Hi,

On Tue, 24 Jun 2014 08:41:36 +0500 masoom alam <masoom.a...@gmail.com> wrote:
> Most of the Howtos on DMVPN configuration through OpenNHRP configure
> the ipsec.conf as follows:
>
> spdflush;
> spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
> spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

Yes, these are match-all policies that trigger creation of point-to-point
transport mode SAs for each connection.

> My question is that if we are not specifying any specific ip address
> here for HUB <--> Spoke1 and similarly HUB <----> Spoke2, what about
> the dynamic ipsec tunnel that will be made between Spoke1 <--->
> Spoke2 on demand. I am using preshared secrets for tunnel formation.
> If Spoke1 is sharing the same secret with HUB, and similarly Spoke2
> is also sharing the same secret, Spoke1 and Spoke2 can also form the
> tunnel without OpenNHRP or? I am not understanding how phase 2 or 3
> of the DMVPN is achieved with preshared secrets....

You would need to patch ipsec-tools to support "*" wildcard shared
secrets. Though, this is highly deprecated by IPsec folks since it allows
anyone knowing the preshared secret to fake a hub. If you control all
nodes, then the major drawback is that you should redo everything in case
a participating router gets compromised. That's why cert based
authentication is highly recommendable.

One thread about the wildcard preshared key patch is at:
http://marc.info/?t=128146457300004&r=1&w=2

But I believe it has been discussed multiple times.

> A spoke will specify the following configuration in its opennhrp.conf:
>
> interface gre1 dynamic-map 172.16.0.0/16 hub.example.com shortcut
> redirect non-caching
>
> where hub.example.com will resolve to ip address of the hub.
>
> What about the HUB opennhrp.conf? If no other HUB exist in the
> topology, whether the following file is ok?
>
> interface gre1 shortcut redirect non-caching

Yes, that should be sufficient. No extra directives needed for hub.
> Finally, the scripts given on the Alpine Linux web site for OpenNHRP
> are only for Alpine Linux? For example if we are testing in a lab
> environment with three Ubuntu VMs, do we need to run those scripts?
> because they also involve checking zebra running....

They are mostly ok. But as observed, you need to tune them to suit your
specific setup - e.g. remove the BGP integration part.

/Timo
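An added example, not part of this thread or of OpenNHRP or ipsec-tools: two POSIX shell sanity checks for a node configured as discussed above. The first confirms that both match-all GRE transport-mode policies actually landed in the kernel SPD by parsing `setkey -DP` output; the second flags a `*` wildcard identifier in racoon's psk.txt, the patched feature Timo advises against. The `setkey -DP` layout and psk.txt format are assumptions, and both samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an
# ipsec-tools + OpenNHRP node. Live use:  setkey -DP | spd_has_gre_policies

# Returns 0 when stdin holds both match-all GRE policies
# (0.0.0.0/0 -> 0.0.0.0/0 proto gre, esp/transport//require), 'in' and 'out'.
# Assumed layout is that of `setkey -DP`: selector line, then indented
# direction line ("in prio def ipsec"), then indented ipsec request line.
spd_has_gre_policies() {
    awk '
        /^0\.0\.0\.0\/0(\[any\])? 0\.0\.0\.0\/0(\[any\])? gre$/ { sel = 1; dir = ""; next }
        sel && /^[[:space:]]+(in|out)[[:space:]]/             { dir = $1; next }
        sel && dir != "" && /^[[:space:]]+esp\/transport\/\/require$/ {
            seen[dir] = 1; sel = 0; next
        }
        /^[^[:space:]]/ { sel = 0 }
        END { exit !(seen["in"] && seen["out"]) }
    '
}

# Returns 0 when a psk.txt on stdin has no "*" wildcard identifier (the
# patched-racoon feature warned about above: any holder of the secret can
# pose as the hub). Assumed format: "<identifier> <secret>", '#' comments.
psk_has_no_wildcard() {
    ! grep -Eq '^[[:space:]]*\*[[:space:]]'
}

# Constructed `setkey -DP` output from a spoke with both policies loaded.
SAMPLE_SPD='0.0.0.0/0[any] 0.0.0.0/0[any] gre
    in prio def ipsec
    esp/transport//require
    spid=1 seq=1 pid=100
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
    out prio def ipsec
    esp/transport//require
    spid=2 seq=0 pid=100
    refcnt=1'

# Constructed psk.txt entries: one secret per peer identity, plus the
# wildcard form the check should reject.
SAMPLE_PSK='hub.example.com     hub-secret-placeholder
spoke1.example.com  spoke1-secret-placeholder'
WILDCARD_PSK='*  one-secret-for-everyone'

printf '%s\n' "$SAMPLE_SPD" | spd_has_gre_policies && echo "SPD: both GRE policies present"
printf '%s\n' "$WILDCARD_PSK" | psk_has_no_wildcard || echo "psk.txt: wildcard identifier found"
```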