DMVPN Interoperability – Part 2

Well it’s been longer than I’d hoped, but it’s time for another installment of DMVPN interoperability testing between VyOS and Cisco.  Last time, my testing was focussed on getting VyOS DMVPN Spokes to utilize a Cisco DMVPN Hub.

I was browsing the VyOS forums, and I came across this post:

Looking for some help on setting up DMVPN for VyOS and Cisco Router

I thought I was going to be able to just point him to my other Interoperability post, but it turned out he was trying to do the opposite.

So this time, we’re going the other way.  I have a VyOS DMVPN environment, with a Hub and three Spokes, and I’m going to add a Cisco CSR to the mix as a fourth spoke.  The environment:

(Diagram: VyOS DMVPN Interop Environment)

I’d intended to do this test a while back, but I’ve been going a million miles per hour at work, and didn’t have the spare time.  So thank you, Internet stranger, for giving me the necessary motivation.

We’ll start with the configurations from the original all VyOS DMVPN testing.

VyOS HUB:

set system host-name 'VyOS-Hub'
set interfaces ethernet eth0 address '10.0.255.1/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces tunnel tun0 address '10.0.0.1/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.0.255.1'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols bgp 65000 neighbor 10.0.0.10 peer-group 'DMVPNPEERS'
set protocols bgp 65000 neighbor 10.0.0.11 peer-group 'DMVPNPEERS'
set protocols bgp 65000 neighbor 10.0.0.12 peer-group 'DMVPNPEERS'
set protocols bgp 65000 neighbor 10.0.0.13 peer-group 'DMVPNPEERS'
set protocols bgp 65000 parameters router-id '10.0.0.1'
set protocols bgp 65000 peer-group DMVPNPEERS 'passive'
set protocols bgp 65000 peer-group DMVPNPEERS remote-as '65000'
set protocols bgp 65000 peer-group DMVPNPEERS 'route-reflector-client'
set protocols bgp 65000 peer-group DMVPNPEERS soft-reconfiguration 'inbound'
set protocols bgp 65000 peer-group DMVPNPEERS update-source '10.0.0.1'
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 'redirect'
set vpn ipsec esp-group ESP-HUB1 compression 'disable'
set vpn ipsec esp-group ESP-HUB1 lifetime '1800'
set vpn ipsec esp-group ESP-HUB1 mode 'tunnel'
set vpn ipsec esp-group ESP-HUB1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB1 proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB1 proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB1 proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB1 lifetime '3600'
set vpn ipsec ike-group IKE-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB1 proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB1 proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SECRET'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB1'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB1'

VyOS Spoke1:

set system host-name 'VyOS-Spoke1'
set interfaces ethernet eth0 address '10.0.255.11/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth1 address '10.0.1.1/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces tunnel tun0 address '10.0.0.11/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.0.255.11'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols bgp 65000 neighbor 10.0.0.1 remote-as '65000'
set protocols bgp 65000 neighbor 10.0.0.1 update-source '10.0.0.11'
set protocols bgp 65000 network '10.0.1.0/24'
set protocols bgp 65000 parameters router-id '10.0.0.11'
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address '10.0.255.1'
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'
set vpn ipsec esp-group ESP-SPOKE1 compression 'disable'
set vpn ipsec esp-group ESP-SPOKE1 lifetime '1800'
set vpn ipsec esp-group ESP-SPOKE1 mode 'tunnel'
set vpn ipsec esp-group ESP-SPOKE1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-SPOKE1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-SPOKE1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-SPOKE1 lifetime '3600'
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SECRET'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-SPOKE1'
set vpn ipsec profile NHRPVPN ike-group 'IKE-SPOKE1'

Spokes 2 & 3 use an identical configuration to Spoke 1.

Cisco Spoke:

crypto keyring DMVPN 
 pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 60
crypto isakmp profile DMVPN
 keyring DMVPN
 match identity address 0.0.0.0 
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256
!
interface Loopback10
 ip address 10.0.10.1 255.255.255.0
! 
interface Tunnel0
 ip address 10.0.0.10 255.255.255.0
 no ip redirects
 ip nhrp authentication SECRET
 ip nhrp map 10.0.0.1 10.0.255.1
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp registration timeout 75
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet1
 ip address 10.0.255.10 255.255.255.0
 negotiation auto
!
router bgp 65000
 bgp router-id 10.0.255.10
 bgp log-neighbor-changes
 network 10.0.10.0 mask 255.255.255.0
 neighbor DMVPN peer-group
 neighbor DMVPN remote-as 65000
 neighbor DMVPN timers 5 15
 neighbor 10.0.0.1 peer-group DMVPN

When I first got it all configured, it didn’t work.  On the VyOS side, I got error messages like this (cat /var/log/messages):

Mar 11 21:58:44 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [RFC 3947]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: responding to Main Mode from unknown peer 10.0.255.10
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: received Vendor ID payload [Dead Peer Detection]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: ignoring Vendor ID payload [c209efb2067a97043814ed207b9c40d7]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: received Vendor ID payload [XAUTH]
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: Peer ID is ID_IPV4_ADDR: '10.0.255.10'
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: sent MR3, ISAKMP SA established
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #92: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #92: sending encrypted notification NO_PROPOSAL_CHOSEN to 10.0.255.10:500
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: received Delete SA payload: deleting ISAKMP State #91
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10: deleting connection "vpnprof-tunnel-tun0" instance with peer 10.0.255.10 {isakmp=#0/ipsec=#0}

Ok, so the VyOS hub was expecting some Perfect Forward Secrecy, and the Cisco wasn’t providing it.  So I added the following to the existing crypto profile on the Cisco side:

crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256 
 set pfs group1

Now I was seeing this in the VyOS logs:

Mar 11 22:00:12 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [RFC 3947]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: packet from 10.0.255.10:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: responding to Main Mode from unknown peer 10.0.100.10
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: received Vendor ID payload [Dead Peer Detection]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: ignoring Vendor ID payload [c209efb289e996c8e928925fd1b06248]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: received Vendor ID payload [XAUTH]
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: Peer ID is ID_IPV4_ADDR: '10.0.255.10'
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: sent MR3, ISAKMP SA established
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #96: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #96: sending encrypted notification BAD_PROPOSAL_SYNTAX to 10.0.255.10:500
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: received Delete SA payload: deleting ISAKMP State #95
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10: deleting connection "vpnprof-tunnel-tun0" instance with peer 10.0.255.10 {isakmp=#0/ipsec=#0}
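Reading two of these log bursts by hand is fine; on a hub with a dozen spokes it is easier to let a script pull out the Phase 2 failures. The following is an added example of mine, not code from the post or from the VyOS project: it parses pluto lines in the format shown above, pairs each "sending encrypted notification" with the reason pluto logged for the same state number, and also reports which peers got as far as "ISAKMP SA established" (so you can tell a Phase 1 problem from a Phase 2 one). The reason table only covers the two messages seen in this post, and the sample log is constructed from those lines.

```python
import re

# Constructed sample: a subset of the pluto lines from the post, both attempts.
SAMPLE_LOG = """\
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: Peer ID is ID_IPV4_ADDR: '10.0.255.10'
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #91: sent MR3, ISAKMP SA established
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #92: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Mar 11 21:58:44 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[45] 10.0.255.10 #92: sending encrypted notification NO_PROPOSAL_CHOSEN to 10.0.255.10:500
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #95: sent MR3, ISAKMP SA established
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #96: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS
Mar 11 22:00:12 VyOS-Hub pluto[3024]: "vpnprof-tunnel-tun0"[47] 10.0.255.10 #96: sending encrypted notification BAD_PROPOSAL_SYNTAX to 10.0.255.10:500
"""

# Matches the per-state lines: "<conn>"[N] <peer> #<state>: <message>
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+) #(?P<state>\d+): (?P<msg>.*)$'
)
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to ")

# Reason text pluto logs just before the notification, mapped to a plain diagnosis.
# Only the two cases from this post are covered.
REASONS = {
    "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION":
        "responder requires PFS, initiator sent no DH group in Quick Mode",
    "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS":
        "initiator offered a PFS group the responder does not accept",
}


def phase1_peers(log_text):
    """Peers for which pluto logged a completed ISAKMP (Phase 1) SA."""
    peers = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["msg"].endswith("ISAKMP SA established"):
            peers.add(m["peer"])
    return peers


def triage(log_text):
    """Return (peer, state, notification, diagnosis) for each Phase 2 failure."""
    pending = {}   # (peer, state) -> diagnosis from the reason line for that state
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["peer"], m["state"])
        msg = m["msg"]
        if msg in REASONS:
            pending[key] = REASONS[msg]
            continue
        n = NOTIFY_RE.match(msg)
        if n:
            failures.append((m["peer"], int(m["state"]), n["notify"],
                             pending.pop(key, "unknown reason")))
    return failures


if __name__ == "__main__":
    print("Phase 1 completed with:", sorted(phase1_peers(SAMPLE_LOG)))
    for peer, state, notify, why in triage(SAMPLE_LOG):
        print("%s state #%d: %s (%s)" % (peer, state, notify, why))
```

Run it against a copy of /var/log/messages instead of SAMPLE_LOG and every NO_PROPOSAL_CHOSEN or BAD_PROPOSAL_SYNTAX is listed with the pluto reason next to it, which is the line you actually need when the proposals on the two boxes don't line up.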

Ok, PFS group 1 is not good enough: per the log, pluto only accepts MODP1024 and MODP1536 for PFS, which are DH groups 2 and 5.  So what choices are available on the Cisco side:

csr1000v(config)#crypto ipsec profile DMVPN
csr1000v(ipsec-profile)#set pfs ?
  group1   D-H Group1 (768-bit modp)
  group14  D-H Group14 (2048-bit modp)
  group15  D-H Group15 (3072-bit modp)
  group16  D-H Group16 (4096-bit modp)
  group19  D-H Group19 (256-bit ecp)
  group2   D-H Group2 (1024-bit modp)
  group20  D-H Group20 (384-bit ecp)
  group21  D-H Group21 (521-bit ecp)
  group24  D-H Group24 (2048-bit modp, 256 bit subgroup)
  group5   D-H Group5 (1536-bit modp)
  <cr>

So I switched to PFS Group 5:

crypto ipsec profile DMVPN
 set security-association idle-time 720
 set transform-set DMVPN-AES256 
 set pfs group5
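Since the whole problem came down to one line in the Cisco profile, here is an added example of mine (not from the post, VyOS or Cisco) that checks a VyOS esp-group against a Cisco ipsec profile before you commit either one. It reads the `pfs 'dh-groupN'` value from the VyOS config and the `set pfs groupN` line from the Cisco profile, and predicts which of the two pluto notifications seen above you would get. The accepted set {MODP1024, MODP1536} is taken from the log line in this post, and the three Cisco profile variants are the ones shown above; the VyOS `pfs 'enable'` value is deliberately not handled.

```python
import re

# Pluto's accepted PFS groups, taken from the VyOS log line in this post
# ("only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS").
# MODP1024 is DH group 2 and MODP1536 is DH group 5.
PLUTO_PFS_GROUPS = {2: "MODP1024", 5: "MODP1536"}


def vyos_pfs_group(config_lines, esp_group):
    """DH group VyOS requires for PFS on esp_group: 0 = PFS disabled, None = not set."""
    pat = re.compile(r"^set vpn ipsec esp-group %s pfs '(?P<val>[^']+)'$" % re.escape(esp_group))
    for line in config_lines:
        m = pat.match(line.strip())
        if not m:
            continue
        if m["val"] == "disable":
            return 0
        g = re.fullmatch(r"dh-group(\d+)", m["val"])
        if g:
            return int(g.group(1))
        raise ValueError("unhandled pfs value: %s" % m["val"])   # e.g. 'enable', not covered here
    return None


def cisco_pfs_group(profile_lines):
    """DH group from 'set pfs groupN' in a Cisco ipsec profile, or None if absent."""
    for line in profile_lines:
        m = re.match(r"set pfs group(\d+)$", line.strip())
        if m:
            return int(m.group(1))
    return None


def check_pfs(vyos_config, esp_group, cisco_profile):
    """Predict the pluto notification (or 'ok') for this VyOS/Cisco PFS pairing."""
    required = vyos_pfs_group(vyos_config, esp_group)
    offered = cisco_pfs_group(cisco_profile)
    if not required:
        return ("ok", "VyOS does not require PFS")
    if offered is None:
        return ("NO_PROPOSAL_CHOSEN",
                "VyOS requires PFS but the Cisco profile has no 'set pfs', so Quick Mode carries no DH group")
    if offered not in PLUTO_PFS_GROUPS:
        return ("BAD_PROPOSAL_SYNTAX",
                "group%d is not MODP1024/MODP1536; use 'set pfs group2' or 'set pfs group5'" % offered)
    msg = "PFS group%d (%s) accepted" % (offered, PLUTO_PFS_GROUPS[offered])
    if offered != required:
        # The post's working combination is exactly this: VyOS dh-group2, Cisco group5.
        msg += "; note Cisco group%d differs from VyOS dh-group%d" % (offered, required)
    return ("ok", msg)


# Constructed inputs: the relevant VyOS hub line and the three Cisco profile
# variants from the post (no pfs, group1, group5).
VYOS_HUB = ["set vpn ipsec esp-group ESP-HUB1 pfs 'dh-group2'"]
CISCO_NO_PFS = ["crypto ipsec profile DMVPN",
                " set security-association idle-time 720",
                " set transform-set DMVPN-AES256"]
CISCO_GROUP1 = CISCO_NO_PFS + [" set pfs group1"]
CISCO_GROUP5 = CISCO_NO_PFS + [" set pfs group5"]

if __name__ == "__main__":
    for name, prof in (("no pfs", CISCO_NO_PFS), ("group1", CISCO_GROUP1), ("group5", CISCO_GROUP5)):
        print("%-7s -> %s: %s" % (name, *check_pfs(VYOS_HUB, "ESP-HUB1", prof)))
```

The three rows it prints match the three attempts in this post: no `set pfs` gives NO_PROPOSAL_CHOSEN, group1 gives BAD_PROPOSAL_SYNTAX, group5 is accepted. The mismatch note on the last row is just that, a note; the hub accepted group5 against its own dh-group2 setting in this test.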

Huzzah!

csr1000v#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
 Tunnel0 created 01:06:42, never expire 
 Type: static, Flags: used 
 NBMA address: 10.0.100.140 

csr1000v#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.255.1 10.0.255.10 QM_IDLE 1051 ACTIVE

csr1000v#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/9/23 ms

csr1000v#sh ip bgp sum
BGP router identifier 10.0.255.10, local AS number 65000
BGP table version is 5, main routing table version 5
4 network entries using 992 bytes of memory
4 path entries using 480 bytes of memory
2/2 BGP path/bestpath attribute entries using 496 bytes of memory
3 BGP rrinfo entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2088 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor   V   AS      MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.0.0.1   4   65000   804     784     5      0   0    01:06:30 3

csr1000v#sh ip bgp
BGP table version is 5, local router ID is 10.0.100.147
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
 r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
 x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
 *>i 10.0.1.0/24 10.0.0.11 1 100 0 i
 *>i 10.0.2.0/24 10.0.0.12 1 100 0 i
 *>i 10.0.3.0/24 10.0.0.13 1 100 0 i
 *> 10.0.10.0/24 0.0.0.0 0 32768 i

csr1000v#ping 10.0.1.1 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/16/31 ms

csr1000v#ping 10.0.2.1 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/14/33 ms

csr1000v#ping 10.0.3.1 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/20/34 ms

csr1000v#sh ip nhrp 
10.0.0.1/32 via 10.0.0.1
 Tunnel0 created 01:11:04, never expire 
 Type: static, Flags: used 
 NBMA address: 10.0.255.11 
10.0.0.10/32 via 10.0.0.10
 Tunnel0 created 00:00:12, expire 00:09:55
 Type: dynamic, Flags: router unique local 
 NBMA address: 10.0.255.10 
 (no-socket) 
10.0.0.11/32 via 10.0.0.11
 Tunnel0 created 00:16:58, expire 01:43:06
 Type: dynamic, Flags: router used nhop 
 NBMA address: 10.0.255.11 
10.0.0.12/32 via 10.0.0.12
 Tunnel0 created 00:16:51, expire 01:43:16
 Type: dynamic, Flags: router used nhop 
 NBMA address: 10.0.255.12 
10.0.0.13/32 via 10.0.0.13
 Tunnel0 created 00:16:44, expire 01:43:25
 Type: dynamic, Flags: router used nhop 
 NBMA address: 10.0.255.13 
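The last table is the proof that the spoke-to-spoke shortcuts work: the entries for 10.0.0.11 through 10.0.0.13 are dynamic, carry the other spokes' NBMA addresses, and were created after the pings. As an added example (mine, not from the post or from Cisco), here is a parser for that `show ip nhrp` format that splits the table into the static NHS mapping, the router's own entry and the dynamically learned spoke next-hops, so you can confirm shortcut state without reading the table by eye. The sample output is constructed in the same layout as above, with the hub's NBMA address set to 10.0.255.1 to match the configs.

```python
import re

# Constructed sample in the layout of "show ip nhrp" on the CSR: hub entry,
# the CSR's own entry, and two VyOS spokes learned via NHRP resolution.
SAMPLE_NHRP = """\
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:11:04, never expire
   Type: static, Flags: used
   NBMA address: 10.0.255.1
10.0.0.10/32 via 10.0.0.10
   Tunnel0 created 00:00:12, expire 00:09:55
   Type: dynamic, Flags: router unique local
   NBMA address: 10.0.255.10
    (no-socket)
10.0.0.11/32 via 10.0.0.11
   Tunnel0 created 00:16:58, expire 01:43:06
   Type: dynamic, Flags: router used nhop
   NBMA address: 10.0.255.11
10.0.0.12/32 via 10.0.0.12
   Tunnel0 created 00:16:51, expire 01:43:16
   Type: dynamic, Flags: router used nhop
   NBMA address: 10.0.255.12
"""

HEAD_RE = re.compile(r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) via (?P<nexthop>\S+)$")
LIFE_RE = re.compile(r"^(?P<intf>\S+) created (?P<created>\S+), (?:never expire|expire (?P<expire>\S+))$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\S+)$")


def parse_nhrp(text):
    """Parse 'show ip nhrp' output into a list of entry dicts."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if m:
            cur = {"prefix": m["prefix"], "nexthop": m["nexthop"], "flags": set(), "expire": None}
            entries.append(cur)
            continue
        if cur is None:
            continue            # text before the first entry
        m = LIFE_RE.match(line)
        if m:
            cur["interface"] = m["intf"]
            cur["expire"] = m["expire"]     # None means "never expire" (static mapping)
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"] = m["type"]
            cur["flags"] = set(m["flags"].split())
            continue
        m = NBMA_RE.match(line)
        if m:
            cur["nbma"] = m["nbma"]
        # lines such as "(no-socket)" are ignored
    return entries


def classify(entries):
    """Split entries into static NHS mappings, this router's own entry, and direct spoke next-hops."""
    hubs, local, shortcuts = [], [], []
    for e in entries:
        if e.get("type") == "static":
            hubs.append(e["nexthop"])
        elif "local" in e["flags"]:
            local.append(e["nexthop"])
        elif e.get("type") == "dynamic" and "nhop" in e["flags"]:
            # Dynamic entry with a learned NBMA address: traffic to this spoke
            # now goes direct rather than through the hub.
            shortcuts.append((e["nexthop"], e["nbma"]))
    return {"hubs": hubs, "local": local, "shortcuts": shortcuts}


if __name__ == "__main__":
    result = classify(parse_nhrp(SAMPLE_NHRP))
    print("NHS (static):", result["hubs"])
    print("Own entry:", result["local"])
    print("Direct spoke next-hops (tunnel IP, NBMA):", result["shortcuts"])
```

Paste real `show ip nhrp` output in place of SAMPLE_NHRP; if a spoke you just pinged is missing from the shortcuts list, the resolution never completed and traffic is still hairpinning through the hub.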
