How to configure NHRPVPN to use VRF

Hello,

I am trying to set up DMVPN between two routers (left and right). vyos-right has two ISP interfaces, and I am using a separate VRF for each ISP interface.

vyos-left (eth2) : vpn hub/server
vyos-right (eth2-vrf north): vpn spoke/client

The GRE tunnel is set up (only the north ISP for the moment), but the NHRP/IPsec side is not working as it should: charon sends its IKE requests from 0.0.0.0 and keeps retransmitting them:


Jul 04 15:25:02 charon[1929]: 05[NET] <dmvpn-NHRPVPN-tun100|1> sending packet: from 0.0.0.0[500] to 192.168.11.2[500] (380 bytes)
Jul 04 15:25:06 charon[1929]: 07[IKE] <dmvpn-NHRPVPN-tun100|1> retransmit 1 of request with message ID 0
Jul 04 15:25:06 charon[1929]: 07[NET] <dmvpn-NHRPVPN-tun100|1> sending packet: from 0.0.0.0[500] to 192.168.11.2[500] (380 bytes)
Jul 04 15:25:14 charon[1929]: 06[IKE] <dmvpn-NHRPVPN-tun100|1> retransmit 2 of request with message ID 0
Jul 04 15:25:14 charon[1929]: 06[NET] <dmvpn-NHRPVPN-tun100|1> sending packet: from 0.0.0.0[500] to 192.168.11.2[500] (380 bytes)
Jul 04 15:25:27 charon[1929]: 10[IKE] <dmvpn-NHRPVPN-tun100|1> retransmit 3 of request with message ID 0
Jul 04 15:25:27 charon[1929]: 10[NET] <dmvpn-NHRPVPN-tun100|1> sending packet: from 0.0.0.0[500] to 192.168.11.2[500] (380 bytes)
Jul 04 15:25:50 charon[1929]: 13[IKE] <dmvpn-NHRPVPN-tun100|1> retransmit 4 of request with message ID 0
Jul 04 15:25:50 charon[1929]: 13[NET] <dmvpn-NHRPVPN-tun100|1> sending packet: from 0.0.0.0[500] to 192.168.11.2[500] (380 bytes)

HUB config:

set interfaces ethernet eth2 address '192.168.11.2/24'
set interfaces ethernet eth2 description 'WAN'
set interfaces loopback lo
set interfaces tunnel tun100 address '192.168.0.1/30'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-interface 'eth2'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set protocols static route 192.168.2.0/24 next-hop 192.168.11.1
set system host-name 'vyos-02-left-vrf'
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth2'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

SPOKE config:

set interfaces ethernet eth2 address '192.168.2.108/24'
set interfaces ethernet eth2 description 'ISP north'
set interfaces ethernet eth2 vrf 'north'
set interfaces ethernet eth3 address '192.168.5.108/24'
set interfaces ethernet eth3 description 'ISP south'
set interfaces ethernet eth3 vrf 'south'
set interfaces loopback lo
set interfaces tunnel tun100 address '192.168.0.2/30'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-interface 'eth2'
set interfaces tunnel tun100 vrf 'north'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 map 192.168.0.1/30 nbma-address '192.168.11.2'
set protocols nhrp tunnel tun100 map 192.168.0.1/30 register
set protocols nhrp tunnel tun100 multicast 'nhs'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set system host-name 'vyos-03-right-vrf'
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth2'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
set vrf name north protocols static route 192.168.11.0/24 next-hop 192.168.2.254
set vrf name north table '2000'
set vrf name south protocols static route 192.168.11.0/24 next-hop 192.168.5.254
set vrf name south table '5000'
vyos@vyos-03-right-vrf:~$  show version

Version:          VyOS 1.4-rolling-202207051035
Release train:    sagitta

Is there a way to force NHRP (and the IPsec daemon) to use the interface in the VRF as the source instead of 0.0.0.0?

There is a similar task with a workaround:
T4031

Thank you for the link !
