Hi,

Looked at the logs in more detail now. Somehow it seems that strongSwan is negotiating but not able to successfully establish the IPsec SA between the spokes.

Can you set strongSwan in debug mode, and get the logs from it as well when trying to establish the shortcut tunnel?

This could be something to do with the 'psk' auth mode. I never tested it (using certs only), though the config looks ok.

Please also confirm which strongSwan version and patches are applied?

Timo

On Sun, 29 Oct 2017 16:28:40 -0400
Lee Cardona <lee.card...@gmail.com> wrote:

> Hi Timo,
>
> I've applied the changes but it still does not perform spoke-to-spoke
> phase 3 for back-end nets. Basically the same dmvpn behavior.
>
> The prefix filter works, preventing /32 coming in via bgp. And the
> gre subnet is announced from hub.
>
> Any specific action I can perform to see why the cache entry being
> entered when doing net-to-net loads as "Invalid" and with an "A"
> flag?
>
> Do you think this could be a bug?
>
> Sent from my iPhone
>
> > On Oct 26, 2017, at 12:53 AM, Timo Teras <timo.te...@iki.fi> wrote:
> >
> > On Wed, 25 Oct 2017 12:16:21 -0400
> > Lee Cardona <lee.card...@gmail.com> wrote:
> >
> >> Timo,
> >>
> >> When you say,
> >>
> >> "The hub should be announcing the GRE subnet via BGP explicitly, so
> >> you'll need also for Hub's BGP config:
> >> network 10.10.10.0/24"
> >>
> >> Do you mean the gre subnet for NBMA addresses or the tunnel
> >> addresses? Just looking to confirm because in my setup the
> >> 10.10.10.0/24 subnet is used for the NBMA interfaces on eth0's.
> >> While the 192.168.0.0/16 is used on the inner tunnel gre
> >> interfaces.
> >>
> >> Did you mean 192.168.0.0/16?
> >
> > Sorry. Yes, I meant the subnet covering gre1 addresses. Or
> > 192.168.0.0/16. I misread the diagram.
> >
> > Timo
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel