
DMVPN on 1.2.0
Closed, Resolved | Public | BUG

Description

I've been doing some debugging of DMVPN on VyOS 1.2.

After compiling the vyos-strongswan repository patched by UnicronNL on 17 Aug 2018, the code seems to be going and opennhrp is able to create and tear down IPsec sessions on peer-up/peer-down,

but there are still some things that are missing before DMVPN is up and running.

There is a typo in /etc/opennhrp/opennhrp-script on line 27(?): a missing > in front of /dev/null.

To ease debugging of opennhrp bringup/teardown I've added debug info to opennhrp-script: https://pastebin.com/AiVTHzNH
All output from swanctl is not logged into /tmp/opennhrp.

When strongSwan is configured the swanctl connection profile is not loaded. This has to be done manually for now with: sudo swanctl --load-all

When all of this is done, swanctl tries to load the connection profile when the opennhrp script tries to configure the neighbor, but fails with: no acceptable traffic selectors found.
(from /tmp/opennhrp):

Create link from 172.16.2.2 (xx.xx.xx.xx) to 172.16.2.254 (yy.yy.yy.yy)
swanctl -t -S xx.xx.xx.xx -R yy.yy.yy.yy
terminate failed: no matching SAs to terminate found
swanctl -i -c dmvpn -S xx.xx.xx.xx -R yy.yy.yy.yy
initiate failed: establishing CHILD_SA 'dmvpn' failed
[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun10[1] to yy.yy.yy.yy
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (180 bytes)
[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (176 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[IKE] received strongSwan vendor ID
[IKE] received Cisco Unity vendor ID
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (244 bytes)
[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (228 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (76 bytes)
[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (76 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnprof-dmvpn-tun10[1] established between xx.xx.xx.xx[xx.xx.xx.xx]...yy.yy.yy.yy[yy.yy.yy.yy]
[IKE] scheduling rekeying in 3590s
[IKE] maximum IKE_SA lifetime 3950s
[ENC] generating QUICK_MODE request 1138715168 [ HASH SA No ID ID ]
[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (172 bytes)
[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (156 bytes)
[ENC] parsed QUICK_MODE response 1138715168 [ HASH SA No ID ID ]

[IKE] no acceptable traffic selectors found

Exited with returncode: 1, adding peer aborted

As far as I can see the traffic selector is loaded and all should be good.

$ sudo swanctl --list-conn
vpnprof-dmvpn-tun10: IKEv1, reauthentication every 3600s
  local:  %any
  remote: %any
  local pre-shared key authentication:
    id: xx.xx.xx.xx
  remote pre-shared key authentication:
  dmvpn: TUNNEL, rekeying every 1800s
    local:  dynamic[gre]
    remote: dynamic[gre]

Could there be any more code in strongSwan that needs patching?

Details

Version
1.2.0

Event Timeline

After intense searching I came across this:

https://wiki.strongswan.org/issues/1068 - strongswan 5.3.2 and IKEv1 in transport mode causes NO_PROPOSAL_CHOSEN error

I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.

After disabling the unity plugin, traffic selectors are found and IPsec is working!
/etc/strongswan.d/charon/unity.conf:

unity {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no

}

There are still some bugs and snags that need to be nailed down, because after a while I see unencrypted GRE traffic passing back and forth, and that's no good.. :/

Is there any way to disable unencrypted traffic without disabling proto gre in a firewall rule?

I got DMVPN up and running. Here is the list of things to do:

  • add ability to disable cisco_unity plugin to fix wildcard gre traffic selector. (or disable it by default so the user needs to turn it on?)

After @dmbaturin rolled a new image with the patched opennhrp script and swanctl code, DMVPN works as expected when manually disabling the cisco_unity plugin in /etc/strongswan.d/charon/unity.conf.

We now have two options: disable the plugin globally, or make a "disable-cisco-unity" config option inside vpn ipsec options to disable it.

Any ideas?

When cisco_unity plugin is disabled globally, can Cisco DMVPN clients still connect?

I'm using a Cisco DMVPN spoke with a VyOS HUB, I can test the settings, too.

As far as I can see this should be possible. It looks like the cisco_unity plugin is used to automatically install routes and other things that are not needed when we are running inside a GRE tunnel as is done in DMVPN. But I have not looked into the unity plugin's code so I'm not completely sure.

@c-po did you manage to test disabling cisco-unity in a mixed vyos/cisco environment?

Nope, it was an offer to test a pre-built image ;).

If you tell me the exact steps I can also patch my DMVPN HUB without an image before we adopt the CLI.

@c-po, Ahh! :)
You could compile the vyos/vyos-strongswan GitHub repo, but an image is the best to test with.
I had issues with just applying strongSwan patches. (strongSwan crashed and hung my device when restarting services.)
The latest image created is http://dev.packages.vyos.net/tmp/vyos-dmvpn-0820.iso created by @dmbaturin on 21 Aug.
After that is installed, change this:

/etc/strongswan.d/charon/unity.conf:

unity {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no

}

and DMVPN should come up

:)

Working perfectly with VyOS acting as DMVPN HUB.

Using Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)

Nice @c-po!
A new image is created to hotfix frr not starting before vyatta-router: http://dev.packages.vyos.net/tmp/vyos-1.2.0-frr-20180825.iso

Trying to set up a DMVPN HUB using the wiki as reference on 1.2.0-rolling+201808272007

results in the following errors when committing:

Restarting Next Hop Resolution Protocol: opennhrpopennhrp[6637]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
.

[ vpn ]
WARNING: The pre-shared-secret will not be updated until the next re-keying interval
To force the key change use: 'reset vpn ipsec-peer'
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[6708]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
.

Couldn't open /opt/vyatta/etc/config/archive/commits - Permission denied at /opt/vyatta/share/perl5/Vyatta/ConfigMgmt.pm line 108.
run-parts: /etc/commit/post-hooks.d/01vyatta-commit-revs.pl exited with return code 13

I don't know if this is related, but I think it might be.

Setting up a spoke using the wiki config as reference works without any problems.

@Maltahl can you share your hub/spoke configuration? This helps us to reproduce your issue.

@c-po I have redacted the parts of the config I don't want leaked and I will just change the passphrase :)

#SPOKE

set interfaces tunnel tun0 address 10.0.100.2/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 85.204.XXX.XXX
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication 'hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb'
set protocols nhrp tunnel tun0 map 10.0.100.1/24 nbma-address 83.151.XXX.XXX
set protocols nhrp tunnel tun0 map 10.0.100.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1 
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128 
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1 
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256 
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1 
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des 
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5 
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2

set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb
set vpn ipsec profile NHRPVPN bind tunnel tun0 
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE

set protocols static route 10.20.30.0/24 next-hop 10.0.100.1

#HUB

set interfaces tunnel tun0 address 10.0.100.1/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 83.151.XXX.XXX
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb
set protocols nhrp tunnel tun0 holding-time  300
set protocols nhrp tunnel tun0 multicast dynamic
set protocols nhrp tunnel tun0 redirect

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group IKE-HUB proposal 1
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1 
set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128 
set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1 
set vpn ipsec ike-group IKE-HUB lifetime 3600
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256 
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1 
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des 
set vpn ipsec esp-group ESP-HUB proposal 2 hash md5 
set vpn ipsec esp-group ESP-HUB lifetime 1800
set vpn ipsec esp-group ESP-HUB pfs dh-group2

set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb
set vpn ipsec profile NHRPVPN bind tunnel tun0 
set vpn ipsec profile NHRPVPN esp-group ESP-HUB
set vpn ipsec profile NHRPVPN ike-group IKE-HUB

set protocols static route 10.0.1.0/24 next-hop 10.0.100.2

Just tried your configuration and adapted it to my LAB. I can't reproduce your issue.

But in fact, I can't ping my tunnel interfaces either.

HUB

cpo@LR1# commit
[ interfaces tunnel tun0 ]
No remote-ip configured for tun0, tunnel can only be used for mGRE.

[ protocols nhrp ]
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[14176]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
[ vpn ]
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[14294]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
set interfaces loopback lo address '172.16.254.35/32'
set interfaces tunnel tun0 address '10.0.100.1/24'
set interfaces tunnel tun0 description 'HUB'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '172.16.254.35'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols nhrp tunnel tun0 cisco-authentication 'hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
cpo@LR1# ping 172.16.254.36
PING 172.16.254.36 (172.16.254.36) 56(84) bytes of data.
64 bytes from 172.16.254.36: icmp_seq=1 ttl=62 time=0.637 ms

HUB logfile

Sep  1 16:31:43 LR1 opennhrp.init[14088]: Preparing Next Hop Resolution Protocol: opennhrp.
Sep  1 16:31:43 LR1 systemd[1]: Started LSB: RFC 2332 2333 daemon.
Sep  1 16:31:43 LR1 systemd-sysctl[14119]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 16:31:43 LR1 systemd-sysctl[14117]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 16:31:43 LR1 systemd-sysctl[14121]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 16:31:43 LR1 systemd-sysctl[14123]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 16:31:43 LR1 charon: 07[KNL] interface tun0 activated
Sep  1 16:31:43 LR1 charon: 09[KNL] fe80::5efe:ac10:fe23 appeared on tun0
Sep  1 16:31:43 LR1 charon: 12[KNL] 10.0.100.1 appeared on tun0
Sep  1 16:31:44 LR1 opennhrp[14176]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
Sep  1 16:31:45 LR1 charon: 00[DMN] signal of type SIGINT received. Shutting down
Sep  1 16:31:45 LR1 ipsec[2110]: charon stopped after 200 ms
Sep  1 16:31:45 LR1 ipsec[2110]: ipsec starter stopped
Sep  1 16:31:47 LR1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.18.4-amd64-vyos, x86_64)
Sep  1 16:31:47 LR1 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Sep  1 16:31:47 LR1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  1 16:31:47 LR1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  1 16:31:47 LR1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  1 16:31:47 LR1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  1 16:31:47 LR1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  1 16:31:47 LR1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  1 16:31:47 LR1 charon: 00[CFG] loaded 0 RADIUS server configurations
Sep  1 16:31:47 LR1 charon: 00[CFG] HA config misses local/remote address
Sep  1 16:31:47 LR1 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Sep  1 16:31:47 LR1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  1 16:31:47 LR1 charon: 00[JOB] spawning 16 worker threads
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading secrets
Sep  1 16:31:47 LR1 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep  1 16:31:47 LR1 charon: 05[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep  1 16:31:47 LR1 charon: 15[CFG] loaded IKE shared key with id 'ike-dmvpn-tun0' for: '%any'
Sep  1 16:31:47 LR1 charon: 08[CFG] added vici connection: vpnprof-dmvpn-tun0
Sep  1 16:31:48 LR1 opennhrp[14294]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting

SPOKE

cpo@LR2# commit
[ interfaces tunnel tun0 ]
No remote-ip configured for tun0, tunnel can only be used for mGRE.

[ protocols nhrp ]
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[5693]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
[ vpn ]
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[5811]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
set interfaces loopback lo address '172.16.254.36/32'
set interfaces tunnel tun0 description SPOKE
set interfaces tunnel tun0 address '10.0.100.2/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '172.16.254.36'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols nhrp tunnel tun0 cisco-authentication 'hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb'
set protocols nhrp tunnel tun0 map 10.0.100.1/24 nbma-address '172.16.254.35'
set protocols nhrp tunnel tun0 map 10.0.100.1/24 register
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-SPOKE lifetime '1800'
set vpn ipsec esp-group ESP-SPOKE pfs 'dh-group2'
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-SPOKE lifetime '3600'
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'hkK8ffeu5wphrrqCgTgZPEQq8SfIdIHb'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-SPOKE'
set vpn ipsec profile NHRPVPN ike-group 'IKE-SPOKE'
cpo@LR2# ping 172.16.254.35
PING 172.16.254.35 (172.16.254.35) 56(84) bytes of data.
64 bytes from 172.16.254.35: icmp_seq=1 ttl=62 time=0.603 ms

SPOKE logfile

Sep  1 14:31:40 LR2 opennhrp.init[5605]: Preparing Next Hop Resolution Protocol: opennhrp.
Sep  1 14:31:40 LR2 systemd[1]: Started LSB: RFC 2332 2333 daemon.
Sep  1 14:31:40 LR2 systemd-sysctl[5633]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 14:31:40 LR2 systemd-sysctl[5634]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 14:31:40 LR2 charon: 11[KNL] interface tun0 activated
Sep  1 14:31:40 LR2 charon: 15[KNL] fe80::5efe:ac10:fe24 appeared on tun0
Sep  1 14:31:40 LR2 systemd-sysctl[5637]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 14:31:40 LR2 systemd-sysctl[5646]: Overwriting earlier assignment of net/core/rmem_max in file '/etc/sysctl.d/99-sysctl.conf'.
Sep  1 14:31:40 LR2 charon: 06[KNL] 10.0.100.2 appeared on tun0
Sep  1 14:31:42 LR2 opennhrp[5693]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
Sep  1 14:31:42 LR2 charon: 00[DMN] signal of type SIGINT received. Shutting down
Sep  1 14:31:42 LR2 ipsec[2139]: charon stopped after 200 ms
Sep  1 14:31:42 LR2 ipsec[2139]: ipsec starter stopped
Sep  1 14:31:44 LR2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.18.4-amd64-vyos, x86_64)
Sep  1 14:31:44 LR2 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Sep  1 14:31:44 LR2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  1 14:31:44 LR2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  1 14:31:44 LR2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  1 14:31:44 LR2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  1 14:31:44 LR2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  1 14:31:44 LR2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  1 14:31:44 LR2 charon: 00[CFG] loaded 0 RADIUS server configurations
Sep  1 14:31:44 LR2 charon: 00[CFG] HA config misses local/remote address
Sep  1 14:31:44 LR2 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Sep  1 14:31:44 LR2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  1 14:31:44 LR2 charon: 00[JOB] spawning 16 worker threads
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading secrets
Sep  1 14:31:45 LR2 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep  1 14:31:45 LR2 charon: 05[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep  1 14:31:45 LR2 charon: 05[CFG] loaded IKE shared key with id 'ike-dmvpn-tun0' for: '%any'
Sep  1 14:31:45 LR2 charon: 09[CFG] added vici connection: vpnprof-dmvpn-tun0
Sep  1 14:31:46 LR2 opennhrp[5811]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
Sep  1 14:31:51 LR2 charon: 09[CFG] vici terminate with source me 172.16.254.36 and other 172.16.254.35
Sep  1 14:31:51 LR2 charon: 09[CFG] vici initiate 'dmvpn', me 172.16.254.36, other 172.16.254.35, limits 0
Sep  1 14:31:51 LR2 charon: 10[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[1] to 172.16.254.35
Sep  1 14:31:51 LR2 charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep  1 14:31:51 LR2 charon: 10[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:31:55 LR2 charon: 06[IKE] sending retransmit 1 of request message ID 0, seq 1
Sep  1 14:31:55 LR2 charon: 06[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:32:02 LR2 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Sep  1 14:32:02 LR2 charon: 11[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:32:15 LR2 charon: 15[IKE] sending retransmit 3 of request message ID 0, seq 1
Sep  1 14:32:15 LR2 charon: 15[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:32:38 LR2 charon: 07[IKE] sending retransmit 4 of request message ID 0, seq 1
Sep  1 14:32:38 LR2 charon: 07[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:33:20 LR2 charon: 13[IKE] sending retransmit 5 of request message ID 0, seq 1
Sep  1 14:33:20 LR2 charon: 13[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:33:51 LR2 opennhrp[5819]: [10.0.100.1] Peer up script failed: timeout
Sep  1 14:34:36 LR2 charon: 05[IKE] giving up after 5 retransmits
Sep  1 14:34:36 LR2 charon: 05[IKE] peer not responding, trying again (2/0)
Sep  1 14:34:36 LR2 charon: 05[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[1] to 172.16.254.35
Sep  1 14:34:36 LR2 charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep  1 14:34:36 LR2 charon: 05[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:34:40 LR2 charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
Sep  1 14:34:40 LR2 charon: 07[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:34:47 LR2 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Sep  1 14:34:47 LR2 charon: 11[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:35:00 LR2 charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 1
Sep  1 14:35:00 LR2 charon: 16[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:35:16 LR2 charon: 13[CFG] vici terminate with source me 172.16.254.36 and other 172.16.254.35
Sep  1 14:35:16 LR2 charon: 05[IKE] destroying IKE_SA in state CONNECTING without notification
Sep  1 14:35:16 LR2 charon: 08[CFG] vici initiate 'dmvpn', me 172.16.254.36, other 172.16.254.35, limits 0
Sep  1 14:35:16 LR2 charon: 14[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[2] to 172.16.254.35
Sep  1 14:35:16 LR2 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep  1 14:35:16 LR2 charon: 14[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:35:20 LR2 charon: 09[IKE] sending retransmit 1 of request message ID 0, seq 1
Sep  1 14:35:20 LR2 charon: 09[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:35:27 LR2 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Sep  1 14:35:27 LR2 charon: 11[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:35:40 LR2 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Sep  1 14:35:40 LR2 charon: 14[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:36:03 LR2 charon: 16[IKE] sending retransmit 4 of request message ID 0, seq 1
Sep  1 14:36:03 LR2 charon: 16[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:36:45 LR2 charon: 11[IKE] sending retransmit 5 of request message ID 0, seq 1
Sep  1 14:36:45 LR2 charon: 11[NET] sending packet: from 172.16.254.36[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:37:16 LR2 opennhrp[5819]: [10.0.100.1] Peer up script failed: timeout
Sep  1 14:38:01 LR2 charon: 13[IKE] giving up after 5 retransmits
Sep  1 14:38:01 LR2 charon: 13[IKE] peer not responding, trying again (2/0)
Sep  1 14:38:01 LR2 charon: 13[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[2] to 172.16.254.35
Sep  1 14:38:01 LR2 charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep  1 14:38:01 LR2 charon: 13[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:38:05 LR2 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Sep  1 14:38:05 LR2 charon: 14[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
Sep  1 14:38:12 LR2 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Sep  1 14:38:12 LR2 charon: 11[NET] sending packet: from 0.0.0.0[500] to 172.16.254.35[500] (216 bytes)
syncer changed the task status from Open to In progress. (Sep 1 2018, 2:46 PM)
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.
syncer claimed this task.

I'm still seeing this in VyOS 1.3-rolling-202004170117

Changing the ts values to 0.0.0.0/0 is the only way to get the VPN to come up. On my side, I'm still not able to get the full DMVPN established.

Without setting ts values:

Apr 23 08:34:18 ch-dc-vyos01 charon: 08[IKE] scheduling rekeying in 3378s
Apr 23 08:34:18 ch-dc-vyos01 charon: 08[IKE] maximum IKE_SA lifetime 3738s
Apr 23 08:34:18 ch-dc-vyos01 charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Apr 23 08:34:18 ch-dc-vyos01 charon: 08[NET] sending packet: from 10.126.99.50[4500] to XXXXX[32821] (76 bytes)
Apr 23 08:34:18 ch-dc-vyos01 charon: 09[NET] received packet: from XXXXX[32821] to 10.126.99.50[4500] (332 bytes)
Apr 23 08:34:18 ch-dc-vyos01 charon: 09[ENC] parsed QUICK_MODE request 3516024024 [ HASH SA No KE ID ID ]
Apr 23 08:34:18 ch-dc-vyos01 charon: 09[IKE] no matching CHILD_SA config found for 10.128.99.20/32[gre] === XXXXXX[gre]
Apr 23 08:34:18 ch-dc-vyos01 charon: 09[ENC] generating INFORMATIONAL_V1 request 1463531903 [ HASH N(INVAL_ID) ]
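Added here as an editor's example, not code from this task or from VyOS, strongSwan or opennhrp: a small Python triage script for the charon and opennhrp log lines quoted throughout this thread. It groups messages per IKE_SA and classifies each attempt into the failure modes seen above: phase 1 never answered (the retransmit loop in the spoke log), phase 1 up but the GRE CHILD_SA rejected ("no acceptable traffic selectors found"), and the responder-side "no matching CHILD_SA config found". The sample lines are constructed, the hosts and the remote selector are placeholders, and the hints only point back to checks discussed in this task.

```python
"""Triage charon/opennhrp lines from a DMVPN bring-up and say where each IKE_SA stalled.
Hypothetical helper written for this task, not part of VyOS, strongSwan or opennhrp."""
import re
from collections import OrderedDict

# Constructed sample modelled on the logs quoted in this task; hosts and SA names are
# placeholders. The last two lines use the bare "[IKE] ..." form that opennhrp-script
# writes to /tmp/opennhrp (no syslog prefix), which the parser must accept as well.
SAMPLE_LOG = """\
Sep  1 14:31:51 LR2 charon: 10[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[1] to 172.16.254.35
Sep  1 14:31:55 LR2 charon: 06[IKE] sending retransmit 1 of request message ID 0, seq 1
Sep  1 14:32:02 LR2 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Sep  1 14:33:51 LR2 opennhrp[5819]: [10.0.100.1] Peer up script failed: timeout
Sep  1 14:34:36 LR2 charon: 05[IKE] giving up after 5 retransmits
Sep  1 14:35:16 LR2 charon: 14[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[2] to 172.16.254.35
Sep  1 14:35:16 LR2 charon: 14[IKE] IKE_SA vpnprof-dmvpn-tun0[2] established between 172.16.254.36[172.16.254.36]...172.16.254.35[172.16.254.35]
Sep  1 14:35:16 LR2 charon: 14[IKE] no acceptable traffic selectors found
[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun10[1] to 192.0.2.1
[IKE] IKE_SA vpnprof-dmvpn-tun10[1] established between 192.0.2.2[192.0.2.2]...192.0.2.1[192.0.2.1]
"""
# Responder side (hub answering a spoke's Quick Mode); the remote selector is a placeholder.
RESPONDER_LOG = """\
Apr 23 08:34:18 ch-dc-vyos01 charon: 09[IKE] no matching CHILD_SA config found for 10.128.99.20/32[gre] === 10.128.99.21/32[gre]
"""

CHARON_RE = re.compile(r'^(?:.*?charon: \d+)?\[(?P<cat>[A-Z]+)\] (?P<msg>.*)$')
NHRP_RE = re.compile(r'^.*?opennhrp\[\d+\]: \[(?P<peer>[^\]]+)\] (?P<msg>.*)$')
INIT_RE = re.compile(r'initiating Main Mode IKE_SA (?P<sa>\S+\[\d+\]) to (?P<peer>\S+)')
ESTAB_RE = re.compile(r'IKE_SA (?P<sa>\S+\[\d+\]) established')
NO_CFG_RE = re.compile(r'no matching CHILD_SA config found for (?P<local>\S+) === (?P<remote>\S+)')

HINTS = {
    'ike_no_response': 'peer never answered on UDP/500: check reachability, the NHRP nbma-address and that the peer loaded its connection (swanctl --list-conn)',
    'child_ts_rejected': 'phase 1 ok but the GRE CHILD_SA was rejected: traffic selectors disagree (in this thread caused by the cisco_unity plugin)',
    'child_no_config': 'peer proposed selectors that no loaded connection covers: compare the ts values on both sides',
    'established': 'IKE_SA up and no CHILD_SA failure reported in these lines',
    None: 'attempt still in progress at the end of the log',
}


def _record(sas, sa, peer=None):
    """Get or create the per-IKE_SA record; a re-initiated SA keeps its history."""
    return sas.setdefault(sa, {'peer': peer, 'phase1': 'connecting', 'result': None, 'retransmits': 0})


def triage(log_text):
    """Return (OrderedDict sa -> record, list of opennhrp peer-up failures)."""
    sas, nhrp_failures, current = OrderedDict(), [], None
    for line in log_text.splitlines():
        m = NHRP_RE.match(line)
        if m:
            if 'Peer up script failed' in m.group('msg'):
                nhrp_failures.append((m.group('peer'), m.group('msg')))
            continue
        m = CHARON_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        mi, me, mc = INIT_RE.search(msg), ESTAB_RE.search(msg), NO_CFG_RE.search(msg)
        if mi or me:  # "established" also names the SA on a responder that never logged "initiating"
            current = (mi or me).group('sa')
            rec = _record(sas, current, mi.group('peer') if mi else None)
            if me:
                rec['phase1'] = rec['result'] = 'established'
            continue
        if 'sending retransmit' in msg:
            result = 'retransmit'
        elif msg.startswith('giving up after'):
            result = 'ike_no_response'
        elif 'no acceptable traffic selectors found' in msg:
            result = 'child_ts_rejected'
        elif mc:
            result = 'child_no_config'
        else:
            continue  # not a message this triage cares about
        # Failures logged before any SA was named (responder side) are pooled.
        rec = _record(sas, current or '(responder)')
        if result == 'retransmit':
            rec['retransmits'] += 1
        else:
            rec['result'] = result
            if mc:
                rec['selectors'] = (mc.group('local'), mc.group('remote'))
    for rec in sas.values():
        rec['hint'] = HINTS[rec['result']]
    return sas, nhrp_failures


if __name__ == '__main__':
    for label, log in (('spoke', SAMPLE_LOG), ('hub', RESPONDER_LOG)):
        for sa, rec in triage(log)[0].items():
            print(f'{label} {sa}: {rec["result"]} ({rec["retransmits"]} retransmits) -> {rec["hint"]}')
```

Feed it the spoke's /var/log/messages or /tmp/opennhrp; an SA that ends in ike_no_response with a matching "Peer up script failed: timeout" is the transport-level problem from c-po's lab, while child_ts_rejected after an established phase 1 is the unity-plugin symptom from the task description.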