Page MenuHomeVyOS Platform
Create Task
Maniphest T724

Opennhrp fail
Closed, ResolvedPublicBUG
Actions

Description

DMVPN is not working in 1.2
There is an error in NHRP output. It looks like script is using wrong syntax.

[email protected]:/home/ma# opennhrp -v
opennhrp[4359]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
opennhrp[4359]: Adding static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
....
Create link from 10.0.0.2 (192.168.100.204) to 10.0.0.1 (192.168.100.200)
10.0.0.2/24
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:
swanctl --terminate --child <name> | --ike <name | --child-id <id> | --ike-id <id>
[--timeout <s>] [--raw|--pretty]
--help (-h) show usage information
--child (-c) terminate by CHILD_SA name
--ike (-i) terminate by IKE_SA name
--child-id (-C) terminate by CHILD_SA reqid
--ike-id (-I) terminate by IKE_SA unique identifier
--timeout (-t) timeout in seconds before detaching
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--loglevel (-l) verbosity of redirected log
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:
swanctl --initiate --child <name> [--timeout <s>] [--raw|--pretty]
--help (-h) show usage information
--child (-c) initate a CHILD_SA configuration
--timeout (-t) timeout in seconds before detaching
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--loglevel (-l) verbosity of redirected log
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to

opennhrp[4359]: [10.0.0.1] Peer up script failed: exitstatus 1

[email protected]:/home/ma# cat /etc/opennhrp/opennhrp-script

!/bin/sh
_nhrp_config="/etc/opennhrp/opennhrp.conf"
_nhrp_ipsec="/etc/opennhrp/opennhrp.ipsec"
_strongswan_pid="/var/run/charon.pid"
_type="hub"

if ! grep "$NHRP_INTERFACE" $_nhrp_config | grep "hub"> /dev/null 2>&1; then
_type="spoke"
fi

case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
echo "int up"
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ); then
if grep "${NHRP_SRCADDR}" "${_nhrp_ipsec}"; then
swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA /dev/null 2>&1

  • PROBLEM IS HERE --------

-------WRONG SYNTAX-----------
swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1

  • END PROBLEM IS HERE ---------

    echo "peer-up error" fi

fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ); then
swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1
echo "peer-down error"
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rolling+201806260337
Why the issue appeared?
Will be filled on close

Event Timeline

oleksandr.mamenko triaged this task as Normal priority.Jun 29 2018, 9:13 PM
oleksandr.mamenko created this task.
oleksandr.mamenko created this object in space S1 VyOS Public.
syncer assigned this task to UnicronNL.Jun 30 2018, 4:07 PM
syncer added subscribers: Maintainers, Active contributors.
c-po added a subscriber: c-po.Jun 30 2018, 4:45 PM

I can confirm it was working with Version: VyOS 1.2.0-rolling+201806050337

c-po added a comment.Jun 30 2018, 4:49 PM

... and also working with latest rolling version VyOS 1.2.0-rolling+201806300337. Please note there was a time with a "bad" StrongSWAN version, maybe that's what you have.

c-po edited projects, added VyOS 1.2 Crux; removed VyOS 1.2 Crux (VyOS 1.2.0-rc1).Jun 30 2018, 4:50 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.2 Crux board.
syncer moved this task from Finished to Backlog on the VyOS 1.2 Crux board.Jun 30 2018, 5:25 PM
syncer added a subscriber: syncer.

Problem exists, related to missing options

c-po added a comment.Jun 30 2018, 5:30 PM

@oleksandr.mamenko could you please provide a config snippet?

I`m using:

protocols {
    nhrp {
        tunnel tun100 {
            cisco-authentication **
            holding-time 300
            multicast dynamic
            redirect
            shortcut
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-HUB {
            compression disable
            lifetime 1800
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-HUB {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 1
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/8 {
            }
            allowed-network xxx.xxx.0.0/12 {
            }
            allowed-network xxx.xxx.0.0/16 {
            }
        }
        nat-traversal enable
        profile NHRPVPN {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            bind {
                tunnel tun100
            }
            esp-group ESP-HUB
            ike-group IKE-HUB
        }
    }
}

Please note this is also a L2TP/IPSec endpoint thus the nat traversal stuff.

oleksandr.mamenko added a comment.Jun 30 2018, 7:38 PM

@c-po problem exists on SPOKE node
1.I have updated to latest rolling
[email protected]:~$ sh ver
Version: VyOS 1.2.0-rolling+201806300337
Built by: [email protected]
Built on: Sat 30 Jun 2018 03:37 UTC
Build ID: b813533d-49f2-44fb-9b35-9a15e2821f35

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: Unknown
Hardware UUID: Unknown

Copyright: VyOS maintainers and contributors
2. Checking strongswan version
[email protected]:~$ sudo su
[email protected]:/home/ma# dpkg -l strongswan
Desired=Unknown/Install/Remove/Purge/Hold

Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
/ Name Version Architecture Description

