Could it be anything to do with NFLOG and the iptables rules?
Does this require any special kernel module that I may not have access to
in LXD?
Cheers,
Jon.
On Sun, 30 Jul 2017 at 18:26 M87tech [Jon] <m87t...@gmail.com> wrote:
> Hi Timo
>
> It's your version compiled from source, I assume that is the correct
> patched one?
>
> git clone -b tteras-release git://git.alpinelinux.org/user/tteras/strongswan
>
> ./configure --enable-systemd --enable-swanctl --with-systemd-systemunitdir=/etc/systemd/system/multi-user.target.wants --prefix=/usr --sysconfdir=/etc
>
> make
> make install
>
> Ubuntu version is 17.04 but also tried with 16.04 and everything was the
> same.
>
> Unsure why there are no TX counters on GRE1 which is a bad sign.
>
> I'm about to test on a VM to see if there is any difference vs the above
> which was done in a privileged LXD container.
>
> And yeah, can't see anything related to ipsec happening, nothing in "ipsec
> status" and no 500 or 4500 udp packets, just BGP tries to peer but sourcing
> from ETH0 and not GRE1 which is weird.
>
> Cheers,
> Jon.
>
>
>
>
> On Sun, 30 Jul 2017 at 15:56 Timo Teras <timo.te...@iki.fi> wrote:
>
>> On Sun, 30 Jul 2017 09:30:13 +0000
>> "M87tech [Jon]" <m87t...@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > I'm trying to get a dmvpn testbed up and running using privileged LXD
>> > containers.
>> >
>> > So far I'm stuck with an error message that looks to be related to the
>> > interfaces somehow; the logs show it's resolved the hub then waiting
>> > for a link:
>> >
>> > 2017/07/30 09:17:22.84 NHRP: gre1: bound to eth0
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Connected
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:23.75 NHRP: VICI: Message 1, 1 bytes
>> > 2017/07/30 09:17:23.84 NHRP: [0x23e4f30] Resolving 'hub6.wizznet.co.uk'
>> > 2017/07/30 09:17:23.84 NHRP: Netlink: Received msg_type 28, msg_flags 0
>> > 2017/07/30 09:17:23.86 NHRP: [0x23e4f30] Resolved with 1 results
>> > 2017/07/30 09:17:23.91 NHRP: NHS: Waiting link for 51.15.49.245
>> > 2017/07/30 09:17:34.06 NHRP: Netlink-log: Received msg_type 2, msg_flags 0
>> > 2017/07/30 09:17:34.06 NHRP: NHS: Flush timer for 51.15.49.245
>> > 2017/07/30 09:17:34.08 NHRP: NHS: Waiting link for 51.15.49.245
>> > 2017/07/30 09:17:36.08 NHRP: vici_reconnect: failure connecting VICI socket: Connection refused
>>
>> VICI reconnect is unusual? Did you restart strongSwan? Is the
>> strongSwan you are running patched with the required changes?
>>
>> Details on the above patches should be in frr's nhrpd/README.nhrp
>>
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Connected
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Message 5, 1 bytes
>> > 2017/07/30 09:17:38.08 NHRP: VICI: Message 1, 1 bytes
>> > 2017/07/30 09:17:44.72 NHRP: Netlink: Received msg_type 28, msg_flags 0
>> >
>> > Particular message "msg_type 28" keeps repeating on and on.
>>
>> That is pretty normal.
>>
>> > I don't see any TX traffic counters on interface gre1
>> >
>> > after a tcpdump BGP packets are sourcing from eth0 which doesn't seem
>> > right at all so it looks like nhrp isn't using the gre1 interface.
>> >
>> > I'm wondering if this is an issue with the fact that it is in a
>> > container vs a normal machine or VM.
>> >
>> > the container is privileged and unconfined so has access to tunnel
>> > interfaces (in theory!)
>> > I don't see any ipsec packets on 500 or 4500 udp, not a peep. It
>> > looks like it's not even attempting to use the gre1 interface and thus
>> > no ipsec? Just unencrypted bgp packets from eth0 with destination of
>> > the hub.
>>
>> First thing happening should be the IKE SA being established. So if you
>> don't see port 500/4500 traffic, then integration to strongSwan is not
>> working right.
>>
>> > Any help or pointers would be much appreciated!
>>
>> Which strongSwan do you have?
>>
>> Timo
>>
> --
> M87 TECH
> Jon Clayton
>
> --
M87 TECH
Jon Clayton
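As an added example (not code from this thread, from nhrpd or from strongSwan), a small Python triage of nhrpd log lines in the format quoted above: it separates the benign Netlink msg_type 28 noise from the VICI socket failure and the NHS peer stuck in 'Waiting link', which is the pattern Timo's reply points at. The sample log is constructed from the lines quoted in the thread; the thresholds and wording of the findings are my own.

```python
import re
from collections import Counter

# Constructed sample: the nhrpd log lines quoted earlier in this thread.
SAMPLE_LOG = """\
2017/07/30 09:17:22.84 NHRP: gre1: bound to eth0
2017/07/30 09:17:23.75 NHRP: VICI: Connected
2017/07/30 09:17:23.84 NHRP: [0x23e4f30] Resolving 'hub6.wizznet.co.uk'
2017/07/30 09:17:23.84 NHRP: Netlink: Received msg_type 28, msg_flags 0
2017/07/30 09:17:23.86 NHRP: [0x23e4f30] Resolved with 1 results
2017/07/30 09:17:23.91 NHRP: NHS: Waiting link for 51.15.49.245
2017/07/30 09:17:34.06 NHRP: Netlink-log: Received msg_type 2, msg_flags 0
2017/07/30 09:17:34.06 NHRP: NHS: Flush timer for 51.15.49.245
2017/07/30 09:17:34.08 NHRP: NHS: Waiting link for 51.15.49.245
2017/07/30 09:17:36.08 NHRP: vici_reconnect: failure connecting VICI socket: Connection refused
2017/07/30 09:17:38.08 NHRP: VICI: Connected
2017/07/30 09:17:44.72 NHRP: Netlink: Received msg_type 28, msg_flags 0
"""

LINE_RE = re.compile(r"^(\S+ \S+) NHRP: (.*)$")
WAITING_RE = re.compile(r"NHS: Waiting link for (\S+)")
VICI_FAIL_RE = re.compile(r"vici_reconnect: failure connecting VICI socket: (.*)")


def triage(log_text):
    """Summarise an nhrpd log: VICI socket failures, NHS peers repeatedly
    waiting for a link, and the count of rtnetlink msg_type 28 (RTM_NEWNEIGH)
    events, which are normal neighbour-table churn rather than an error."""
    vici_failures = []
    waiting = Counter()
    netlink28 = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an nhrpd line (or a wrapped continuation)
        ts, msg = m.groups()
        fail = VICI_FAIL_RE.search(msg)
        wait = WAITING_RE.search(msg)
        if fail:
            vici_failures.append((ts, fail.group(1)))
        elif wait:
            waiting[wait.group(1)] += 1
        elif "Netlink: Received msg_type 28" in msg:
            netlink28 += 1
    findings = []
    if vici_failures:
        findings.append("strongSwan VICI socket unreachable: check strongSwan is running, "
                        "carries the nhrpd patches (see frr nhrpd/README.nhrp) and is not restarting")
    for peer, n in waiting.items():
        if n >= 2:  # assumed threshold: seen again after the flush timer fired
            findings.append(f"NHS {peer} still 'Waiting link' after {n} attempts: no IKE SA came up, "
                            "so expect no UDP 500/4500 to the hub and no TX on gre1")
    return {"vici_failures": vici_failures, "waiting": dict(waiting),
            "netlink28": netlink28, "findings": findings}
```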
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel