Azure-based DMVPN Issues

I’m trying to configure a DMVPN where the hub is the Sentrium VyOS 1.2 VM on Azure and the spokes will be mobile servers running vyos-1.3-beta-202109150342. I successfully modeled a very similar config in GNS3, but in my real-world deployment the first spoke won’t associate with the hub.

Some more background:

  • I wanted to get NHRP working before adding IPSEC
  • I’m a little new to the Azure platform - my network security group is wide open to facilitate development and test (I’ll obviously lock it down when the network goes operational)
  • The VM accepts incoming SSH connections through the Azure security group and the 1:1 NAT setup, which I take as evidence that the public IP interface accepts incoming connections

My Azure hub config (edited for brevity and privacy):

set interfaces ethernet eth0 address '10.1.0.4/24'       #this private address is mapped 1:1 to the public IP
set interfaces ethernet eth0 description 'WAN Link'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'

set interfaces ethernet eth1 address '10.0.0.10/24'    #private network connecting to other VMs
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'

set interfaces tunnel tun0 address '172.16.128.1/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.1.0.4'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '###'
set interfaces tunnel tun0 policy route 'change-mss'

set policy route change-mss rule 1 protocol 'tcp'
set policy route change-mss rule 1 set tcp-mss '1360'
set policy route change-mss rule 1 tcp flags 'SYN'

set protocols nhrp tunnel tun0 cisco-authentication 'my_passphrase'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols static route 0.0.0.0/0 next-hop 10.1.0.1

set service ssh client-keepalive-interval '180'
set service ssh port '22'

set system host-name 'hub'

set vpn ipsec

The spoke is currently on my home network, connecting from inside my firewall and NAT gateway. The VyOS instance is able to ping the hub’s public IP and establish SSH connectivity to it.

Spoke config (edited for brevity and privacy):

set interfaces ethernet eth0 address '192.168.1.1/24'          #connection to a user device
set interfaces ethernet eth0 description 'User LAN'

set interfaces loopback lo

set interfaces tunnel tun0 address '172.16.128.12/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '###'
set interfaces tunnel tun0 policy route 'change-mss'
set interfaces tunnel tun0 source-address '0.0.0.0'

set interfaces wireless wlan0 address 'dhcp'                   #the Internet/outgoing DMVPN connection
set interfaces wireless wlan0 description 'Link to Internet'
set interfaces wireless wlan0 mode 'ac'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 security wpa mode 'wpa'
set interfaces wireless wlan0 security wpa passphrase 'my_lab_WPA_key'
set interfaces wireless wlan0 ssid 'my_lab_SSID'
set interfaces wireless wlan0 type 'station'
set nat source rule 100 outbound-interface 'wlan0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'
set policy route change-mss rule 1 protocol 'tcp'
set policy route change-mss rule 1 set tcp-mss '1360'
set policy route change-mss rule 1 tcp flags 'SYN'
set protocols nhrp tunnel tun0 cisco-authentication 'my_passphrase'
set protocols nhrp tunnel tun0 holding-time '60'
set protocols nhrp tunnel tun0 map 172.16.128.1/24 cisco
set protocols nhrp tunnel tun0 map 172.16.128.1/24 nbma-address '[hostname].[region].cloudapp.azure.com'
set protocols nhrp tunnel tun0 map 172.16.128.1/24 register
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols static route 0.0.0.0/0 dhcp-interface 'wlan0'

set service dns forwarding allow-from '0.0.0.0/0'
set service dns forwarding listen-address '192.168.1.1'
set service ssh port '22'

set system host-name 'toc'

set system name-server '1.1.1.1'

set vpn ipsec

From the spoke:

vyos@toc:~$ sho nhrp tunnel
Status: ok

Interface: tun0
Type: local
Protocol-Address: 172.16.128.255/32
Alias-Address: 172.16.128.12
Flags: up

Interface: tun0
Type: local
Protocol-Address: 172.16.128.12/32
Flags: up

Interface: tun0
Type: static
Protocol-Address: 172.16.128.1/24
NBMA-Address: 13.68.235.202
Hostname: vyos.eastus.cloudapp.azure.com
Flags: lower-up

vyos@toc:~$

Further investigation revealed that Azure disallows GRE traffic by policy. Once I enabled IPSEC in tunnel mode, NHRP registered immediately.

Also, this appears to be an invalid command:

set protocols nhrp tunnel tun0 map 172.16.128.1/24 nbma-address '[hostname].[region].cloudapp.azure.com'

The nbma-address variant of the map command is for IP addresses only. I had to change the command to the following form for it to work:

set protocols nhrp tunnel tun0 dynamic-map  172.16.128.1/24 nbma-domain-name  '[hostname].[region].cloudapp.azure.com'

I’m not sure why the command validation engine didn’t reject the original form.
