DMVPN base NHRP already up, but no network flow

I configured DMVPN on 1.2.5. When I finished the config, the VPN status was up. However, when I tried to ping another site's IP, I received "Destination Host Unreachable".

I wanted to check NAT and exclude the other site's IP zone, but I find that VyOS 1.2.5 must have a translation.

```
vyos@vyos:~$ show vpn ipsec sa

Connection        State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
dmvpn-VPN-tun1    up       N/A       N/A             N/A               N/A               N/A          N/A
```


vyos@vyos:~$ show vpn ipsec sa verbose 
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.128-amd64-vyos, x86_64):
  uptime: 16 minutes, since Jul 11 05:08:04 2020
  malloc: sbrk 2945024, mmap 0, used 1148112, free 1796912
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 19
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.64.230.115
Connections:
dmvpn-BJVPN-tun1:  %any...%any  IKEv1
dmvpn-BJVPN-tun1:   local:  [100.64.230.115] uses pre-shared key authentication
dmvpn-BJVPN-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-BJVPN-tun1[9]: ESTABLISHED 25 seconds ago, 100.64.230.115[100.64.230.115]...116.90.86.xxx[116.90.86.xxx]
dmvpn-BJVPN-tun1[9]: IKEv1 SPIs: b8787356cc21e170_i* c67e25f0086e7249_r, rekeying in 53 minutes
dmvpn-BJVPN-tun1[9]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

I think the NAT exclude may have something wrong.

     rule 10 {
         outbound-interface pppoe1
         source {
             address 192.168.101.0/24
         }
         translation {
             address masquerade
         }
     }

That issue needs editing the snwan.conf file: changing the remote from dynamic to 0.0.0.0/0 fixes it.

I hope VyOS fixes this bug.

Thanks.

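An added diagnostic, written for this thread and not part of the original post or of VyOS, that parses the strongSwan `ipsec statusall` style output shown above (what `show vpn ipsec sa verbose` prints on VyOS 1.2) and reports why a tunnel can be "up" without passing traffic. In the posted output an IKE SA is `ESTABLISHED`, but no `CHILD_SA` (`INSTALLED`, ESP) lines appear and the summary table shows `Bytes In/Out N/A`, which is exactly the pattern the script flags: phase 1 succeeded, no phase 2 SA exists, so nothing can be encrypted. It also flags the negotiated `MODP_1024` group and `HMAC_SHA1_96` integrity as weak, and IKEv1 as legacy. `POSTED_STATUS` is a trimmed copy of the output above (with the masked `xxx` octet kept); `HEALTHY_STATUS` is a constructed sample of what a working tunnel's child SA lines look like, and the child-line format is assumed from strongSwan's standard status output.

```python
"""Parse strongSwan 'ipsec statusall' output and flag an IKE SA that has no
installed CHILD_SA (no ESP SAs, so no tunnel traffic) plus weak IKE proposals."""
import re

# Lines in the "Security Associations" section: name[id]: STATE ..., local[id]...remote[id]
IKE_RE = re.compile(r"^(?P<name>\S+)\[(?P<id>\d+)\]: (?P<state>[A-Z]+)[^,]*, "
                    r"(?P<local>[^\[\s]+)\[[^\]]*\]\.\.\.(?P<remote>[^\[\s]+)\[")
VER_RE = re.compile(r"^(?P<name>\S+)\[(?P<id>\d+)\]: (?P<ver>IKEv[12]) SPIs")
PROP_RE = re.compile(r"^(?P<name>\S+)\[(?P<id>\d+)\]: IKE proposal: (?P<prop>\S+)")
# CHILD_SA lines use braces: child{id}:  INSTALLED, TUNNEL, reqid ... (assumed strongSwan format)
CHILD_RE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+), (?P<mode>[A-Z]+)")
TS_RE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")

WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}   # groups below 2048-bit MODP
LEGACY_INTEGRITY = ("HMAC_SHA1", "HMAC_MD5")

# Trimmed copy of the output posted in this thread (masked octet kept as "xxx").
POSTED_STATUS = """\
Security Associations (1 up, 0 connecting):
dmvpn-BJVPN-tun1[9]: ESTABLISHED 25 seconds ago, 100.64.230.115[100.64.230.115]...116.90.86.xxx[116.90.86.xxx]
dmvpn-BJVPN-tun1[9]: IKEv1 SPIs: b8787356cc21e170_i* c67e25f0086e7249_r, rekeying in 53 minutes
dmvpn-BJVPN-tun1[9]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Constructed sample of a working tunnel: IKE SA plus an INSTALLED child SA with GRE selectors.
HEALTHY_STATUS = """\
Security Associations (1 up, 0 connecting):
dmvpn-BJVPN-tun1[3]: ESTABLISHED 2 minutes ago, 100.64.230.115[100.64.230.115]...116.90.86.1[116.90.86.1]
dmvpn-BJVPN-tun1[3]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 50 minutes
dmvpn-BJVPN-tun1[3]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
dmvpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i d4e5f6a7_o
dmvpn{1}:  AES_GCM_16_256, 1204 bytes_i, 980 bytes_o, rekeying in 40 minutes
dmvpn{1}:   100.64.230.115/32[gre] === 116.90.86.1/32[gre]
"""


def parse_status(text):
    """Return a list of IKE SAs, each with its version, proposal and child SAs."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            sas.append({"name": m["name"], "id": int(m["id"]), "state": m["state"],
                        "local": m["local"], "remote": m["remote"],
                        "version": None, "proposal": None, "children": []})
            continue
        if not sas:          # skip the Connections/plugin preamble
            continue
        cur = sas[-1]        # child lines follow the IKE SA they belong to
        m = VER_RE.match(line)
        if m:
            cur["version"] = m["ver"]
            continue
        m = PROP_RE.match(line)
        if m:
            cur["proposal"] = m["prop"]
            continue
        m = CHILD_RE.match(line)
        if m:
            cur["children"].append({"name": m["name"], "id": int(m["id"]),
                                    "state": m["state"], "mode": m["mode"], "selectors": None})
            continue
        m = TS_RE.match(line)
        if m and cur["children"]:
            cur["children"][-1]["selectors"] = (m["local"], m["remote"])
    return sas


def assess(sas):
    """Return (sa_tag, code, message) findings; an empty list means nothing to report."""
    findings = []
    for sa in sas:
        tag = f"{sa['name']}[{sa['id']}]"
        installed = [c for c in sa["children"] if c["state"] == "INSTALLED"]
        if sa["state"] == "ESTABLISHED" and not installed:
            findings.append((tag, "no-child-sa",
                             "IKE_SA established but no CHILD_SA installed: phase 2 never "
                             "completed, so no ESP SA exists and no tunnel traffic can flow"))
        if sa["proposal"]:
            parts = sa["proposal"].split("/")
            if parts[-1] in WEAK_DH:
                findings.append((tag, "weak-dh", f"DH group {parts[-1]} is below 2048-bit MODP"))
            if any(p.startswith(LEGACY_INTEGRITY) for p in parts):
                findings.append((tag, "legacy-integrity", f"SHA1/MD5 integrity in {sa['proposal']}"))
        if sa["version"] == "IKEv1":
            findings.append((tag, "ikev1", "IKEv1 in use; prefer IKEv2 where both peers support it"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_STATUS), ("healthy", HEALTHY_STATUS)):
        print(f"== {label} ==")
        for tag, code, msg in assess(parse_status(text)) or [("-", "ok", "no findings")]:
            print(f"{tag}: {code}: {msg}")
```

Run it against the full `show vpn ipsec sa verbose` output (paste it into `POSTED_STATUS` or read it from stdin); the preamble lines are ignored because only `name[id]:` and `name{id}:` lines are parsed. A `no-child-sa` finding means the problem is in phase 2 (child SA / traffic selectors), not in IKE, NAT or routing, which is the first thing to establish before touching NAT rules.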