
Cisco spoke does not connect to VyOS hub.
Status: Closed, Resolved (Public, Bug)

Description

Cisco spoke (10.0.0.3) does not connect to VyOS hub (10.0.0.1).

vyos@vyos# run show nhrp tunnel 
Status: ok

Interface: tun0
Type: local
Protocol-Address: 10.0.0.7/32
Alias-Address: 10.0.0.1
Flags: up

Interface: tun0
Type: local
Protocol-Address: 10.0.0.1/32
Flags: up

Interface: tun0
Type: negative
Protocol-Address: 10.0.0.3/32
NBMA-Address: 192.168.122.91
Expires-In: 2:49

journalctl:

Jul 19 18:36:16 vyos sudo[3501]:     root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route get 192.168.122.91 from 192.168.122.100
Jul 19 18:36:16 vyos sudo[3501]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 19 18:36:16 vyos sudo[3501]: pam_unix(sudo:session): session closed for user root
Jul 19 18:36:16 vyos sudo[3504]:     root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route add 192.168.122.91 from 192.168.122.100 dev eth0 uid 0
Jul 19 18:36:16 vyos sudo[3504]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 19 18:36:16 vyos sudo[3504]: pam_unix(sudo:session): session closed for user root
Jul 19 18:36:16 vyos opennhrp[3284]: [10.0.0.3] Peer up script failed: exitstatus 1

Check route:

vyos@vyos# ip route get 192.168.122.91 from 192.168.122.100
192.168.122.91 from 192.168.122.100 dev eth0 uid 1002 
    cache 
[edit]
vyos@vyos#

The script uses the wrong ip route command:

COMMAND=/usr/sbin/ip route add 192.168.122.91 from 192.168.122.100 dev eth0 uid 0

VyOS Hub config:

set interfaces ethernet eth0 address '192.168.122.100/24'
set interfaces tunnel tun0 address '10.0.0.1/29'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '192.168.122.100'
set protocols nhrp tunnel tun0 cisco-authentication 'secret'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-DMVPN compression 'disable'
set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
set vpn ipsec esp-group ESP-DMVPN mode 'transport'
set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-DMVPN ikev2-reauth 'no'
set vpn ipsec ike-group IKE-DMVPN key-exchange 'ikev1'
set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-DMVPN'
set vpn ipsec profile NHRPVPN ike-group 'IKE-DMVPN'

Cisco Spoke config:

crypto keyring DMVPN  
  pre-shared-key address 192.168.122.100 key secret
!         
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2  
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 192.168.122.100 255.255.255.255     
!         
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac 
 mode transport
!         
crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256 
 set pfs group2
 set isakmp-profile DMVPN
!                
interface Tunnel10
 ip address 10.0.0.3 255.255.255.248
 no ip redirects
 ip nhrp authentication secret
 ip nhrp map 10.0.0.1 192.168.122.100
 ip nhrp map multicast 192.168.122.100
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp registration timeout 75
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!         
interface FastEthernet0/0
 ip address dhcp
 duplex full
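Added example (not VyOS or OpenNHRP code): the journal lines above show the peer-up hook splicing the first line of `ip route get` output straight into `ip route add`. Current iproute2 appends `uid <N>` (the uid the lookup ran as, hence `uid 0` under sudo and `uid 1002` in the reporter's shell) to that line, and `ip route add` has no `uid` keyword, so the command exits 1 and opennhrp logs "Peer up script failed". The script below parses the `ip route get` output into keyword/value pairs and rebuilds the add command from only the keywords `ip route add` accepts (`via`, `dev`, `src`), dropping `from`, `uid`, `table` and the `cache` annotations. The sample outputs, the `ip --json route get` field names (`dst`, `dev`, `gateway`, `prefsrc`), `proto 42` as a marker for hook-installed routes, and all function names are assumptions made for this example.

```python
import json
import shlex

# Constructed sample: the `ip route get` output pasted on this page, exactly as the
# peer-up hook would read it (trailing space and "cache" line included).
SAMPLE_ROUTE_GET = """192.168.122.91 from 192.168.122.100 dev eth0 uid 1002 
    cache 
"""

# Constructed sample of `ip --json route get` for the same lookup. Field names are
# assumed; the exact set printed varies with the iproute2 version.
SAMPLE_ROUTE_GET_JSON = json.dumps(
    [{"dst": "192.168.122.91", "dev": "eth0", "uid": 1002, "cache": []}]
)

# Route types `ip route get` may print in front of the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast",
               "unreachable", "prohibit", "blackhole", "throw"}
# The only keywords we forward to `ip route add`; everything else is lookup-only
# output (from, uid, table, cache ...) and must not be passed through.
ADD_KEYWORDS = ("via", "dev", "src")


def naive_route_add(route_get_output: str) -> list:
    """What the failing hook effectively runs: ip route add $(ip route get ... | head -1)."""
    first_line = route_get_output.strip().splitlines()[0]
    return ["ip", "route", "add"] + first_line.split()


def parse_route_get(route_get_output: str) -> dict:
    """Parse the first line of `ip route get` text output into {keyword: value}."""
    tokens = route_get_output.strip().splitlines()[0].split()
    route = {}
    i = 0
    if tokens[i] in ROUTE_TYPES:       # e.g. "local 192.168.122.100 dev lo ..."
        route["type"] = tokens[i]
        i += 1
    route["dst"] = tokens[i]
    i += 1
    while i < len(tokens):
        key = tokens[i]
        if key == "cache":             # cache annotations follow; nothing useful
            break
        if i + 1 >= len(tokens):       # bare flag (e.g. "onlink") at end of line
            break
        route[key] = tokens[i + 1]
        i += 2
    return route


def parse_route_get_json(route_get_json: str) -> dict:
    """Same from `ip --json route get`, which avoids positional parsing entirely."""
    entries = json.loads(route_get_json)
    if not isinstance(entries, list) or not entries:
        raise ValueError("unexpected `ip --json route get` output")
    entry = entries[0]
    route = {"dst": entry["dst"]}
    if "gateway" in entry:             # assumed JSON key for "via"
        route["via"] = entry["gateway"]
    if "dev" in entry:
        route["dev"] = entry["dev"]
    if "prefsrc" in entry:             # assumed JSON key for "src"
        route["src"] = entry["prefsrc"]
    return route


def build_route_add(route: dict, proto: int = 42, mtu=None) -> list:
    """argv for `ip route add` containing only accepted keywords.
    `proto 42` is an assumed tag so a peer-down hook can find and delete the route."""
    if route.get("type") not in (None, "unicast"):
        raise ValueError(f"refusing to add a {route['type']} route towards a peer")
    argv = ["ip", "route", "add", route["dst"]]
    for key in ADD_KEYWORDS:
        if key in route:
            argv += [key, route[key]]
    argv += ["proto", str(proto)]
    if mtu is not None:
        argv += ["mtu", str(mtu)]
    return argv


def peer_up_route_cmd(route_get_output: str, mtu=None) -> str:
    """Shell-safe command line for the peer-up hook."""
    return shlex.join(build_route_add(parse_route_get(route_get_output), mtu=mtu))


if __name__ == "__main__":
    print("broken:", shlex.join(naive_route_add(SAMPLE_ROUTE_GET)))
    print("fixed :", peer_up_route_cmd(SAMPLE_ROUTE_GET, mtu=1476))
    print("json  :", shlex.join(build_route_add(parse_route_get_json(SAMPLE_ROUTE_GET_JSON))))
```

Run against the page's sample the "broken" line reproduces `ip route add 192.168.122.91 from 192.168.122.100 dev eth0 uid 1002`, while the rebuilt command is `ip route add 192.168.122.91 dev eth0 proto 42 mtu 1476`. Refusing non-unicast route types matters when the NBMA address resolves locally (`local ... dev lo`): installing that as a peer route would be wrong, and failing loudly is better than silently adding it.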

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202206301146
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc changed the task status from Open to Confirmed. Jul 19 2022, 7:01 PM
zsdc claimed this task.
zsdc triaged this task as Normal priority.
zsdc changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
zsdc changed Why the issue appeared? from Will be filled on close to Implementation mistake.
zsdc changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
zsdc changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
Viacheslav changed the task status from In progress to Needs testing. Jul 22 2022, 11:15 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.