ok only worked when I hardcoded the IPs into the script.
3.3.3.254 hub >>>> 5.5.5.254 spoke
When I put the vars back it screws up :(
It seems to be pulling the wrong IPs into those vars, maybe, and stopping
the script working? Not sure why though!
Any ideas? :)
Cheers,
Jon.
AlpineHUB:/etc/opennhrp# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 3.3.3.254
netmask 255.255.255.0
gateway 3.3.3.1
dns-nameservers 8.8.8.8
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
#up ip rule add lookup nhrp_shortcut pref 11000
#up ip rule add lookup quagga pref 11001
#up ip rule add lookup nhrp_mtu pref 11999
AlpineHUB:/etc/opennhrp#
Hub opennhrp.conf
interface gre1
route-table 44
shortcut
redirect
non-caching
interface lo
shortcut-destination
Spoke /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 5.5.5.254
netmask 255.255.255.0
gateway 5.5.5.1
dns-nameservers 8.8.8.8
auto eth1
iface eth1 inet static
address 10.10.10.1
netmask 255.255.255.0
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.10
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
On Fri, 3 Feb 2017 at 19:31 Jon Clayton <supert...@gmail.com> wrote:
> Ok sort of got it working now, wangled the script a bit, I've pinged the
> spoke finally!
>
>
> On Fri, 3 Feb 2017 at 15:32 Jon Clayton <supert...@gmail.com> wrote:
>
> Public IP of Spoke: 5.5.5.254
> Public IP of Hub: 3.3.3.254
>
> echo `racoonctl get-cert inet 5.5.5.254 3.3.3.254 | openssl x509 -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]*(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^ returns null
>
> echo `racoonctl get-cert inet 3.3.3.254 5.5.5.254 | openssl x509 -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]*(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^^ returns a string
> GRE=172.16.1.10 AS=50001
>
> On Fri, 3 Feb 2017 at 15:13 Jon Clayton <supert...@gmail.com> wrote:
>
> Hi again,
>
> Is there a way I can view what it's pulling into these variables?
> $NHRP_SRCNBMA
> $NHRP_DESTNBMA
>
> I think it's rejecting as it's not getting a match on the string, but when
> I manually run the command with what I think should be correct IPs it does
> return a match. Also I had to modify the script to match my cert fields, as
> I put the information in CN=.
>
> CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]*(/[0-9]+)?" | cut
>
> Cheers!
> Jon.
>
>
> On Fri, 3 Feb 2017 at 09:30 Jon Clayton <supert...@gmail.com> wrote:
>
> Hi Timo,
>
> Thanks for that. So I will re-do my certs with the relevant information
> embedded in them (GRE IP and AS number), and see where I get up to.
>
> Cheers!
>
> Jon.
>
>
> On Fri, 3 Feb 2017 at 06:18 Timo Teras <timo.te...@iki.fi> wrote:
>
> On Thu, 02 Feb 2017 23:23:05 +0000
> Jon Clayton <supert...@gmail.com> wrote:
>
> > I followed the instructions here :
> > https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)
> >
> > I'm firstly getting error messages when its trying to register
> >
> > opennhrp[1917]: Sending Registration Request to 172.16.0.0 (my mtu=0)
> > Feb 2 23:06:51 SpokeWest daemon.info opennhrp[1917]: Received Registration Reply from 172.16.1.1: administratively prohibited
>
> The hub rejected the registration. Due to opennhrp-script.
>
> > On hub:
> >
> > Feb 2 23:06:51 AlpineHUB daemon.info opennhrp[2029]: Received Registration Request from proto src 172.16.1.10 to 172.16.1.1
> > Feb 2 23:06:51 AlpineHUB auth.err opennhrp-script: GRE registration of 172.16.1.10 to 5.5.5.254 DENIED
>
> Pretty clear, opennhrp-script denied it.
>
> > The hub is 172.16.1.1 gre address and the spoke is 172.16.1.10 ...
> > subnet is /16
> >
> > The public "internet" facing address of hub is 3.3.3.254
> > the public facing address of spoke is 5.5.5.254
> >
> >
> > I'm using some certs that I generated with PFsense which I have used
> > for openvpn and the tunnel seems to be coming up as far as I can tell
> > with racoon as I can see what looks like an SA.
> >
> > When I look at the hub opennhrp-script, it seems to be running
> > through a check for OU= and AS= embedded within the certificate? If
> > this is the case, then I'm pretty sure the Certs will not have this
> > info in them as I just generated bog standard x509 certs with the
> > usual info in them (location, department...)? ... Doesn't mention it
> > on the instructions re: embedding some kind of ID in the cert?
>
> Correct. The script has:
>
> CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
> if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
>     logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
>     exit 1
> fi
>
> Which expects that there's a field like "OU=GRE=172.16.x.x" in the
> subject name. The intention is that there's a GRE address binding in the
> certificate, making sure that no other hub 'steals' GRE addresses it's not
> supposed to have.
>
> You can comment these lines if you don't want to have this enforcement.
>
> The script also assumes other fields in the certificate to do automatic
> BGP configuration. You may need to adjust those parts too.
>
> > Also if I delete/comment that section, it gets a bit further but then
> > says failed exitstatus 2
> >
> > I'm pretty confused it has done this in two setups as I started from
> > scratch but still not getting anywhere with it :(
> >
> > Is anyone able to help? I'm probably doing something daft, but I've
> > spent ages on it now and I'm going round in circles.
>
> Cheers,
> Timo
>
>
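The registration check Timo quotes, and the variable inspection Jon asks about, as an added shell example. This is not the opennhrp-script shipped with OpenNHRP and not Jon's modified copy; the function names and the sample Subject lines are constructed here. It assumes, as the quoted script does, that opennhrp hands the script NHRP_SRCNBMA, NHRP_DESTNBMA and NHRP_DESTADDR in its environment, and it parses a constructed `openssl x509 -text -noout` Subject line instead of calling racoonctl, so it runs without a racoon SA. The GRE binding is accepted in either OU= (the stock convention) or CN= (where Jon put it).

```shell
#!/bin/sh
# Added example: an NHRP registration authorization check in the spirit of the
# opennhrp-script lines quoted in the thread. Not the script shipped with
# OpenNHRP and not Jon's copy. Assumption (as in the quoted script): opennhrp
# passes NHRP_SRCNBMA, NHRP_DESTNBMA and NHRP_DESTADDR to the script via the
# environment. The certificate dump is a constructed sample; the real script
# would obtain it with
#   racoonctl get-cert inet "$NHRP_SRCNBMA" "$NHRP_DESTNBMA" | openssl x509 -inform der -text -noout
# which needs a live racoon SA and is therefore not run here.

# How to see what the NHRP_* variables hold when opennhrp runs the script:
# they are ordinary environment variables, so listing them at the top of the
# script shows exactly what racoonctl will be given.
dump_nhrp_env() {
    env | grep '^NHRP_' | sort
    return 0
}

# Print the "GRE=a.b.c.d" binding found in the Subject line of an
# `openssl x509 -text -noout` dump read on stdin, or nothing if there is none.
# OpenNHRP's stock script expects it in OU=; Jon put it in CN=, so both are
# accepted. Handles both Subject styles openssl prints ("C=GB, OU=..." and
# "C = GB, OU = ...") and the "/AS=..." suffix OpenNHRP puts after the address.
gre_binding_from_cert_text() {
    sed -n 's/^ *Subject: *//p' \
    | tr ',/' '\n\n' \
    | sed 's/^ *//; s/ *= */=/' \
    | sed -n -e 's/^OU=\(GRE=[0-9][0-9.]*\).*/\1/p' \
             -e 's/^CN=\(GRE=[0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# Allow the registration (exit 0) only if the certificate on stdin binds
# exactly the GRE address being registered ($1, i.e. NHRP_DESTADDR).
authorize_gre_registration() {
    want="GRE=$1"
    got=$(gre_binding_from_cert_text)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed sample Subject lines (the one relevant line of a -text dump).
SPOKE_CERT_OU='        Subject: C=GB, O=Example Lab, OU=GRE=172.16.1.10/AS=50001, CN=spoke-west'
SPOKE_CERT_CN='        Subject: C = GB, O = Example Lab, CN = GRE=172.16.1.10 AS=50001'
PLAIN_CERT='        Subject: C=GB, ST=Somewhere, O=Example Lab, OU=Networks, CN=spoke-west'

# Demo: the spoke's certificate binds 172.16.1.10, so registering that
# address is allowed and registering the hub's 172.16.1.1 is denied.
main() {
    dump_nhrp_env
    for addr in 172.16.1.10 172.16.1.1; do
        if printf '%s\n' "$SPOKE_CERT_OU" | authorize_gre_registration "$addr"; then
            echo "GRE registration of $addr to ${NHRP_DESTNBMA:-<unset>} ALLOWED"
        else
            echo "GRE registration of $addr to ${NHRP_DESTNBMA:-<unset>} DENIED"
        fi
    done
}
main
```

The comparison is an exact string match rather than the quoted `grep "^GRE=$NHRP_DESTADDR"`: that prefix match also accepts a certificate bound to GRE=172.16.1.10 when 172.16.1.1 is being registered, and the unescaped dots in the address are regex wildcards. Once the variable values have been confirmed, drop the `dump_nhrp_env` call or send its output through `logger -t opennhrp-script` so it lands beside the DENIED message in the hub's auth log.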
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel