I have known since I discovered DMVPN in 2004/5 that it is a very intelligent combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.
This week I discovered “opennhrp” on SourceForge.
It took me a minute or two to have a VM with Debian up and the needed tools installed.
I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid/testing, so I got kernel version 2.6.26-1-686.
Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like kernel headers and so on :-) and do the usual configure and make steps.
Then I built opennhrp; everything went through without a problem up to here.
Next I configured racoon, ipsec-tools and opennhrp like this:
/etc/ipsec-tools.conf

    #!/usr/sbin/setkey -f
    spdflush;
    # protect only GRE (protocol 47) in both directions, ESP transport mode, no exceptions
    spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
    spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
/etc/racoon/racoon.conf

    path pre_shared_key "/etc/racoon/psk.txt";

    remote anonymous {
        # main is used when we initiate; both modes are accepted as responder
        exchange_mode main,aggressive;
        lifetime time 24 hour;
        # nat_traversal on;
        # opennhrp ships this script; it drops the NHRP peer when phase 1 goes away
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 5;
        }
    }

    sainfo anonymous {
        lifetime time 12 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
/etc/racoon/psk.txt

    10.2.0.90 1234
/etc/opennhrp/opennhrp.conf

    interface gre1
        # hub tunnel address / NBMA address; register with it, peer is a Cisco router
        map 172.255.255.1/24 10.2.0.90 register cisco
        # must match "ip nhrp authentication" on the Cisco side
        cisco-authentication 1234
        shortcut
Now get the tunnel up:

    # multipoint GRE: no "remote", the peer NBMA addresses come from NHRP;
    # the GRE key must match "tunnel key" on the Cisco side
    ip tunnel add gre1 mode gre key 1234 ttl 64
    ip addr add 172.255.255.2/24 dev gre1
    ip tunnel change gre1 local 10.0.81.115
    ip link set gre1 up
Now it's time to get to the other side.
We are using a Cisco 1812 running c181x-advsecurityk9-mz.124-15.T7.bin.

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 5
    !
    ! lab only: wildcard peer, any address that knows the key may negotiate
    crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile Profile3
     set transform-set TRANSFORMSET_3
    !
    interface Tunnel888
     ip address 172.255.255.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1400
     ip flow ingress
     ip nhrp authentication 1234
     ip nhrp map multicast dynamic
     ip nhrp network-id 10064
     ip nhrp holdtime 360
     ip nhrp max-send 200 every 10
     ip route-cache same-interface
     ip tcp adjust-mss 1350
     load-interval 30
     tunnel source 10.2.0.90
     tunnel mode gre multipoint
     tunnel key 1234
     tunnel protection ipsec profile Profile3
and voilà

    Router# sh dmvpn interface tunnel 888
    Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
    Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009

    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel888, Type:Hub, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 10.0.81.115     172.255.255.2    UP     never D

    Router# ping 172.255.255.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
This looks great :-)
Many thanks to Timo for doing such impressive work. I like Cisco for their impressive boxes and I also like open source software.
— edit February 15, 2009 at 12:09 am —
After a while I found no packets traveling; the NHRP registration had gone on the Cisco side. Maybe the hold timers differ, so I added “holding-time 360” to opennhrp.conf, and an opennhrpctl purge fixed the problem.
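The parameters that have to agree between the opennhrp spoke and the Cisco hub are spread over four files above (GRE key, NHRP authentication string, pre-shared key, hub addresses, and the NHRP hold time from the edit). The following is an added example, written for this page and not code from opennhrp or Cisco: a small Python lint that pulls those fields out of the two sides and reports mismatches, plus the two lab-only weaknesses in the configs (wildcard peer and a four-digit PSK). The config texts are constructed from the post's own values; the regular expressions are deliberately simple and assume the single-interface layout shown in the post, not the full IOS or opennhrp grammar.

```python
"""Lint a Linux/opennhrp DMVPN spoke against a Cisco mGRE hub for the fields that must agree.

Added example for this post, not code from opennhrp or Cisco IOS. The config texts are
constructed from the post's lab values; the regexes assume the single-interface layout
shown there and are not a full parser for either configuration language.
"""
import re
from collections import namedtuple

# Constructed inputs (values copied from the post's snippets).
LINUX_TUNNEL_CMDS = """\
ip tunnel add gre1 mode gre key 1234 ttl 64
ip addr add 172.255.255.2/24 dev gre1
ip tunnel change gre1 local 10.0.81.115
ip link set gre1 up
"""
OPENNHRP_CONF = """\
interface gre1
    map 172.255.255.1/24 10.2.0.90 register cisco
    cisco-authentication 1234
    shortcut
"""
RACOON_PSK = "10.2.0.90 1234\n"
CISCO_CONF = """\
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
!
interface Tunnel888
 ip address 172.255.255.1 255.255.255.0
 ip nhrp authentication 1234
 ip nhrp network-id 10064
 ip nhrp holdtime 360
 tunnel source 10.2.0.90
 tunnel mode gre multipoint
 tunnel key 1234
"""

Spoke = namedtuple("Spoke", "gre_key nhrp_auth holding_time hub_tunnel_ip hub_nbma psk_peer psk")
Hub = namedtuple("Hub", "gre_key nhrp_auth holdtime tunnel_ip nbma psk_peer psk")


def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_spoke(tunnel_cmds, opennhrp_conf, psk_txt):
    hub = re.search(r"^\s*map (\S+)/\d+ (\S+) .*\bregister\b", opennhrp_conf, re.M)
    psk = psk_txt.split()  # racoon psk.txt line: "<peer address> <secret>"
    return Spoke(
        gre_key=_first(r"^ip tunnel add \S+ mode gre .*?\bkey (\S+)", tunnel_cmds),
        nhrp_auth=_first(r"^\s*cisco-authentication (\S+)", opennhrp_conf),
        holding_time=_first(r"^\s*holding-time (\d+)", opennhrp_conf),
        hub_tunnel_ip=hub.group(1) if hub else None,
        hub_nbma=hub.group(2) if hub else None,
        psk_peer=psk[0] if len(psk) == 2 else None,
        psk=psk[1] if len(psk) == 2 else None,
    )


def parse_hub(cisco_conf):
    key = re.search(r"^crypto isakmp key (\S+) address (\S+) (\S+)", cisco_conf, re.M)
    return Hub(
        gre_key=_first(r"^\s*tunnel key (\S+)", cisco_conf),
        nhrp_auth=_first(r"^\s*ip nhrp authentication (\S+)", cisco_conf),
        holdtime=_first(r"^\s*ip nhrp holdtime (\d+)", cisco_conf),
        tunnel_ip=_first(r"^\s*ip address (\S+) \S+", cisco_conf),
        nbma=_first(r"^\s*tunnel source (\S+)", cisco_conf),
        psk_peer=(key.group(2), key.group(3)) if key else None,
        psk=key.group(1) if key else None,
    )


def check(spoke, hub):
    """Return a list of (code, message); an empty list means both sides agree."""
    findings = []
    must_match = [
        ("GRE_KEY", spoke.gre_key, hub.gre_key, "GRE key (ip tunnel ... key vs tunnel key)"),
        ("NHRP_AUTH", spoke.nhrp_auth, hub.nhrp_auth, "NHRP authentication string"),
        ("PSK", spoke.psk, hub.psk, "ISAKMP pre-shared key"),
        ("HUB_NBMA", spoke.hub_nbma, hub.nbma, "hub NBMA address (map vs tunnel source)"),
        ("HUB_TUNNEL_IP", spoke.hub_tunnel_ip, hub.tunnel_ip, "hub tunnel address"),
        ("PSK_PEER", spoke.psk_peer, hub.nbma, "psk.txt peer address vs hub tunnel source"),
    ]
    for code, ours, theirs, what in must_match:
        if ours is None or ours != theirs:
            findings.append((code, f"{what}: spoke={ours!r} hub={theirs!r}"))
    # The post's February 15 edit: registrations vanished until the spoke's
    # "holding-time" matched the hub's "ip nhrp holdtime 360".
    if spoke.holding_time != hub.holdtime:
        findings.append(("HOLDTIME", f"NHRP hold time: spoke={spoke.holding_time!r} hub={hub.holdtime!r}"))
    # Lab-only weaknesses: acceptable on a bench, not on a real hub.
    if hub.psk_peer == ("0.0.0.0", "0.0.0.0"):
        findings.append(("WILDCARD_PSK", "crypto isakmp key ... address 0.0.0.0 0.0.0.0 accepts any peer"))
    if hub.psk is not None and (len(hub.psk) < 16 or hub.psk.isdigit()):
        findings.append(("WEAK_PSK", "short or numeric PSK is brute-forceable, worse if aggressive mode is accepted"))
    return findings


if __name__ == "__main__":
    spoke = parse_spoke(LINUX_TUNNEL_CMDS, OPENNHRP_CONF, RACOON_PSK)
    for code, msg in check(spoke, parse_hub(CISCO_CONF)):
        print(f"{code:14} {msg}")
```

Run against the post's configs as written, it reports the missing spoke hold time (the problem the edit fixed) plus the wildcard peer and the weak key; append `holding-time 360` to the opennhrp interface block and only the two lab-only warnings remain.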