Hi Timo,

Thanks for that.  So I will re-do my certs with the relevant information
embedded in them (GRE IP and AS number), and see where I get up to.

Cheers!

Jon.


On Fri, 3 Feb 2017 at 06:18 Timo Teras <timo.te...@iki.fi> wrote:

> On Thu, 02 Feb 2017 23:23:05 +0000
> Jon Clayton <supert...@gmail.com> wrote:
>
> > I followed the instructions here :
> > https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)
> >
> > I'm firstly getting error messages when it's trying to register
> >
> > opennhrp[1917]: Sending Registration Request to 172.16.0.0 (my mtu=0)
> > Feb  2 23:06:51 SpokeWest daemon.info opennhrp[1917]: Received Registration Reply from 172.16.1.1: administratively prohibited
>
> The hub rejected the registration. Due to opennhrp-script.
>
> > On hub:
> >
> > Feb  2 23:06:51 AlpineHUB daemon.info opennhrp[2029]: Received
> > Registration Request from proto src 172.16.1.10 to 172.16.1.1
> > Feb  2 23:06:51 AlpineHUB auth.err opennhrp-script: GRE registration
> > of 172.16.1.10 to 5.5.5.254 DENIED
>
> Pretty clear, opennhrp-script denied it.
>
> > The hub is 172.16.1.1 gre address and the spoke is 172.16.1.10 ...
> > subnet is /16
> >
> > The public "internet" facing address of hub is 3.3.3.254
> > the public facing address of spoke is 5.5.5.254
> >
> >
> > I'm using some certs that I generated with pfSense which I have used
> > for OpenVPN, and the tunnel seems to be coming up as far as I can tell
> > with racoon as I can see what looks like an SA.
> >
> > When I look at the hub opennhrp-script, it seems to be running
> > through a check for OU= and AS= embedded within the certificate? If
> > this is the case, then I'm pretty sure the certs will not have this
> > info in them as I just generated bog-standard X.509 certs with the
> > usual info in them (location, department...)? ... Doesn't mention it
> > on the instructions re: embedding some kind of ID in the cert?
>
> Correct. The script has:
>
>         CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
>         if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
>                 logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
>                 exit 1
>         fi
>
> Which expects that there's in the subject name a field like
> "OU=GRE=172.16.x.x". The intention is that there's a GRE address
> binding in the certificate, making sure that no other hub 'steals'
> GRE addresses it's not supposed to have.
>
> You can comment these lines if you don't want to have this enforcement.
>
> The script also assumes other fields in the certificate to do automatic
> BGP configuration. You may need to adjust those parts too.
>
> > Also if I delete/comment that section, it gets a bit further but then
> > says failed exitstatus 2
> >
> > I'm pretty confused it has done this in two setups as I started from
> > scratch but still not getting anywhere with it :(
> >
> > Is anyone able to help?  I'm probably doing something daft, but I've
> > spent ages on it now and I'm going round in circles.
>
> Cheers,
> Timo
>
>
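An added example (not opennhrp-script and not code from anyone in the thread) of the certificate side of what Timo describes: issuing a spoke certificate whose subject carries the OU=GRE=<address> binding, pulling the OU values back out of the certificate in a way that does not depend on how the installed OpenSSL formats the Subject line of `x509 -text`, and an exact-match version of the hub's check. One caveat worth noting about the grep quoted above, `grep "^GRE=$NHRP_DESTADDR"`: it is anchored only at the start and uses the address as a regular expression, so a certificate bound to 172.16.1.10 also satisfies a check for 172.16.1.1, which in this setup is the hub's own GRE address. The OU layout "GRE=<address>" plus "AS=<number>", the organisation name, the AS number 65010 and all paths are assumptions made for the demo, not something the thread or the Alpine wiki establishes.

```shell
#!/bin/sh
# Added example, not the opennhrp project's opennhrp-script and not code from
# the thread. Assumptions (not established by the thread): the OU layout is
# "GRE=<address>" plus "AS=<number>"; every name, address and path below is
# made up for the demo.

# ou_values CERT_FILE
#   Print one OU value per line. sep_multiline puts each RDN on its own
#   line as TYPE=value, so the extraction does not depend on how the
#   installed OpenSSL formats the "Subject:" line of `x509 -text`.
ou_values() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *OU=//p'
}

# legacy_binding_ok OU_LIST GRE_ADDR
#   The grep as quoted in the thread: anchored only at the start, with the
#   address used as a regex. "GRE=172.16.1.10" therefore satisfies a check
#   for 172.16.1.1, i.e. a spoke certified for .10 could register the
#   hub's own GRE address .1.
legacy_binding_ok() {
    printf '%s\n' "$1" | grep -q "^GRE=$2"
}

# gre_binding_ok OU_LIST GRE_ADDR
#   Exact-match replacement: -F takes the address literally (dots are not
#   wildcards) and -x requires the whole line to match.
gre_binding_ok() {
    printf '%s\n' "$1" | grep -qxF "GRE=$2"
}

# as_number OU_LIST
#   Print the AS number carried as OU=AS=<n>, or nothing if absent.
as_number() {
    printf '%s\n' "$1" | sed -n 's/^AS=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# make_spoke_cert OUT_DIR GRE_ADDR ASN CN
#   Self-signed for the demo; in a real deployment the same -subj goes
#   into a CSR that the DMVPN CA signs. Repeated OU RDNs are legal.
make_spoke_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/spoke.key" -out "$1/spoke.crt" \
        -subj "/O=ExampleDMVPN/OU=GRE=$2/OU=AS=$3/CN=$4" >/dev/null 2>&1
}

# demo: issue a certificate for the spoke from the thread (GRE 172.16.1.10)
# and run both checks against it, as the hub would with NHRP_DESTADDR set
# to the address the spoke asks to register.
demo() {
    dir=$(mktemp -d) || return 1
    make_spoke_cert "$dir" 172.16.1.10 65010 SpokeWest || { rm -rf "$dir"; return 1; }
    ous=$(ou_values "$dir/spoke.crt")
    rm -rf "$dir"
    echo "OU values in certificate:"
    echo "$ous"
    for addr in 172.16.1.10 172.16.1.1 172.16.1.100; do
        legacy_binding_ok "$ous" "$addr" && l=ALLOW || l=DENY
        gre_binding_ok "$ous" "$addr" && e=ALLOW || e=DENY
        echo "register $addr: quoted grep=$l exact match=$e AS=$(as_number "$ous")"
    done
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run as a plain script with openssl on the PATH; the second loop iteration shows the quoted grep allowing 172.16.1.1 while the exact-match check denies it. On the hub the same exact-match grep can replace the quoted one with `$CERT` as the OU list and `$NHRP_DESTADDR` as the address.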
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel