From 0e7f0b6e099fb0bac9bab9343f7b5d08fee73dab Mon Sep 17 00:00:00 2001
From: aapostoliuk <a.apostoliuk@vyos.io>
Date: Thu, 16 Jan 2025 16:56:57 +0200
Subject: dmvpn: T2326: DMVPN Documentation for FRR NHRP implementation

DMVPN Documentation for FRR NHRP implementation.
---
 docs/_static/images/blueprint-dmvpn.png | Bin 26830 -> 29626 bytes
 docs/configuration/vpn/dmvpn.rst        | 433 +++++++++++++++++++-------------
 2 files changed, 260 insertions(+), 173 deletions(-)

diff --git a/docs/_static/images/blueprint-dmvpn.png b/docs/_static/images/blueprint-dmvpn.png
index b07c190d..85f189c1 100644
Binary files a/docs/_static/images/blueprint-dmvpn.png and b/docs/_static/images/blueprint-dmvpn.png differ
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 21df8cfd..e58eecbc 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -37,142 +37,175 @@ peers.
 Configuration
 *************
 
-* Please refer to the :ref:`tunnel-interface` documentation for the individual
-  tunnel related options.
+Tunnel interface configuration
+==============================
 
-* Please refer to the :ref:`ipsec` documentation for the individual IPSec
-  related options.
+NHRP never handles routing of prefixes itself. You need to run some real routing
+protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it
+establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going
+through extra nodes in NBMA GRE mesh.
+
+NHRP does route NHRP domain addresses individually using per-host prefixes.
+This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses
+a generic subnet route.
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret>
+To create NBMA GRE tunnel you might use the following:
 
-  Enables Cisco style authentication on NHRP packets. This embeds the secret
-  plaintext password to the outgoing NHRP packets. Incoming NHRP packets on
-  this interface are discarded unless the secret password is present. Maximum
-  length of the secret is 8 characters.
+.. code-block:: none
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> dynamic-map <address>
-  nbma-domain-name <fqdn>
+  set interfaces tunnel tun100 address '10.0.0.1/32'
+  set interfaces tunnel tun100 enable-multicast
+  set interfaces tunnel tun100 encapsulation 'gre'
+  set interfaces tunnel tun100 ip adjust-mss '1360'
+  set interfaces tunnel tun100 mtu '1400'
+  set interfaces tunnel tun100 parameters ip key '42'
+  set interfaces tunnel tun100 source-interface 'eth0'
 
-  Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)`
-  addresses of the next hop servers are defined in the domain name
-  nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry.
+* Please refer to the :ref:`tunnel-interface` documentation for the individual
+  tunnel related options.
 
-  Each dynamic NHS will get a peer entry with the configured network address
-  and the discovered NBMA address.
+  .. note:: The IP-address is assigned as host prefix to tunnel interface.
+    NHRP will automatically create additional host routes pointing to tunnel interface
+    when a connection with these hosts is established.
 
-  The first registration request is sent to the protocol broadcast address, and
-  the server's real protocol address is dynamically detected from the first
-  registration reply.
+The tunnel interface subnet prefix should be announced by routing protocol
+from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing
+protocol to decide which is the closest hub and determine the relay hub on
+prefix basis when direct tunnel is not established.
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> holding-time <timeout>
+NHRP protocol configuration
+==============================
 
-  Specifies the holding time for NHRP Registration Requests and Resolution
-  Replies sent from this interface or shortcut-target. The holdtime is specified
-  in seconds and defaults to two hours.
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> authentication <secret>
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> map cisco
+  Enables Cisco style authentication on NHRP packets. This embeds the
+  plaintext password to the outgoing NHRP packets. Maximum length of
+  the password is 8 characters.
 
-  If the statically mapped peer is running Cisco IOS, specify the cisco keyword.
-  It is used to fix statically the Registration Request ID so that a matching
-  Purge Request can be sent if NBMA address has changed. This is to work around
-  broken IOS which requires Purge Request ID to match the original Registration
-  Request ID.
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> holdtime <timeout>
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> map nbma-address <address>
+  Holdtime is the number of seconds that have to pass before stopping to
+  advertise an NHRP NBMA address as valid. It also controls how often NHRP
+  registration requests are sent. By default registrations are sent every
+  one third of the holdtime
 
-  Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast
-  multiple-access network)` address.
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> map tunnel-ip <tunnel-ip>
+  nbma <nbma-ip>
 
-  If the IP prefix mask is present, it directs opennhrp to use this peer as a
-  next hop server when sending Resolution Requests matching this subnet.
+  * **tunnel-ip** - Tunnel ip address in format **x.x.x.x**.
+  * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local**
 
-  This is also known as the HUBs IP address or FQDN.
+  Map an IP address of a station to the station’s NBMA address.
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> map register
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> mtu <mtu>
 
-  The optional parameter register specifies that Registration Request should be
-  sent to this peer on startup.
+  Configure NHRP advertised MTU.
 
