Greetings,

I am trying to set up a seemingly simple (unencrypted) tunnel between a
Cisco router with a dynamic IP address and a Linux/OpenNHRP machine with a
static IP address. So far, I have not been able to bring the tunnel or NHS
session up. It seems like I am probably making some simple mistake, but I
have not been able to determine what it is.

My setup:

Cisco router:
    ios c3725-adventerprisek9-m 12.4(15)T14
    public (dynamic) ip address: 24.247.x.x
    public ip device: fastethernet0/0
    private (gre) ip address: 10.1.1.10/30
    private (gre) device: tunnel0

Tunnel0 interface configuration:
    ip address 10.1.1.10 255.255.255.252
    no ip redirects
    ip mtu 1472
    ip nhrp authentication test
    ip nhrp map multicast 75.144.x.x
    ip nhrp map 10.1.1.9 75.144.x.x
    ip nhrp network-id 123456
    ip nhrp holdtime 360
    ip nhrp nhs 75.144.x.x
    ip nhrp registration no-unique
    cdp enable
    tunnel source FastEthernet0/0
    tunnel destination 75.144.x.x
    tunnel key 123456


Linux machine:
    kernel 3.13.0-24 from ubuntu 14.04
    opennhrp-0.14.1 from source
    public ip address: 75.144.x.x
    public ip device: eth0.4
    private (gre) ip address: 10.1.1.9/30
    private (gre) device: gre1

opennhrp.conf:
interface gre1
    cisco-authentication test
    multicast dynamic
    holding-time 360

Steps to set up interface gre1:

ip tunnel add gre1 mode gre key 123456 ttl 64 local 75.144.x.x
ip addr add 10.1.1.9/30 dev gre1
ip link set gre1 up

---

With the Cisco tunnel interface in 'shutdown' state, I run opennhrp -v on
the Linux machine and get the following output:

opennhrp[4121]: OpenNHRP 0.14.1 starting
opennhrp[4121]: Interface lo: configured UP, mtu=0
opennhrp[4121]: Interface eth0: configured UP, mtu=1500
opennhrp[4121]: Interface tun0: configured UP, mtu=1500
opennhrp[4121]: Interface eth0.2: configured UP, mtu=1500
opennhrp[4121]: Interface eth0.4: configured UP, mtu=1500
opennhrp[4121]: Interface gre0: config change, mtu=1476
opennhrp[4121]: Interface gretap0: config change, mtu=1476
opennhrp[4121]: Interface kew-c2500-1: configured UP, mtu=1476
opennhrp[4121]: Interface sit0: config change, mtu=1480
opennhrp[4121]: Interface he-ipv6: configured UP, mtu=1480
opennhrp[4121]: Interface hc1-ipv6: configured UP, mtu=1480
opennhrp[4121]: Interface gre1: configured UP, mtu=1472
opennhrp[4121]: Interface gre1: GRE configuration changed. Purged 0 peers.
opennhrp[4121]: Adding local 10.1.1.9/32 dev gre1
opennhrp[4121]: Adding local 10.1.1.11/32 alias 10.1.1.9 dev gre1
opennhrp[4121]: Filter code installed (20 opcodes)


I then type 'no shutdown' on the Cisco tunnel interface and receive the
following output on the opennhrp console:

opennhrp[3866]: Forwarding packet from nbma src 24.247.x.x, proto src 10.1.1.10 to proto dst 75.144.x.x, hop count 255
opennhrp[3866]: No peer entry for protocol address 75.144.x.x
opennhrp[3866]: No peer entry for protocol address 10.1.1.10
opennhrp[3866]: Multicast from 10.1.1.9 to 224.0.0.5

At this point, if I try to ping the Cisco end of the tunnel (10.1.1.10)
from the Linux machine, I see the following message on the opennhrp console
for each icmp packet sent: "opennhrp[4393]: NL-ARP(gre1) who-has
10.1.1.10". If I use tcpdump to monitor the 75.144.x.x interface during
this time, I see no traffic being sent to the Cisco's 24.247.x.x interface.

If I try to ping the Linux end of the tunnel (10.1.1.9) from the Cisco
router, I still get an "opennhrp[4393]: NL-ARP(gre1) who-has 10.1.1.10" on
the opennhrp console for each icmp packet sent. Using tcpdump on the Linux
machine to monitor its 75.144.x.x interface reveals GRE-encapsulated ICMP
packets coming from the Cisco router as follows:

15:45:42.719449 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 0, length 80

15:45:44.713027 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 1, length 80

15:45:46.713106 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 2, length 80

---

I thought that between the matching GRE key, the matching
cisco-authentication strings, and the 'multicast dynamic' line under
interface gre1 in opennhrp.conf, OpenNHRP would recognize GRE packets
coming from the Cisco router as coming from an acceptable peer, but it
seems that perhaps this is not happening?

I realize that to actually have the unencrypted link work, I would need to
remove the racoonctl lines from opennhrp-script, but it appears that the
peer-up section of that script is not even being called (judging from the
lack of error messages, and the fact that when I ran opennhrp under strace
in an attempt to troubleshoot, I didn't see it open the opennhrp-script
file).

It occurred to me that there was no matching line in the OpenNHRP config to
the "ip nhrp network-id 123456" line on the Cisco side, so I tried removing
that line from the Cisco config. This gives the same result, except that I
no longer see the:

"opennhrp[3866]: Forwarding packet from nbma src 24.247.x.x, proto src 10.1.1.10 to proto dst 75.144.x.x, hop count 255
opennhrp[3866]: No peer entry for protocol address 75.144.x.x
opennhrp[3866]: No peer entry for protocol address 10.1.1.10"

lines on the OpenNHRP console. I looked at the opennhrp.conf manual page
and some of the source code but did not find anywhere to configure a
network ID. Could I be missing something here which might be part of the
problem?

If anyone can point me in the right direction or suggest something for me
to try, I would certainly appreciate it.

Thanks,
Rusty Dekema
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
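
Added example, not part of the original post: a check of the three tcpdump lines quoted above against the posted configuration. It shows that tcpdump's key=0x1e240 is the configured tunnel key 123456 printed in hex, that the inner addresses fall in the 10.1.1.8/30 tunnel subnet, and that every captured packet is inbound to the Linux side. The function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Values taken from the post: "tunnel key 123456" and the 10.1.1.9/30 tunnel address.
CONFIGURED_KEY = 123456
TUNNEL_NET = ipaddress.ip_network("10.1.1.8/30")
LOCAL_NBMA = "75.144.x.x"  # redacted in the post, so it is compared as a plain string

# tcpdump lines from the post, with the mail client's line wrap undone.
CAPTURE = """\
15:45:42.719449 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 0, length 80
15:45:44.713027 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 1, length 80
15:45:46.713106 IP 24.247.x.x > 75.144.x.x: GREv0, key=0x1e240, length 108: IP 10.1.1.10 > 10.1.1.9: ICMP echo request, id 47, seq 2, length 80
"""

GRE_LINE = re.compile(
    r"IP (?P<osrc>\S+) > (?P<odst>\S+): GREv0, key=(?P<key>0x[0-9a-f]+), "
    r"length \d+: IP (?P<isrc>\S+) > (?P<idst>[^:\s]+):"
)


def parse_gre(line):
    """Return outer/inner endpoints and the GRE key (as int), or None if not a keyed GRE line."""
    m = GRE_LINE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["key"] = int(pkt["key"], 16)  # tcpdump prints the key in hex
    return pkt


def inner_in_net(pkt, net):
    """True when both inner (tunnel) addresses belong to the tunnel subnet."""
    return all(ipaddress.ip_address(pkt[f]) in net for f in ("isrc", "idst"))


def check_capture(text, key=CONFIGURED_KEY, net=TUNNEL_NET, local=LOCAL_NBMA):
    """Summarise a capture: key mismatches, stray inner addresses, packet direction."""
    pkts = [p for p in map(parse_gre, text.splitlines()) if p]
    return {
        "packets": len(pkts),
        "key_mismatch": [p for p in pkts if p["key"] != key],
        "outside_tunnel_net": [p for p in pkts if not inner_in_net(p, net)],
        "inbound": sum(p["odst"] == local for p in pkts),
        "outbound": sum(p["osrc"] == local for p in pkts),
    }


if __name__ == "__main__":
    for name, value in check_capture(CAPTURE).items():
        print(f"{name}: {value}")
```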
