-rw-r--r-- docs/_static/images/blueprint-dmvpn.png | bin | 26830 -> 29626 bytes
-rw-r--r-- docs/configuration/vpn/dmvpn.rst | 433
2 files changed, 260 insertions, 173 deletions
diff --git a/docs/_static/images/blueprint-dmvpn.png b/docs/_static/images/blueprint-dmvpn.png Binary files differindex b07c190d..85f189c1 100644 --- a/docs/_static/images/blueprint-dmvpn.png +++ b/docs/_static/images/blueprint-dmvpn.png diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 21df8cfd..e58eecbc 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst 
@@ -37,142 +37,175 @@ peers. Configuration ************* -* Please refer to the :ref:`tunnel-interface` documentation for the individual - tunnel related options. +Tunnel interface configuration +============================== -* Please refer to the :ref:`ipsec` documentation for the individual IPSec - related options. +NHRP never handles routing of prefixes itself. You need to run some real routing +protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it +establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going +through extra nodes in NBMA GRE mesh. + +NHRP does route NHRP domain addresses individually using per-host prefixes. +This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses +a generic subnet route. -.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret> +To create NBMA GRE tunnel you might use the following: - Enables Cisco style authentication on NHRP packets. This embeds the secret - plaintext password to the outgoing NHRP packets. Incoming NHRP packets on - this interface are discarded unless the secret password is present. Maximum - length of the secret is 8 characters. +.. code-block:: none -.. cfgcmd:: set protocols nhrp tunnel <tunnel> dynamic-map <address> - nbma-domain-name <fqdn> + set interfaces tunnel tun100 address '10.0.0.1/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 ip adjust-mss '1360' + set interfaces tunnel tun100 mtu '1400' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' - Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` - addresses of the next hop servers are defined in the domain name - nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry. +* Please refer to the :ref:`tunnel-interface` documentation for the individual + tunnel related options. 
- Each dynamic NHS will get a peer entry with the configured network address - and the discovered NBMA address. + .. note:: The IP-address is assigned as host prefix to tunnel interface. + NHRP will automatically create additional host routes pointing to tunnel interface + when a connection with these hosts is established. - The first registration request is sent to the protocol broadcast address, and - the server's real protocol address is dynamically detected from the first - registration reply. +The tunnel interface subnet prefix should be announced by routing protocol +from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing +protocol to decide which is the closest hub and determine the relay hub on +prefix basis when direct tunnel is not established. -.. cfgcmd:: set protocols nhrp tunnel <tunnel> holding-time <timeout> +NHRP protocol configuration +============================== - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. +.. cfgcmd:: set protocols nhrp tunnel <tunnel> authentication <secret> -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map cisco + Enables Cisco style authentication on NHRP packets. This embeds the + plaintext password to the outgoing NHRP packets. Maximum length of + the password is 8 characters. - If the statically mapped peer is running Cisco IOS, specify the cisco keyword. - It is used to fix statically the Registration Request ID so that a matching - Purge Request can be sent if NBMA address has changed. This is to work around - broken IOS which requires Purge Request ID to match the original Registration - Request ID. +.. cfgcmd:: set protocols nhrp tunnel <tunnel> holdtime <timeout> -.. 
cfgcmd:: set protocols nhrp tunnel <tunnel> map nbma-address <address> + Holdtime is the number of seconds that have to pass before stopping to + advertise an NHRP NBMA address as valid. It also controls how often NHRP + registration requests are sent. By default registrations are sent every + one third of the holdtime - Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast - multiple-access network)` address. +.. cfgcmd:: set protocols nhrp tunnel <tunnel> map tunnel-ip <tunnel-ip> + nbma <nbma-ip> - If the IP prefix mask is present, it directs opennhrp to use this peer as a - next hop server when sending Resolution Requests matching this subnet. + * **tunnel-ip** - Tunnel ip address in format **x.x.x.x**. + * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local** - This is also known as the HUBs IP address or FQDN. + Map an IP address of a station to the station’s NBMA address. -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map register +.. cfgcmd:: set protocols nhrp tunnel <tunnel> mtu <mtu> - The optional parameter register specifies that Registration Request should be - sent to this peer on startup. + Configure NHRP advertised MTU. - This option is required when running a DMVPN spoke. +.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <nbma-ip> -.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <dynamic | nhs> + * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic** - Determines how opennhrp daemon should soft switch the multicast traffic. - Currently, multicast traffic is captured by opennhrp daemon using a packet - socket, and resent back to proper destinations. This means that multicast - packet sending is CPU intensive. + Sends multicast packets to the specified NBMA address. If dynamic is specified + then destination NBMA address (or addresses) are learnt dynamically. - Specfying nhs makes all multicast packets to be repeated to each statically - configured next hop. +.. 
cfgcmd:: set protocols nhrp tunnel <tunnel> network-id <network-id> - Synamic instructs to forward to all peers which we have a direct connection - with. Alternatively, you can specify the directive multiple times for each - protocol-address the multicast traffic should be sent to. + * **network-id** - NHRP network id <1-4294967295> - .. warning:: It is very easy to misconfigure multicast repeating if you have - multiple NHSes. + Enable NHRP on this interface and set the interface’s network ID. The network ID + is used to allow creating multiple nhrp domains on a router when multiple interfaces + are configured on the router. Interfaces configured with the same ID are part of the + same logical NBMA network. The ID is a local only parameter and is not sent to other + NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are + received on an interface they are assigned to the local NHRP domain for that interface. -.. cfgcmd:: set protocols nhrp tunnel <tunnel> non-caching +.. cfgcmd:: set protocols nhrp tunnel <tunnel> nhs tunnel-ip <tunnel-ip> nbma <nbma-ip> - Disables caching of peer information from forwarded NHRP Resolution Reply - packets. This can be used to reduce memory consumption on big NBMA subnets. + * **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic** + * **nbma-ip** - NBMA ip address in format **x.x.x.x** - .. note:: Currently does not do much as caching is not implemented. + Configure the Next Hop Server address and its NBMA address. If dynamic is specified + then Next Hop Server can have dynamic address which maps to its NBMA address. .. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect - Enable sending of Cisco style NHRP Traffic Indication packets. If this is - enabled and opennhrp detects a forwarded packet, it will send a message to - the original sender of the packet instructing it to create a direct connection - with the destination. 
This is basically a protocol independent equivalent of - ICMP redirect. + This enable redirect replies on the NHS similar to ICMP redirects except this is + managed by the nhrp protocol. This setting allows spokes to communicate with each + others directly. + +.. cfgcmd:: set protocols nhrp tunnel <tunnel> registration-no-unique + + Allow the client to not set the unique flag in the NHRP packets. This is useful when + a station has a dynamic IP address that could change over time. .. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut - Enable creation of shortcut routes. + Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly + after establishing a connection without going through the hub. + +IPSEC configuration +============================== + +* Please refer to the :ref:`ipsec` documentation for the individual IPSec + related options. + +.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' + parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action' + always is set to 'clear'. + +.. cfgcmd:: set vpn ipsec profile <profile-name> authentication mode pre-shared-secret + + Set preshared secret mode authentication + +.. cfgcmd:: set vpn ipsec profile <profile-name> authentication pre-shared-secret <secret> + + Set preshared secret + +.. cfgcmd:: set vpn ipsec profile <profile-name> bind tunnel <tunnel name> + + Bind IPSEC profile to the specific tunnel interface. + +.. cfgcmd:: set vpn ipsec profile <profile-name> esp-group 'ESP-HUB' - A received NHRP Traffic Indication will trigger the resolution and - establishment of a shortcut route. + Map ESP group to IPSEC profile -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-destination +.. 
cfgcmd:: set vpn ipsec profile <profile-name> ike-group 'IKE-HUB' - This instructs opennhrp to reply with authorative answers on NHRP Resolution - Requests destinied to addresses in this interface (instead of forwarding the - packets). This effectively allows the creation of shortcut routes to subnets - located on the interface. + Map IKE group to IPSEC profile - When specified, this should be the only keyword for the interface. +********** +Monitoring +********** +.. opcmd:: show ip nhrp cache -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address> + Forwarding cache information. - Defines an off-NBMA network prefix for which the GRE interface will act as a - gateway. This an alternative to defining local interfaces with - shortcut-destination flag. +.. opcmd:: show ip nhrp nhs -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address> - holding-time <timeout> + Next hop server information. - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. +.. opcmd:: show ip nhrp shortcut + + Shortcut information. ******* Example ******* - -This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as -multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual -Environment NG)`. +This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as +multiple spoke sites. .. figure:: /_static/images/blueprint-dmvpn.png - :alt: DMVPN network + :width: 70% + :align: center + :alt: DMVPN Network Topology Diagram + - DMVPN example network + DMVPN Network Topology Diagram -Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. +Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24. 
-The below referenced IP address `192.0.2.1` is used as example address +The below referenced IP address `192.168.0.2` is used as example address representing a global unicast address under which the HUB can be contacted by each and every individual spoke. 
@@ -183,47 +216,46 @@ Configuration Hub --- +VyOS-HUB-1 +^^^^^^^^^^ .. code-block:: none - set interfaces ethernet eth0 address 192.0.2.1/24 + set interfaces ethernet eth0 address '192.168.0.2/30' - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 source-address '192.0.2.1' + set interfaces tunnel tun100 address '10.0.0.100/32' set interfaces tunnel tun100 enable-multicast - set interfaces tunnel tun100 parameters ip key '1' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 authentication 'test123' + set protocols nhrp tunnel tun100 holdtime '300' set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 network-id '1' set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut + set protocols nhrp tunnel tun100 registration-no-unique + + set protocols static route 0.0.0.0/0 next-hop 192.168.0.1 set vpn ipsec esp-group ESP-HUB lifetime '1800' set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' set vpn ipsec ike-group IKE-HUB lifetime '3600' set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - 
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - set vpn ipsec interface 'eth0' - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' set vpn ipsec profile NHRPVPN bind tunnel 'tun100' set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + .. note:: Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the 
@@ -231,105 +263,160 @@ Hub the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console). -Spoke ------ +Spokes +------ -The individual spoke configurations only differ in the local IP address on the -``tun10`` interface. See the above diagram for the individual IP addresses. + The individual spoke configurations only differ in interface IP addresses. -spoke01-spoke04 -^^^^^^^^^^^^^^^ +VyOS-Spoke-1 and VyOS-Spoke-2 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + + set interfaces ethernet eth0 address '192.168.1.2/30' + + set interfaces tunnel tun100 address '10.0.0.1/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' + + set protocols nhrp tunnel tun100 authentication 'test123' + set protocols nhrp tunnel tun100 holdtime '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 network-id '1' + set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2' + set protocols nhrp tunnel tun100 registration-no-unique + set protocols nhrp tunnel tun100 shortcut + + set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 + set protocols static route 10.0.0.0/24 next-hop 10.0.0.100 + + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'transport' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec interface 'eth0' + set 
vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +Cisco-Spoke-3 +^^^^^^^^^^^^^ .. code-block:: none - crypto keyring DMVPN - pre-shared-key address 192.0.2.1 key secret - ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 192.0.2.1 255.255.255.255 + lifetime 3600 + crypto isakmp key secret address 0.0.0.0 + ! ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac mode transport ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN + crypto ipsec profile DMVPNPROFILE + set security-association lifetime seconds 1800 + set transform-set DMVPNESP + set pfs group2 + ! ! - interface Tunnel10 - ! individual spoke tunnel IP must change - ip address 172.16.253.129 255.255.255.248 + ! + ! + ! + ! + ! + interface Tunnel100 + ip address 10.0.0.3 255.255.255.0 no ip redirects - ip nhrp authentication secret - ip nhrp map 172.16.253.134 192.0.2.1 - ip nhrp map multicast 192.0.2.1 + ip nhrp authentication test123 + ip nhrp map multicast dynamic ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source FastEthernet0/0 + ip nhrp holdtime 300 + ip nhrp nhs 10.0.0.100 nbma 192.168.0.2 + ip nhrp registration no-unique + ip nhrp redirect + tunnel source GigabitEthernet0/0 tunnel mode gre multipoint - tunnel protection ipsec profile DMVPN - tunnel key 1 + tunnel key 42 + tunnel protection ipsec profile DMVPNPROFILE + ! 
+ interface GigabitEthernet0/0 + ip address 192.168.3.2 255.255.255.252 + duplex auto + speed auto + media-type rj45 ! - interface FastEthernet0/0 - ip address dhcp - duplex half + ip route 0.0.0.0 0.0.0.0 192.168.3.1 -spoke05 -^^^^^^^ +Monitoring DMVPN Network +^^^^^^^^^^^^^^^^^^^^^^^^ -VyOS can also run in DMVPN spoke mode. +Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3 .. code-block:: none - set interfaces ethernet eth0 address 'dhcp' + vyos@vyos:~$ ping 10.0.0.3 + PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. + 64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms + 64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms + ^C + --- 10.0.0.3 ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1002ms + rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms - set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 source-address 0.0.0.0 - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 enable-multicast - set interfaces tunnel tun100 parameters ip key '1' +Monitoring on HUB +^^^^^^^^^^^^^^^^^ - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 register - set protocols nhrp tunnel tun100 multicast 'nhs' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut +.. 
code-block:: none - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'transport' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + vyos@vyos:~$ show ip nhrp cache + Iface Type Protocol NBMA Claimed NBMA Flags Identity + tun100 dynamic 10.0.0.1 192.168.1.2 192.168.1.2 T 192.168.1.2 + tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 + tun100 dynamic 10.0.0.2 192.168.2.2 192.168.2.2 T 192.168.2.2 + tun100 local 10.0.0.100 192.168.0.2 192.168.0.2 - - set vpn ipsec interface 'eth0' + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + dmvpn-NHRPVPN-tun100-child up 3m46s 230B/270B 2/2 192.168.1.2 192.168.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 5m48s 460B/540B 4/4 192.168.2.2 192.168.2.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 16m26s 1K/1K 13/12 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN 
authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' +Monitoring on Spokes +^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + vyos@vyos:~$ show ip nhrp cache + Iface Type Protocol NBMA Claimed NBMA Flags Identity + tun100 local 10.0.0.1 192.168.1.2 192.168.1.2 - + tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 + tun100 nhs 10.0.0.100 192.168.0.2 192.168.0.2 T 192.168.0.2 + + vyos@vyos:~$ show ip nhrp nhs + Iface FQDN NBMA Protocol + tun100 192.168.0.2 192.168.0.2 10.0.0.100 + + vyos@vyos:~$ show ip nhrp shortcut + Type Prefix Via Identity + dynamic 10.0.0.3/32 10.0.0.3 192.168.3.2 + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + dmvpn-NHRPVPN-tun100-child up 6m43s 898B/695B 7/6 192.168.0.2 192.168.0.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 49s 215B/187B 2/2 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 |
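Review bot: in the first hunk (@@ -37,142 +37,175 @@), the rewritten `set protocols nhrp tunnel <tunnel> authentication <secret>` entry drops the sentence from the old `cisco-authentication` text stating that incoming NHRP packets without the matching secret are discarded; please keep a statement of the receive-side behaviour, since that is what tells the reader the option is an access control and not just a tag on outgoing packets (the word "plaintext" should also stay, so nobody mistakes it for a keyed hash). In the same hunk, `set vpn ipsec profile <profile-name> esp-group 'ESP-HUB'` and `ike-group 'IKE-HUB'` should use placeholders such as `<esp-group-name>` and `<ike-group-name>` to match `<profile-name>`, because the literal names belong to the example further down. Wording: "What nhrpd does it establishes 'shortcut routes' that optimizes" reads better as "What nhrpd does is establish 'shortcut routes' that optimize"; the holdtime paragraph is missing its final period; and the IPSEC note would read better as "The NHRP daemon is based on FRR nhrpd and controls IPsec, which is why 'close-action' is always set to 'close' and 'dead-peer-detection action' to 'clear'."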
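Review bot: in the second hunk (@@ -183,47 +216,46 @@), the hub block removes `set vpn ipsec interface 'eth0'` while the spoke block in the following hunk keeps that line; either the hub needs it too or the spokes do not, so please make the two consistent and say which. The hunk also removes the 3des/md5 ESP proposal and the aes128 IKE proposal, which is welcome, but keeps `dh-group '2'` (MODP-1024, as the later `show vpn ipsec sa` output confirms) and `hash 'sha1'`; consider dh-group 14 and sha256 where the Cisco spoke supports them, or at least a sentence saying these values were chosen for IOS interoperability, and a placeholder rather than `'secret'` and `'test123'` for the pre-shared key and NHRP secret. Finally, `registration-no-unique` is added to the hub although the reference text in the first hunk describes it as a client-side flag; if it has no effect on the NHS it should be dropped from the hub example so readers do not think it is required there.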
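Review bot: in the third hunk (@@ -231,105 +263,160 @@), the "Monitoring on Spokes" block has no blank line between `.. code-block:: none` and `vyos@vyos:~$ show ip nhrp cache`, so Sphinx will treat the output lines as directive arguments, report an error and not render the block; insert an empty line after the directive as the other code-blocks do. In the Cisco-Spoke-3 block, `crypto isakmp key secret address 0.0.0.0` replaces the old keyring and isakmp-profile that matched only the hub's address; with `shortcut` on the VyOS spokes and `ip nhrp redirect` on the Cisco spoke the spokes now negotiate IPsec directly with each other, so the wildcard is needed, but the text should say so and point out that one PSK is shared by every node, and the run of bare `!` lines before `interface Tunnel100` looks like pasted-config residue and should be removed. Smaller points: the line "+ The individual spoke configurations only differ in interface IP addresses." carries a leading space, which RST renders as a block quote; "Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3" should read "Let's send ICMP packets from VyOS-Spoke-1 to Cisco-Spoke-3" to match the headings; and `set protocols static route 10.0.0.0/24 next-hop 10.0.0.100` on the spokes is the static stand-in for the routing-protocol announcement the first hunk asks for, which deserves a short sentence so readers know why it is there.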