-  This option is required when running a DMVPN spoke.
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <nbma-ip>
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <dynamic | nhs>
+  * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic**
 
-  Determines how opennhrp daemon should soft switch the multicast traffic.
-  Currently, multicast traffic is captured by opennhrp daemon using a packet
-  socket, and resent back to proper destinations. This means that multicast
-  packet sending is CPU intensive.
+  Sends multicast packets to the specified NBMA address. If dynamic is specified
+  then destination NBMA address (or addresses) are learnt dynamically.
 
-  Specfying nhs makes all multicast packets to be repeated to each statically
-  configured next hop.
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> network-id <network-id>
 
-  Synamic instructs to forward to all peers which we have a direct connection
-  with. Alternatively, you can specify the directive multiple times for each
-  protocol-address the multicast traffic should be sent to.
+  * **network-id** - NHRP network id <1-4294967295>
 
-  .. warning:: It is very easy to misconfigure multicast repeating if you have
-    multiple NHSes.
+  Enable NHRP on this interface and set the interface’s network ID. The network ID
+  is used to allow creating multiple nhrp domains on a router when multiple interfaces
+  are configured on the router. Interfaces configured with the same ID are part of the
+  same logical NBMA network. The ID is a local only parameter and is not sent to other
+  NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are
+  received on an interface they are assigned to the local NHRP domain for that interface.
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> non-caching
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> nhs tunnel-ip <tunnel-ip> nbma <nbma-ip>
 
-   Disables caching of peer information from forwarded NHRP Resolution Reply
-   packets. This can be used to reduce memory consumption on big NBMA subnets.
+  * **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic**
+  * **nbma-ip** - NBMA ip address in format **x.x.x.x**
 
-  .. note:: Currently does not do much as caching is not implemented.
+  Configure the Next Hop Server address and its NBMA address. If dynamic is specified
+  then Next Hop Server can have dynamic address which maps to its NBMA address.
 
 .. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect
 
-  Enable sending of Cisco style NHRP Traffic Indication packets. If this is
-  enabled and opennhrp detects a forwarded  packet, it will send a message to
-  the original sender of the packet instructing it to create a direct connection
-  with the destination. This is basically a protocol independent equivalent of
-  ICMP redirect.
+  This enable redirect replies on the NHS similar to ICMP redirects except this is
+  managed by the nhrp protocol. This setting allows spokes to communicate with each
+  others directly.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> registration-no-unique
+
+  Allow the client to not set the unique flag in the NHRP packets. This is useful when
+  a station has a dynamic IP address that could change over time.
 
 .. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut
 
-  Enable creation of shortcut routes.
+  Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly
+  after establishing a connection without going through the hub.
+
+IPSEC configuration
+==============================
+
+* Please refer to the :ref:`ipsec` documentation for the individual IPSec
+  related options.
+
+.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action'
+  parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action'
+  always is set to 'clear'.
+
+.. cfgcmd:: set vpn ipsec profile <profile-name> authentication mode pre-shared-secret
+
+  Set preshared secret mode authentication
+
+.. cfgcmd:: set vpn ipsec profile <profile-name> authentication pre-shared-secret <secret>
+
+  Set preshared secret
+
+.. cfgcmd:: set vpn ipsec profile <profile-name> bind tunnel <tunnel name>
+
+  Bind IPSEC profile to the specific tunnel interface.
+
+.. cfgcmd:: set vpn ipsec profile <profile-name> esp-group 'ESP-HUB'
 
-  A received NHRP Traffic Indication will trigger the resolution and
-  establishment of a shortcut route.
+  Map ESP group to IPSEC profile
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-destination
+.. cfgcmd:: set vpn ipsec profile <profile-name> ike-group 'IKE-HUB'
 
-  This instructs opennhrp to reply with authorative answers on NHRP Resolution
-  Requests destinied to addresses in this interface (instead of forwarding the
-  packets). This effectively allows the creation of shortcut routes to subnets
-  located on the interface.
+  Map IKE group to IPSEC profile
 
-  When specified, this should be the only keyword for the interface.
+**********
+Monitoring
+**********
+.. opcmd:: show ip nhrp cache
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address>
+  Forwarding cache information.
 
