/24'
set interfaces tunnel tun0 address '10.0.0.1/29'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '192.168.122.100'
set protocols nhrp tunnel tun0 cisco-authentication 'secret'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-DMVPN compression 'disable'
set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
set vpn ipsec esp-group ESP-DMVPN mode 'transport'
set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-DMVPN ikev2-reauth 'no'
set vpn ipsec ike-group IKE-DMVPN key-exchange 'ikev1'
set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-DMVPN'
set vpn ipsec profile NHRPVPN ike-group 'IKE-DMVPN'
Cisco Spoke config:

crypto keyring DMVPN
 pre-shared-key address 192.168.122.100 key secret
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
 keyring DMVPN
 match identity address 192.168.122.100 255.255.255.255
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256
 set pfs group2
 set isakmp-profile DMVPN
!
interface Tunnel10
 ip address 10.0.0.3 255.255.255.248
 no ip redirects
 ip nhrp authentication secret
 ip nhrp map 10.0.0.1 192.168.122.100
 ip nhrp map multicast 192.168.122.100
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp registration timeout 75
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address dhcp
 duplex full