DMVPN


#1

Hi all!
I have a modification to use opennhrp from the CLI.
I wrote it following the Vyatta example documentation.
So far, the tunnel is created and the configuration for opennhrp is generated.
To work, opennhrp requires ipsec-tools (racoon) and a compiled opennhrp.
My question is about the following racoon.conf configuration. I use certificate authentication and just copy the same file.
Should it be made part of the configuration? And who will help?)
PS. Sorry for the Google Translate)
Example (working conf)
Spoke:

[code]vyos@spoke-vyos# show interfaces tunnel
 tunnel tun0 {
     address 192.168.1.2/24
     encapsulation gre-multipoint
     ip {
         ospf {
             dead-interval 40
             hello-interval 10
             network point-to-multipoint
             priority 255
             retransmit-interval 5
             transmit-delay 1
         }
     }
     mtu 1400
     multicast enable
     nhrp {
         cisco-authentication secret
         holding-time 7201
         map 10.10.11.8 {
             protocol-address 192.168.1.1/24
             register
         }
         multicast nhs
         non-caching
         redirect
         shortcut
     }
     parameters {
         ip {
             key 9182
             ttl 64
         }
     }
 }[/code]

Hub:

[code]vyos@hub-vyos# show interfaces tunnel
 tunnel tun0 {
     address 192.168.1.1/24
     encapsulation gre-multipoint
     ip {
         ospf {
             dead-interval 40
             hello-interval 10
             mtu-ignore
             network point-to-multipoint
             priority 0
             retransmit-interval 5
             transmit-delay 1
         }
     }
     mtu 1400
     multicast enable
     nhrp {
         cisco-authentication secret
         holding-time 7200
         multicast dynamic
         non-caching
         redirect
     }
     parameters {
         ip {
             key 9182
             ttl 64
         }
     }
 }[/code]
racoon.conf:

[code]# debug2 is very verbose (it dumps packets); drop to info once the tunnel works
log debug2;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

# Optional listen/padding/timer tuning, left commented out: racoon's defaults apply.
# (adminsock is only valid inside a listen {} block.)
#listen {
#	adminsock "/var/run/racoon.socked" "root" "operator" 0660;
#}
#padding {
#	maximum_length 20;
#	randomize off;
#	strict_check off;
#	exclusive_tail off;
#}
#timer {
#	natt_keepalive 10 sec;
#}

remote anonymous {
	exchange_mode main,base;
	doi ipsec_doi;
	verify_cert on;
	proposal_check obey;
	my_identifier asn1dn;
	peers_identifier asn1dn;
	verify_identifier on;
	lifetime time 24 hour;
	nat_traversal on;
	dpd_delay 10;
	# opennhrp's hook script, run by racoon when a phase 1 SA dies
	script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
	# file names are relative to 'path certificate' above
	ca_type x509 "ca.pem";
	certificate_type x509 "vyatta_sign.pem" "vyatta_priv.pem";
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 2;
	lifetime time 24 hour;
	# des and blowfish are weak; rijndael (AES) is the one to prefer
	encryption_algorithm 3des,blowfish,des,rijndael;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}[/code]
ipsec-tools.conf:

[code]#!/usr/sbin/setkey -f
#
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;

# Require ESP in transport mode for all GRE traffic in both directions;
# racoon negotiates the SAs on demand using sainfo anonymous.
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;[/code]


#2

Example in the attachment.
Racoon works with cert auth only.
All scripts require chmod +x.


#3

Thank you!!!


#4

Thanks for putting this together; I’ll give it a try.


#5

Excellent.
This is a test case; whether all the racoon settings are needed is still an open question. Certificate files must be in /config/auth.

Racoon example vyos@spoke-vyos# show vpn racoon log info remote anonymous { ca-type { x509 ca-nhrp.pem } certificate-type { x509 { cert nhrp-cert.pem privkey nhrp-key.pem } } doi { ipsec-doi } dpd-delay 10 dpd-maxfail 5 dpd-retry 5 exchange-mode main exchange-mode base lifetime 86400 my-identifier asn1dn nat-traversal on peers-identifier asn1dn proposal { authentication-method rsasig dh-group 2 encryption-algorithm 3des hash-algorithm sha1 } proposal-check obey rekey on script-phase1-dead /etc/opennhrp/racoon-ph1dead.sh verify-cert on verify-identifier on } sainfo anonymous { authentication-algorithm hmac_sha1 compression-algorithm { deflate } encryption-algorithm 3des lifetime 86400 pfs-group 2 } timer { counter 5 interval 10 natt-keepalive 20 persend 1 phase1 20 phase2 15 }


#6

How do I put current.zip onto my box?


#7

Unpack to /
Install the *.deb