-  Defines an off-NBMA network prefix for which the GRE interface will act as a
-  gateway. This an alternative to defining local interfaces with
-  shortcut-destination flag.
+.. opcmd:: show ip nhrp nhs
 
-.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address>
-  holding-time <timeout>
+  Next hop server information.
 
-  Specifies the holding time for NHRP Registration Requests and Resolution
-  Replies sent from this interface or shortcut-target. The holdtime is specified
-  in seconds and defaults to two hours.
+.. opcmd:: show ip nhrp shortcut
+
+  Shortcut information.
 
 *******
 Example
 *******
 
-
-This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as
-multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual
-Environment NG)`.
+This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as
+multiple spoke sites.
 
 .. figure:: /_static/images/blueprint-dmvpn.png
-   :alt: DMVPN network
+   :width: 70%
+   :align: center
+   :alt: DMVPN Network Topology Diagram
+
 
-   DMVPN example network
+   DMVPN Network Topology Diagram
 
-Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29.
+Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24.
 
-The below referenced IP address `192.0.2.1` is used as example address
+The below referenced IP address `192.168.0.2` is used as example address
 representing a global unicast address under which the HUB can be contacted by
 each and every individual spoke.
 
@@ -183,47 +216,46 @@ Configuration
 
 Hub
 ---
+VyOS-HUB-1
+^^^^^^^^^^
 
 .. code-block:: none
 
-  set interfaces ethernet eth0 address 192.0.2.1/24
+  set interfaces ethernet eth0 address '192.168.0.2/30'
 
-  set interfaces tunnel tun100 address '172.16.253.134/29'
-  set interfaces tunnel tun100 encapsulation 'gre'
-  set interfaces tunnel tun100 source-address '192.0.2.1'
+  set interfaces tunnel tun100 address '10.0.0.100/32'
   set interfaces tunnel tun100 enable-multicast
-  set interfaces tunnel tun100 parameters ip key '1'
+  set interfaces tunnel tun100 encapsulation 'gre'
+  set interfaces tunnel tun100 parameters ip key '42'
+  set interfaces tunnel tun100 source-interface 'eth0'
 
-  set protocols nhrp tunnel tun100 cisco-authentication 'secret'
-  set protocols nhrp tunnel tun100 holding-time '300'
+  set protocols nhrp tunnel tun100 authentication 'test123'
+  set protocols nhrp tunnel tun100 holdtime '300'
   set protocols nhrp tunnel tun100 multicast 'dynamic'
+  set protocols nhrp tunnel tun100 network-id '1'
   set protocols nhrp tunnel tun100 redirect
-  set protocols nhrp tunnel tun100 shortcut
+  set protocols nhrp tunnel tun100 registration-no-unique
+
+  set protocols static route 0.0.0.0/0 next-hop 192.168.0.1
 
   set vpn ipsec esp-group ESP-HUB lifetime '1800'
   set vpn ipsec esp-group ESP-HUB mode 'transport'
   set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
   set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
   set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
-  set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
-  set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
   set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
   set vpn ipsec ike-group IKE-HUB lifetime '3600'
   set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
   set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
   set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
-  set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
-  set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
-  set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
-
   set vpn ipsec interface 'eth0'
-
   set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
   set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
   set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
   set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
   set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
 
+
 .. note:: Setting this up on AWS will require a "Custom Protocol Rule" for
   protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC
   Network ACL, and secondly on the security group network ACL attached to the
@@ -231,105 +263,160 @@ Hub
   the AWS Marketplace. (Locate the correct VPC and security group by navigating
   through the details pane below your EC2 instance in the AWS console).
 
-Spoke
------
+Spokes
+------
 
-The individual spoke configurations only differ in the local IP address on the
-``tun10`` interface. See the above diagram for the individual IP addresses.
+ The individual spoke configurations only differ in interface IP addresses.
 
