OpenNHRP / DMVPN was working in hub mode with a Cisco 2811 spoke in this version: 1.2.0-rolling+201808230337.
Log files show:
Sep 15 10:04:28 AC1 opennhrp[2773]: OpenNHRP debian/0.14.1-1+vyos2+current1-4-g41f0852 starting
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading secrets
Sep 15 10:04:29 AC1 charon: 13[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 15 10:04:29 AC1 charon: 13[CFG] loaded IKE secret for 46.38.234.19 %any
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep 15 10:04:29 AC1 charon: 13[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'nat_traversal' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'virtual_private' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: ### 2 parsing errors (0 fatal) ###
Sep 15 10:04:29 AC1 charon: 15[CFG] received stroke: add connection 'remote-access'
Sep 15 10:04:29 AC1 charon: 15[CFG] added configuration 'remote-access'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading secrets
Sep 15 10:04:29 AC1 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 15 10:04:29 AC1 charon: 05[CFG] loaded IKE secret for 46.38.234.19 %any
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Sep 15 10:04:29 AC1 charon: 05[CFG] rereading crls from '/etc/ipsec.d/crls'
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'nat_traversal' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: # deprecated keyword 'virtual_private' in config setup
Sep 15 10:04:29 AC1 ipsec_starter[2722]: ### 2 parsing errors (0 fatal) ###
Sep 15 10:04:29 AC1 xl2tpd[2868]: Not looking for kernel SAref support.
Sep 15 10:04:29 AC1 xl2tpd[2868]: This binary does not support kernel L2TP.
Sep 15 10:04:29 AC1 systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Sep 15 10:04:29 AC1 xl2tpd[2864]: Starting xl2tpd: xl2tpd.
Sep 15 10:04:29 AC1 xl2tpd[2869]: xl2tpd version xl2tpd-1.3.6 started on AC1.cldII.mybll.net PID:2869
Sep 15 10:04:29 AC1 xl2tpd[2869]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 15 10:04:29 AC1 xl2tpd[2869]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 15 10:04:29 AC1 xl2tpd[2869]: Inherited by Jeff McAdams, (C) 2002
Sep 15 10:04:29 AC1 xl2tpd[2869]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 15 10:04:29 AC1 xl2tpd[2869]: Listening on IP address 46.38.234.19, port 1701
Sep 15 10:04:31 AC1 systemd[1]: Stopped LSB: SNMP agents.
Sep 15 10:04:31 AC1 systemd[1]: Starting LSB: SNMP agents...
Sep 15 10:04:31 AC1 systemd[1]: Started LSB: SNMP agents.
Sep 15 10:04:31 AC1 snmpd[2928]: Starting SNMP services:: snmpd
Sep 15 10:04:31 AC1 sudo: pam_unix(sudo:session): session closed for user root
Sep 15 10:04:33 AC1 commit: Successful change to active configuration by user root on unknown
Sep 15 10:04:33 AC1 vyatta-router[1629]: Starting VyOS router: migrate rl-system firewall configure.
Sep 15 10:04:34 AC1 systemd[1]: Reloading.
Sep 15 10:04:34 AC1 systemd[1]: Started VyOS Router.
Sep 15 10:04:34 AC1 systemd[1]: Starting Getty on tty1...
Sep 15 10:04:35 AC1 systemd[1]: Started Getty on tty1.
Sep 15 10:04:35 AC1 systemd[1]: Starting Login Prompts.
Sep 15 10:04:35 AC1 systemd[1]: Reached target Login Prompts.
Sep 15 10:04:35 AC1 systemd[1]: Starting LSB: AWS EC2 instance init script to fetch and load ssh public key...
Sep 15 10:04:36 AC1 systemd[1]: Started LSB: AWS EC2 instance init script to fetch and load ssh public key.
Sep 15 10:04:36 AC1 systemd[1]: Starting Multi-User System.
Sep 15 10:04:36 AC1 systemd[1]: Reached target Multi-User System.
Sep 15 10:04:36 AC1 systemd[1]: Starting Graphical Interface.
Sep 15 10:04:36 AC1 systemd[1]: Reached target Graphical Interface.
Sep 15 10:04:36 AC1 systemd[1]: Starting Update UTMP about System Runlevel Changes...
Sep 15 10:04:37 AC1 systemd[1]: Started Update UTMP about System Runlevel Changes.
Sep 15 10:04:37 AC1 systemd[1]: Startup finished in 14.689s (kernel) + 1min 4.986s (userspace) = 1min 19.675s.
The following configuration is used (only the DMVPN-related parts are kept):
interfaces {
    tunnel tun100 {
        address xxx.xxx.253.134/29
        encapsulation gre
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-multipoint
                priority 2
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip xxx.xxx.234.19
        multicast enable
        parameters {
            ip {
                key xxxxxx
            }
        }
    }
}
protocols {
    nhrp {
        tunnel tun100 {
            cisco-authentication xxx
            holding-time 300
            multicast dynamic
            redirect
            shortcut
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-HUB {
            compression disable
            lifetime 1800
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-HUB {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 2
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/8 {
            }
            allowed-network xxx.xxx.0.0/12 {
            }
            allowed-network xxx.xxx.0.0/16 {
            }
        }
        nat-traversal enable
        profile NHRPVPN {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            bind {
                tunnel tun100
            }
            esp-group ESP-HUB
            ike-group IKE-HUB
        }
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server xxx.xxx.100.10 {
                    key xxxxxx
                }
                radius-server xxx.xxx.100.20 {
                    key xxxxxx
                }
            }
            client-ip-pool {
                start xxx.xxx.222.1
                stop xxx.xxx.222.14
            }
            dns-servers {
                server-1 xxx.xxx.254.31
                server-2 xxx.xxx.254.32
            }
            idle 180
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 60
                lifetime 600
            }
            mtu 1400
            outside-address xxx.xxx.234.19
            outside-nexthop xxx.xxx.234.19
        }
    }
}
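Added example, not part of this report and not VyOS project code: a small Python script that parses a VyOS-style brace configuration like the one above into nested dicts and then audits every esp-group and ike-group proposal for primitives a reviewer would flag today (3DES and MD5 as weak, DH group 2 as weak, SHA-1 and IKEv1 as legacy). The embedded config is a constructed, trimmed copy of the report's vpn ipsec block; the function names (parse_vyos, audit_proposals) and the weak/legacy labels are my own choices, not VyOS terminology.

```python
# Added example (not from the bug report or the VyOS project): parse a
# VyOS-style brace configuration into nested dicts and audit the IPsec
# esp-group / ike-group proposals. Function names and labels are my own.
from typing import Any, Dict, List, Tuple

# Constructed, trimmed copy of the vpn ipsec block shown in the report.
SAMPLE_CONFIG = """
vpn {
    ipsec {
        esp-group ESP-HUB {
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-HUB {
            key-exchange ikev1
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
    }
}
"""

# Broken or legacy primitives; DH groups 1/2/5 are MODP-768/1024/1536.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}
LEGACY_HASH = {"sha1"}
LEGACY_DH = {"5"}
Finding = Tuple[str, str, str, str]  # (severity, group, item, detail)


def parse_vyos(text: str) -> Dict[str, Any]:
    """'key ... {' opens a dict, 'key value' is a leaf, a bare 'key' -> True."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        elif line.endswith("{"):
            node: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            parts = line.split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config")
    return root


def _rate(value: Any, weak: set, legacy: set) -> str:
    return "weak" if value in weak else "legacy" if value in legacy else ""


def audit_proposals(cfg: Dict[str, Any]) -> List[Finding]:
    """Report weak/legacy settings in every vpn ipsec esp-group and ike-group."""
    findings: List[Finding] = []
    checks = [("encryption", WEAK_ENCRYPTION, set()),
              ("hash", WEAK_HASH, LEGACY_HASH),
              ("dh-group", WEAK_DH, LEGACY_DH)]
    for group, body in cfg.get("vpn", {}).get("ipsec", {}).items():
        if not group.startswith(("esp-group ", "ike-group ")):
            continue
        for item, prop in body.items():
            if not (item.startswith("proposal ") and isinstance(prop, dict)):
                continue
            for key, weak, legacy in checks:
                sev = _rate(prop.get(key), weak, legacy)
                if sev:
                    findings.append((sev, group, item, f"{key} {prop[key]}"))
        pfs = body.get("pfs", "")  # esp-group 'pfs dh-group2' has no space
        if isinstance(pfs, str) and pfs.startswith("dh-group"):
            sev = _rate(pfs[len("dh-group"):], WEAK_DH, LEGACY_DH)
            if sev:
                findings.append((sev, group, "pfs", pfs))
        if body.get("key-exchange") == "ikev1":
            findings.append(("legacy", group, "key-exchange", "ikev1"))
    return findings


if __name__ == "__main__":
    for sev, group, item, detail in audit_proposals(parse_vyos(SAMPLE_CONFIG)):
        print(f"{sev:7} {group}: {item}: {detail}")
```

Run against the report's config this flags proposal 2 of ESP-HUB (3des/md5), the dh-group2 PFS setting and the DH group 2 IKE proposals as weak, and SHA-1 plus IKEv1 as legacy. Whether those can be removed depends on what the Cisco 2811 spoke supports; the point of the audit is to make the negotiable set explicit before changing it.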