+++-=============================================-===========================-===========================-===============================================================================================
ii strongswan 5.5.1-4+deb9u1 all IPsec VPN solution metapackage
3. Errors in log file
[email protected]:/home/ma# grep nhrp /var/log/messages
Jun 30 19:30:15 ipsec-dmvpn opennhrp.init[2717]: Preparing Next Hop Resolution Protocol: opennhrp.
Jun 30 19:30:18 ipsec-dmvpn opennhrp[2985]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
Jun 30 19:30:19 ipsec-dmvpn opennhrp[3057]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
Jun 30 19:30:24 ipsec-dmvpn opennhrp[3064]: [10.0.0.1] Peer up script failed: exitstatus 1
Jun 30 19:30:24 ipsec-dmvpn opennhrp[3064]: [10.0.0.1] Peer up script failed: exitstatus 1
4. Restarting opennhrp with VERBOSE to see errors in realtime.
Yo will find the same error output for wrong syntax.
[email protected]:/home/ma# pkill opennhrp
[email protected]:/home/ma# opennhrp -v
opennhrp[3563]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
opennhrp[3563]: Adding static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
opennhrp[3563]: Interface lo: configured UP, mtu=0
opennhrp[3563]: Interface eth0: configured UP, mtu=1500
opennhrp[3563]: Interface eth1: configured UP, mtu=1500
opennhrp[3563]: Interface gre0: config change, mtu=1476
opennhrp[3563]: Interface gretap0: config change, mtu=1462
opennhrp[3563]: Interface erspan0: config change, mtu=1450
opennhrp[3563]: Interface tun10: configured UP, mtu=1472
opennhrp[3563]: Interface tun10: GRE configuration changed. Purged 1 peers.
opennhrp[3563]: Adding local 10.0.0.2/32 dev tun10
opennhrp[3563]: Adding local 10.0.0.255/32 alias 10.0.0.2 dev tun10
opennhrp[3563]: Filter code installed (21 opcodes)
Create link from 10.0.0.2 (192.168.100.204) to 10.0.0.1 (192.168.100.200)
10.0.0.2/24
swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:

swanctl --terminate --child <name> | --ike <name | --child-id <id> | --ike-id <id>
               [--timeout <s>] [--raw|--pretty]
         --help            (-h)  show usage information
         --child           (-c)  terminate by CHILD_SA name
         --ike             (-i)  terminate by IKE_SA name
         --child-id        (-C)  terminate by CHILD_SA reqid
         --ike-id          (-I)  terminate by IKE_SA unique identifier
         --timeout         (-t)  timeout in seconds before detaching
         --raw             (-r)  dump raw response message
         --pretty          (-P)  dump raw response message in pretty print
         --loglevel        (-l)  verbosity of redirected log
         --debug           (-v)  set debug level, default: 1
         --options         (-+)  read command line options from file
         --uri             (-u)  service URI to connect to

swanctl: invalid option -- 'S'
Error: invalid options
strongSwan 5.5.1 swanctl
usage:

swanctl --initiate --child <name> [--timeout <s>] [--raw|--pretty]
         --help            (-h)  show usage information
         --child           (-c)  initate a CHILD_SA configuration
         --timeout         (-t)  timeout in seconds before detaching
         --raw             (-r)  dump raw response message
         --pretty          (-P)  dump raw response message in pretty print
         --loglevel        (-l)  verbosity of redirected log
         --debug           (-v)  set debug level, default: 1
         --options         (-+)  read command line options from file
         --uri             (-u)  service URI to connect to

opennhrp[3563]: [10.0.0.1] Peer up script failed: exitstatus 1
opennhrp[3563]: Multicast from 10.0.0.2 to 224.0.0.5
^Copennhrp[3563]: Removing local 10.0.0.255/32 alias 10.0.0.2 dev tun10 up
opennhrp[3563]: Removing local 10.0.0.2/32 dev tun10 up
opennhrp[3563]: Removing static 10.0.0.1/24 nbma 192.168.100.200 dev tun10
opennhrp[3563]: NL-ARP(tun10) 10.0.0.1 not-reachable
[email protected]:/home/ma#

5. Config file
[email protected]# show protocols nhrp
tunnel tun10 {

cisco-authentication SECRET
holding-time 10
map 10.0.0.1/24 {
    nbma-address 192.168.100.200
    register
}
multicast nhs
redirect
shortcut

}
[edit]
[email protected]# sh vpn
ipsec {

esp-group ESP-SPOKE {
    compression disable
    lifetime 1800
    mode tunnel
    pfs dh-group2
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption 3des
        hash md5
    }
}
ike-group IKE-SPOKE {
    ikev2-reauth no
    key-exchange ikev1
    lifetime 3600
    proposal 1 {
        dh-group 2
        encryption aes256
        hash sha1
    }
    proposal 2 {
        dh-group 2
        encryption aes128
        hash sha1
    }
}
ipsec-interfaces {
    interface eth0
}
profile NHRPVPN {
    authentication {
        mode pre-shared-secret
        pre-shared-secret SECRET
    }
    bind {
        tunnel tun10
    }
    esp-group ESP-SPOKE
    ike-group IKE-SPOKE
}

}
[edit]

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.
syncer changed the subtype of this task from "Task" to "Bug".Oct 18 2018, 5:40 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc5) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc6) board.
UnicronNL closed this task as Resolved.Nov 5 2018, 9:52 AM

This was fixed some time ago.
https://github.com/vyos/vyos-strongswan/commit/2cfa2c5f85babbfae11898888d6e8c7ca99cdeb5#diff-ab17f7fac35ebad14feb31b720eba1b0R173

syncer moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc6) board.Nov 5 2018, 10:08 AM
syncer added a project: VyOS-1.2.0-GA.
syncer changed the visibility from "Subscribers" to "Public (No Login Required)".Nov 5 2018, 10:11 AM