NHRP #7696
Comments
NHRP is in alpha at this time and we are looking for someone to maintain it. Can't make any guarantees about it working or not. I'll leave the issue open in case someone wants it.
Did you try without nhrp authentication of cisco?
Do you know the reason why some configuration items are missing in the FRR/NHRP implementation (in comparison with opennhrp)? I am a newbie in DMVPN and I have another question regarding the meaning of NHRP flags (U, T, A) and DMVPN flags in the NHRP/DMVPN status (see below). So far I have not found any explanation of what these flags exactly mean. However, DMVPN (Cisco - FRR) works with this configuration: Cisco: FRR/NHRP.conf: Router# show ip nhrp Router# show ipv6 nhrp Router# show dmvpn
=> https://tools.ietf.org/html/rfc2332 => with opennhrp, you can use ospf, but not with frr. => I recommend you look at current issues and pull requests using the keyword nhrp, as there is some activity. For instance, I think someone is looking at how to implement multicast traffic with frr over dmvpn.
@pguibert6WIND, does opennhrp support multicast? How did they get ospf to work?
I looked into RFC for flags and I found
But flag T is not mentioned there. Yes, I noticed that FRR/NHRP does not support multicast so OSPF does not work.
Opennhrp uses a userplan patch, that is to say that they interrupt all multicast packets and do a processing per multicast packet for each nhrp peer. I think this is not very perf, and I would prefer a kernel support for that.
T stands for timeout.
Is there any plan for adding support of cisco-authentication to nhrpd?
Bump.
Bump. "Nice to have" feature.
For your information, the cisco-authentication password was added in #16172
I would like to use the NHRP / FRR implementation, but when I test the NHRP / FRR implementation, the DMVPN does not work with Cisco (the opennhrp implementation works in this configuration).
I noticed that some commands are not supported by NHRP / FRR, but they are supported by opennhrp.
i.e. cisco-authentication.
https://sourceforge.net/p/opennhrp/code/ci/613277fda0f3a54e670e3e4b521adb82a6a5ed46/tree/nhrp/opennhrp.c#l257
This may be the reason why NHRP registration fails. See log below.
Or did I miss something in the NHRP configuration?
Some packets are sent via GRE/IPsec but there is no answer from the Cisco:
gre1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.234.4 Mask:255.255.255.255
UP RUNNING MULTICAST MTU:1472 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:7360 (7.1 KB)
IPsec:
ipsec1: #32, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
installed 84s ago, rekeying in 2487s, expires in 3516s
in c8cbc95d, 0 bytes, 0 packets
out 4c892df5, 240 bytes, 2 packets, 52s ago
local 192.168.7.232/32[gre]
remote 85.xx.xx.xx/32[gre]
Cisco configuration:
interface Tunnel11
ip address 192.168.234.1 255.255.255.0
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1234
no ip nhrp record
no ip nhrp cache non-authoritative
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile ikev2
!
opennhrp configuration (works):
interface gre1
map 192.168.234.1/24 85.xx.xx.xx register
holding-time 60
cisco-authentication 1234
shortcut
redirect
non-caching
NHRP/FRR configuration:
frr version 7.5
frr defaults traditional
!
hostname Router
password test
enable password test
!
line vty
!
interface gre1
description DMVPN Tunnel Interface
ip nhrp network-id 1234
ip nhrp map 192.168.234.1/24 85.xx.xx.xx register
ip nhrp nhs dynamic nbma 85.xx.xx.xx
ip nhrp redirect
ip nhrp registration no-unique
ip nhrp shortcut
no ip nhrp record
no ip nhrp cache non-authoritative
tunnel protection vici profile ipsec1
tunnel source eth1
!
debug nhrp all
NHRP log:
2020-12-09 13:37:10 charon: 10[IKE] CHILD_SA ipsec1{28} established with SPIs c66b7ce6_i c08def2f_o and TS 192.168.7.232/32[gre] === 85.xx.xx.xx/32[gre]
2020-12-09 13:37:10 nhrpd[2683]: VICI: Message 7, 2686 bytes
2020-12-09 13:37:10 nhrpd[2683]: VICI: Event 'child-state-installed'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='14'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'version'='2'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='ESTABLISHED'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-host'='192.168.7.232'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-id'='client3@router'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-cert-data'='0‚^CČ0‚^B° ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TM0^M^F^I*†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-host'='85.xx.xx.xx'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-id'='server.cisco'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-cert-data'='0‚^CÂ0‚^BŞ ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TJ0^M^F^I*†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator-spi'='fba7706e5ada98c9'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'responder-spi'='3f09d4b20002b451'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-local'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-any'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-alg'='AES_CBC'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-keysize'='256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'integ-alg'='HMAC_SHA2_256_128'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'prf-alg'='PRF_HMAC_SHA2_256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'dh-group'='MODP_2048'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'established'='0'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reauth-time'='2706'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'tasks-active'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'CHILD_CREATE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_AUTH_LIFETIME'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_MOBIKE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'child-sas'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'name'='ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='28'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reqid'='1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='INSTALLING'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'mode'='TUNNEL'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'local-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '192.168.7.232/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'remote-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '85.xx.xx.xx/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section end
2020-12-09 13:37:10 last message repeated 2 times
2020-12-09 13:37:11 nhrpd[2683]: NHS: Flush timer for 85.xx.xx.xx
2020-12-09 13:37:11 nhrpd[2683]: NHS: Register 192.168.234.4 - 192.168.234.4 (timeout 16)
2020-12-09 13:37:11 nhrpd[2683]: Send Registration-Request(3) 192.168.234.4 - 192.168.234.4
2020-12-09 13:37:11 nhrpd[2683]: PACKET: Send 192.168.7.232 - 85.xx.xx.xx
2020-12-09 13:37:14 nhrpd[2683]: Netlink: Received msg_type 28, msg_flags 0
2020-12-09 13:37:14 zebra[1485]: netlink_parse_info: netlink-listen (NS 0) type RTM_NEWNEIGH(28), len=76, seq=0, pid=0
2020-12-09 13:37:14 zebra[1485]: ^INeighbor Entry received is not on a VLAN or a BRIDGE, ignoring
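The issue above suspects that the Cisco hub, configured with `ip nhrp authentication 1234`, ignores a Registration-Request that carries no authentication. As an added example (not code from FRR, opennhrp or anyone in this thread), the following Python walks the RFC 2332 extension list of an NHRP packet taken from a capture and reports a Registration-Request with no Authentication extension. The function names, the constructed sample packets and the payload layout of the authentication value (4-byte type 1 followed by the secret) are assumptions.

```python
import struct

EXT_END, EXT_AUTHENTICATION = 0, 7   # extension types from RFC 2332 section 5.3
REGISTRATION_REQUEST = 3             # ar$op.type, shown as "(3)" in the nhrpd log

def parse_extensions(pkt: bytes):
    """Return (op_type, [(compulsory, ext_type, value), ...]) for one NHRP packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte NHRP fixed header")
    pktsz, _cksum, extoff, _ver, op_type = struct.unpack_from("!HHHBB", pkt, 10)
    if pktsz > len(pkt) or (extoff and not 20 <= extoff <= pktsz):
        raise ValueError("ar$pktsz / ar$extoff outside the captured bytes")
    exts, off = [], extoff or pktsz          # extoff == 0 means no extensions
    while off + 4 <= pktsz:
        word, length = struct.unpack_from("!HH", pkt, off)
        off += 4
        ext_type = word & 0x3FFF             # top two bits: C (compulsory) and unused
        if ext_type == EXT_END and length == 0:
            break
        if off + length > pktsz:
            raise ValueError(f"extension {ext_type} overruns the packet")
        exts.append((bool(word & 0x8000), ext_type, pkt[off:off + length]))
        off += length
    return op_type, exts

def missing_auth(pkt: bytes) -> bool:
    """True for a Registration-Request that carries no Authentication extension."""
    op_type, exts = parse_extensions(pkt)
    return op_type == REGISTRATION_REQUEST and all(t != EXT_AUTHENTICATION for _, t, _ in exts)

def build(op_type: int, exts) -> bytes:
    """Constructed test packet: zeroed mandatory part and checksum (not validated here)."""
    mandatory = bytes(32)                    # placeholder, not a valid registration body
    tail = b"".join(struct.pack("!HH", 0x8000 | t, len(v)) + v for t, v in exts)
    tail += struct.pack("!HH", 0x8000 | EXT_END, 0)
    extoff = 20 + len(mandatory)
    hdr = struct.pack("!HH5sBHHHBBBB", 1, 0x0800, bytes(5), 16,
                      extoff + len(tail), 0, extoff, 1, op_type, 4, 0)
    return hdr + mandatory + tail

# Constructed samples. The authentication value layout (4-byte type 1, then the
# secret) is an assumption made for this example.
WITHOUT_AUTH = build(REGISTRATION_REQUEST, [])
WITH_AUTH = build(REGISTRATION_REQUEST, [(EXT_AUTHENTICATION, b"\x00\x00\x00\x01" + b"1234")])

if __name__ == "__main__":
    for name, pkt in (("without auth", WITHOUT_AUTH), ("with auth", WITH_AUTH)):
        print(name, "-> missing authentication extension:", missing_auth(pkt))
```

Feed it the NHRP payload (the bytes after the GRE header) from a capture taken on the tunnel interface, where the packet is still unencrypted.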