Convert a Cisco DMVPN into VyOS

Hi guys.
Sorry for bothering you with this noob question.
I have a Cisco DMVPN config that I want to implement on VyOS.
Can anyone help convert this Cisco DMVPN into VyOS?

Config :

crypto isakmp policy 300
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 s@@@12cm address 192.169.4.166
!
!
crypto ipsec transform-set DM-SET esp-3des esp-sha-hmac
!
crypto ipsec profile DM
set security-association lifetime seconds 120
set transform-set DM-SET
!
interface Tunnel306
bandwidth 2048
ip address 10.50.4.121 255.255.255.0
ip nhrp map 10.50.4.1 192.169.4.166
ip nhrp map multicast 192.169.4.166
ip nhrp holdtime 300
ip nhrp nhs 10.50.4.1
ip nhrp registration timeout 300
delay 1000
tunnel source “your wan ip address”
tunnel destination 192.169.4.166
tunnel key 1979
tunnel protection ipsec profile DM
!
ip route 192.168.12.0 255.255.255.240 10.50.4.1 name DMVPN
ip route 192.168.25.0 255.255.255.0 10.50.4.1 name DMVPN

LAN-IP
192.168.24.128/28

Hello @root99
VyOS is spoke or hub?

I don’t know exactly what the difference is.
This VyOS will be a device that works as a client to a Cisco router.
VyOS <----[DMVPN]----> Cisco Router

Try this configuration:

set interfaces tunnel tun0 address '10.50.4.122/24' --- your tunnel IP address (10.50.4.122 for example)
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1979'
set interfaces tunnel tun0 source-address '0.0.0.0'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 map 10.50.4.1 nbma-address '192.169.4.166'
set protocols nhrp tunnel tun0 map 10.50.4.1 register
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-DMVPN compression 'disable'
set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
set vpn ipsec esp-group ESP-DMVPN mode 'transport'
set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-DMVPN ikev2-reauth 'no'
set vpn ipsec ike-group IKE-DMVPN key-exchange 'ikev1'
set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0' --- your outbound interface
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 's@@@12cm' --- your pre-shared-key
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-DMVPN'
set vpn ipsec profile NHRPVPN ike-group 'IKE-DMVPN'

Thank you for the response.
I’ve set the configuration; after the VPN connected I should be able to ping the IP address 10.50.4.1, but I got a timeout.
I called the person at the other site (Cisco side) and they said the connection is not connected.

Here are the debug commands I used to find the problem. Can you check where the problem is? (Are there any other debug commands I need?)

-- The `10.139.1.2` IP address is my WAN address.
-- `192.169.4.166` is the Cisco device IP address (Cisco VPN server):
-- `10.50.4.1` is what I must be able to ping after the VPN is connected <-- PROBLEM IS HERE

vyos@vyos:~$ ping 192.169.4.166
PING 192.169.4.166 (192.169.4.166) 56(84) bytes of data.
64 bytes from 192.169.4.166: icmp_seq=1 ttl=251 time=21.6 ms
64 bytes from 192.169.4.166: icmp_seq=2 ttl=251 time=21.4 ms
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
vyos@vyos:~$

vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.169.4.166 192.169.4.166             10.139.1.2 10.139.1.2                  

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   3DES_CBC     HMAC_SHA1_96  MODP_1024      no     183     0      

vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.10.131-amd64-vyos, x86_64):
  uptime: 16 minutes, since Mar 20 21:20:38 2022
  malloc: sbrk 3096576, mmap 0, used 1069936, free 2026640
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  192.168.180.2
  10.139.1.2
Connections:
dmvpn-NHRPVPN-tun0:  %any...%any  IKEv1
dmvpn-NHRPVPN-tun0:   local:  uses pre-shared key authentication
dmvpn-NHRPVPN-tun0:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (1 up, 0 connecting):
dmvpn-NHRPVPN-tun0[2]: ESTABLISHED 3 minutes ago, 10.139.1.2[10.139.1.2]...192.169.4.166[192.169.4.166]
dmvpn-NHRPVPN-tun0[2]: IKEv1 SPIs: 9788b98e7caa0636_i* 04b9118b21cec767_r, rekeying in 55 minutes
dmvpn-NHRPVPN-tun0[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$ 
vyos@vyos:~$ 



-- The device IP address that I must be able to ping after the tunnel/VPN is connected:
vyos@vyos:~$ ping 10.50.4.1
PING 10.50.4.1 (10.50.4.1) 56(84) bytes of data.
From 10.50.4.121 icmp_seq=7 Destination Host Unreachable
From 10.50.4.121 icmp_seq=8 Destination Host Unreachable
^C
--- 10.50.4.1 ping statistics ---
9 packets transmitted, 0 received, +2 errors, 100% packet loss, time 8231ms
pipe 2
vyos@vyos:~$ traceroute 10.50.4.1
traceroute to 10.50.4.1 (10.50.4.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * * ^C
vyos@vyos:~$ 


Try changing:
set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group1'
set vpn ipsec esp-group ESP-DMVPN lifetime '120'

Thank you for your response, but it is the same as before :pensive:.
I’ve changed the configs, committed, saved, then rebooted. Here are the debugs:

-- The `10.139.1.2` IP address is my WAN address.
-- `192.169.4.166` is the Cisco device IP address (Cisco VPN server):
-- `10.50.4.1` is what I must be able to ping after the VPN is connected <-- PROBLEM IS HERE

vyos@vyos# show vpn ipsec esp-group 
 esp-group ESP-DMVPN {
     compression disable
     lifetime 120
     mode transport
     pfs dh-group1
     proposal 1 {
         encryption 3des
         hash sha1
     }
 }

vyos@vyos:~$ traceroute 10.50.4.1
traceroute to 10.50.4.1 (10.50.4.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.169.4.166 192.169.4.166             10.139.1.2 10.139.1.2                  

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   3DES_CBC     HMAC_SHA1_96  MODP_1024      no     282     0      

vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
vyos@vyos:~$ 
vyos@vyos:~$ 
vyos@vyos:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.10.131-amd64-vyos, x86_64):
  uptime: 6 minutes, since Mar 20 19:56:00 2022
  malloc: sbrk 3096576, mmap 0, used 998528, free 2098048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  192.168.180.2
  10.139.1.2
Connections:
dmvpn-NHRPVPN-tun0:  %any...%any  IKEv1
dmvpn-NHRPVPN-tun0:   local:  uses pre-shared key authentication
dmvpn-NHRPVPN-tun0:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (1 up, 0 connecting):
dmvpn-NHRPVPN-tun0[1]: ESTABLISHED 5 minutes ago, 10.139.1.2[10.139.1.2]...192.169.4.166[192.169.4.166]
dmvpn-NHRPVPN-tun0[1]: IKEv1 SPIs: 03a05c464e616114_i* 04b9118b0773a9ef_r, rekeying in 51 minutes
dmvpn-NHRPVPN-tun0[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$ 
vyos@vyos:~$ 


vyos@vyos:~$ ping 192.169.4.166
PING 192.169.4.166 (192.169.4.166) 56(84) bytes of data.
64 bytes from 192.169.4.166: icmp_seq=1 ttl=251 time=21.3 ms
64 bytes from 192.169.4.166: icmp_seq=2 ttl=251 time=21.4 ms
64 bytes from 192.169.4.166: icmp_seq=3 ttl=251 time=21.3 ms
^C
--- 192.169.4.166 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 21.285/21.333/21.376/0.037 ms
vyos@vyos:~$  

Hello @root99
For the correct settings, you need to check the IPsec settings used on VyOS and on the main Cisco (hub). Maybe the IPsec settings don’t match.
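The advice above (check that the VyOS IPsec settings match the Cisco hub) and the conversion asked for at the top of the thread both come down to comparing the same handful of IKE/ESP parameters. The script below is an added example, not code from the thread or from the VyOS or Cisco projects: it parses the posted Cisco crypto config and the suggested VyOS `set vpn ipsec` commands (both embedded as constructed copies, PSK omitted) and lists every field where they differ. Assumptions it makes: the IOS keyword-to-VyOS algorithm mapping, the IOS defaults used for fields the Cisco config leaves out (ISAKMP des/sha/group 1/86400 s, transform-set tunnel mode, SA lifetime 3600 s, no PFS), and the split between "must match" fields (algorithms, DH group, mode) and negotiated ones (lifetimes, PFS), which it only reports as notes.

```python
"""Cross-check the IKE/ESP parameters of a Cisco IOS DMVPN crypto config against
a VyOS 'set vpn ipsec ...' config and list where they differ. Constructed for
this thread (not a Cisco or VyOS tool); the inputs are the two posted configs."""
import re

# Constructed copy of the posted Cisco spoke config (pre-shared key left out).
CISCO_CFG = """
crypto isakmp policy 300
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set DM-SET esp-3des esp-sha-hmac
crypto ipsec profile DM
 set security-association lifetime seconds 120
 set transform-set DM-SET
"""

# Constructed copy of the suggested VyOS commands (crypto parameters only).
VYOS_CFG = """
set vpn ipsec esp-group ESP-DMVPN lifetime '1800'
set vpn ipsec esp-group ESP-DMVPN mode 'transport'
set vpn ipsec esp-group ESP-DMVPN pfs 'dh-group2'
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-DMVPN lifetime '3600'
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash 'sha1'
"""

# IOS algorithm keyword -> VyOS name (assumed mapping; 3DES/AES/SHA-1/MD5 only).
IOS_ALG = {"3des": "3des", "aes": "aes128", "aes 256": "aes256", "sha": "sha1", "md5": "md5",
           "esp-3des": "3des", "esp-aes": "aes128", "esp-aes 256": "aes256",
           "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
IKE_KEYS = {"encr": "encryption", "hash": "hash", "group": "dh-group", "lifetime": "lifetime"}
# These must be identical for the SA to come up; lifetimes and PFS are negotiated
# (IOS takes the shorter lifetime) and are therefore only reported as notes.
STRICT = {"ike encryption", "ike hash", "ike dh-group", "esp encryption", "esp hash", "esp mode"}
VYOS_RE = re.compile(r"^set vpn ipsec (ike-group|esp-group) \S+ (?:proposal \d+ )?(\S+) '?([^']*)'?$")

def parse_cisco(text):
    """Return {'ike': {...}, 'esp': {...}} in VyOS naming. Omitted fields take the
    IOS defaults: isakmp des/sha/group 1/86400 s; tunnel mode, 3600 s, no PFS."""
    ike = {"encryption": "des", "hash": "sha1", "dh-group": "1", "lifetime": "86400"}
    esp = {"mode": "tunnel", "lifetime": "3600", "pfs": "none"}
    tsets, block, profile_tset = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if line.startswith("crypto isakmp policy"):
            block = ("ike",)
        elif line.startswith("crypto ipsec transform-set"):
            t = {"mode": "tunnel"}  # IOS default unless a 'mode transport' line follows
            for tok in re.findall(r"esp-[a-z0-9-]+(?: \d+)?", " ".join(w[4:])):
                t["hash" if tok.endswith("-hmac") else "encryption"] = IOS_ALG.get(tok, tok)
            tsets[w[3]] = t
            block = ("tset", w[3])
        elif line.startswith("crypto ipsec profile"):
            block = ("profile",)
        elif block == ("ike",) and w[0] in IKE_KEYS:
            val = " ".join(w[1:])
            ike[IKE_KEYS[w[0]]] = IOS_ALG.get(val, val)
        elif block and block[0] == "tset" and w[0] == "mode":
            tsets[block[1]]["mode"] = w[1]
        elif block == ("profile",) and w[0] == "set":
            if w[1] == "transform-set":
                profile_tset = w[2]
            elif w[1:4] == ["security-association", "lifetime", "seconds"]:
                esp["lifetime"] = w[4]
            elif w[1] == "pfs":
                esp["pfs"] = w[2].replace("group", "")
    if profile_tset in tsets:
        esp.update(tsets[profile_tset])
    return {"ike": ike, "esp": esp}

def parse_vyos(text):
    """Collect ike-group/esp-group settings; 'pfs dh-groupN' is normalised to 'N'."""
    out = {"ike": {}, "esp": {}}
    for m in filter(None, (VYOS_RE.match(ln.strip()) for ln in text.splitlines())):
        side = "ike" if m.group(1) == "ike-group" else "esp"
        key, val = m.group(2), m.group(3)
        if key == "pfs":
            val = "none" if val == "disable" else val.replace("dh-group", "")
        out[side][key] = val
    return out

def compare(cisco_text, vyos_text):
    """Return [(severity, field, cisco_value, vyos_value)] for each differing field."""
    c, v = parse_cisco(cisco_text), parse_vyos(vyos_text)
    findings = []
    for side in ("ike", "esp"):
        for key, cval in c[side].items():
            vval = v[side].get(key, "<unset>")
            if vval != cval:
                field = f"{side} {key}"
                findings.append(("MISMATCH" if field in STRICT else "NOTE", field, cval, vval))
    return findings
```

Run against the two posted configs, `compare(CISCO_CFG, VYOS_CFG)` reports exactly one MISMATCH, `esp mode` (Cisco tunnel, VyOS transport), which is the change that later got the tunnel up in this thread, plus notes for the ESP lifetime (120 vs 1800), the IKE lifetime and PFS. Pasting the hub's real crypto section in place of CISCO_CFG gives the same check for any other spoke.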

Thank you for your help, the connection problem was solved after changing the esp-group mode to tunnel.

set vpn ipsec esp-group ESP-DMVPN mode 'tunnel'

Now I can ping 10.50.4.1 but :pensive: I have a new problem.

What is the new problem?
The tunnel disconnects after 10 minutes (~600 seconds).

-- Here are the debugs after the tunnel disconnected (10.50.4.1 not pingable)
-- Empty IPsec list !!?
vyos@vyos:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
-- Empty IKE list !!?
vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ 

What have I tried?
I’ve also enabled dead-peer-detection but the problem is not resolved. Dead peer config:

set vpn ipsec ike-group IKE-DMVPN dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-DMVPN dead-peer-detection interval 20
set vpn ipsec ike-group IKE-DMVPN dead-peer-detection timeout 60

How will it reconnect?
If I run `reset nhrp purge`, the tunnel will be connected for exactly 60 seconds.

Is anything suspicious found?
Another thing is that my IPsec connection list is as below; is it normal?
(I have a session that pings through the tunnel constantly)

vyos@vyos:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID      Proposal
------------  -------  --------  --------------  ----------------  ----------------  -------------  -------------------------------
dmvpn         down     1m37s     112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     21s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     22s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     23s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     24s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     26s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     27s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     28s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     29s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         up       20s       2K/2K           20B/20B           192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
vyos@vyos:~$ 
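The `sh vpn ipsec sa` table above is the kind of output that is easier to judge once the uptime and byte columns are numbers. The script below is an added example, not part of the thread or of VyOS: it parses that table (embedded as a constructed copy) into records, then applies a churn heuristic that is this example's own assumption, not a VyOS feature: more than two child SAs already in state `down`, every one of them younger than the configured ESP lifetime (assumed here to be the 120 s set earlier in the thread) and carrying under 1 KiB, means the SA is being torn down and rebuilt far faster than normal rekeying would produce.

```python
"""Summarise a VyOS 'show vpn ipsec sa' table and flag child-SA churn.
Constructed example for this thread; SAMPLE is the table posted above and the
churn heuristic in assess() is this example's assumption, not a VyOS feature."""
import re
from statistics import median

SAMPLE = """\
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID      Proposal
------------  -------  --------  --------------  ----------------  ----------------  -------------  -------------------------------
dmvpn         down     1m37s     112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     21s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     22s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     23s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     24s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     26s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     27s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     28s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         down     29s       112B/112B       1B/1B             192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
dmvpn         up       20s       2K/2K           20B/20B           192.169.4.166     192.169.4.166  3DES_CBC/HMAC_SHA1_96/MODP_1024
"""

ESP_LIFETIME = 120  # seconds; assumed from the esp-group lifetime set earlier in the thread
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}
SIZE = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_duration(text):
    """'1m37s' -> 97, '21s' -> 21, '2h' -> 7200."""
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def parse_size(text):
    """'112B' -> 112, '2K' -> 2048 (one suffix per value, as VyOS prints it)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([BKMG])", text)
    return int(float(m.group(1)) * SIZE[m.group(2)])


def parse_table(text):
    """Turn the 'show vpn ipsec sa' table into a list of dicts, one per SA."""
    rows, started = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            started = True          # everything after the rule line is data
            continue
        f = line.split()
        if not started or len(f) < 8:
            continue
        bytes_in, bytes_out = (parse_size(x) for x in f[3].split("/"))
        rows.append({"conn": f[0], "state": f[1], "uptime": parse_duration(f[2]),
                     "bytes_in": bytes_in, "bytes_out": bytes_out,
                     "peer": f[5], "proposal": f[7]})
    return rows


def assess(rows, lifetime=ESP_LIFETIME):
    """Per-state counts plus a churn flag. Heuristic (this example's, not VyOS'):
    more than two 'down' SAs, every one younger than the configured ESP lifetime
    and carrying under 1 KiB, means the child SA is being torn down and rebuilt
    far faster than ordinary rekeying would explain."""
    down = [r for r in rows if r["state"] == "down"]
    up = [r for r in rows if r["state"] == "up"]
    churn = len(down) > 2 and all(r["uptime"] < lifetime and r["bytes_in"] < 1024 for r in down)
    return {"total": len(rows), "up": len(up), "down": len(down),
            "peers": sorted({r["peer"] for r in rows}),
            "median_down_age": median(r["uptime"] for r in down) if down else None,
            "churn": churn}


if __name__ == "__main__":
    print(assess(parse_table(SAMPLE)))
```

On the posted table this yields 9 down SAs and 1 up, a median age of 26 s for the down entries and the churn flag set; a healthy tunnel with a 120 s ESP lifetime would instead show one or two entries per peer with ages spread up to the lifetime. Feed it the output of `show vpn ipsec sa` captured over a few minutes to see whether the pattern repeats.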

Hello @root99
Can you provide the current configuration of the VyOS DMVPN and the central Cisco?