-spoke01-spoke04
-^^^^^^^^^^^^^^^
+VyOS-Spoke-1 and VyOS-Spoke-2
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+  set interfaces ethernet eth0 address '192.168.1.2/30'
+
+  set interfaces tunnel tun100 address '10.0.0.1/32'
+  set interfaces tunnel tun100 enable-multicast
+  set interfaces tunnel tun100 encapsulation 'gre'
+  set interfaces tunnel tun100 parameters ip key '42'
+  set interfaces tunnel tun100 source-interface 'eth0'
+
+  set protocols nhrp tunnel tun100 authentication 'test123'
+  set protocols nhrp tunnel tun100 holdtime '300'
+  set protocols nhrp tunnel tun100 multicast 'dynamic'
+  set protocols nhrp tunnel tun100 network-id '1'
+  set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2'
+  set protocols nhrp tunnel tun100 registration-no-unique
+  set protocols nhrp tunnel tun100 shortcut
+
+  set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
+  set protocols static route 10.0.0.0/24 next-hop 10.0.0.100
+
+  set vpn ipsec esp-group ESP-HUB lifetime '1800'
+  set vpn ipsec esp-group ESP-HUB mode 'transport'
+  set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
+  set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
+  set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
+  set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
+  set vpn ipsec ike-group IKE-HUB lifetime '3600'
+  set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
+  set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
+  set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
+  set vpn ipsec interface 'eth0'
+  set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+  set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
+  set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
+  set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
+  set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+
+Cisco-Spoke-3
+^^^^^^^^^^^^^
 
 .. code-block:: none
 
-  crypto keyring DMVPN
-    pre-shared-key address 192.0.2.1 key secret
-  !
   crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
-  crypto isakmp invalid-spi-recovery
-  crypto isakmp keepalive 30 30 periodic
-  crypto isakmp profile DMVPN
-     keyring DMVPN
-     match identity address 192.0.2.1 255.255.255.255
+   lifetime 3600
+  crypto isakmp key secret address 0.0.0.0
+  !
   !
-  crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
+  crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac
    mode transport
   !
-  crypto ipsec profile DMVPN
-   set security-association idle-time 720
-   set transform-set DMVPN-AES256
-   set isakmp-profile DMVPN
+  crypto ipsec profile DMVPNPROFILE
+   set security-association lifetime seconds 1800
+   set transform-set DMVPNESP
+   set pfs group2
+  !
   !
-  interface Tunnel10
-   ! individual spoke tunnel IP must change
-   ip address 172.16.253.129 255.255.255.248
+  !
+  !
+  !
+  !
+  !
+  interface Tunnel100
+   ip address 10.0.0.3 255.255.255.0
    no ip redirects
-   ip nhrp authentication secret
-   ip nhrp map 172.16.253.134 192.0.2.1
-   ip nhrp map multicast 192.0.2.1
+   ip nhrp authentication test123
+   ip nhrp map multicast dynamic
    ip nhrp network-id 1
-   ip nhrp holdtime 600
-   ip nhrp nhs 172.16.253.134
-   ip nhrp registration timeout 75
-   tunnel source FastEthernet0/0
+   ip nhrp holdtime 300
+   ip nhrp nhs 10.0.0.100 nbma 192.168.0.2
+   ip nhrp registration no-unique
+   ip nhrp redirect
+  tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
-   tunnel protection ipsec profile DMVPN
-   tunnel key 1
+   tunnel key 42
+   tunnel protection ipsec profile DMVPNPROFILE
+  !
+  interface GigabitEthernet0/0
+   ip address 192.168.3.2 255.255.255.252
+   duplex auto
+   speed auto
+   media-type rj45
   !
-  interface FastEthernet0/0
-   ip address dhcp
-   duplex half
+  ip route 0.0.0.0 0.0.0.0 192.168.3.1
 
 
-spoke05
-^^^^^^^
+Monitoring DMVPN Network
+^^^^^^^^^^^^^^^^^^^^^^^^
 
-VyOS can also run in DMVPN spoke mode.
+Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3
 
 .. code-block:: none
 
-  set interfaces ethernet eth0 address 'dhcp'
+  vyos@vyos:~$ ping 10.0.0.3
+  PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
+  64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms
+  64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms
+  ^C
+  --- 10.0.0.3 ping statistics ---
+  2 packets transmitted, 2 received, 0% packet loss, time 1002ms
+  rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms
 
-  set interfaces tunnel tun100 address '172.16.253.133/29'
-  set interfaces tunnel tun100 source-address 0.0.0.0
-  set interfaces tunnel tun100 encapsulation 'gre'
-  set interfaces tunnel tun100 enable-multicast
-  set interfaces tunnel tun100 parameters ip key '1'
+Monitoring on HUB
+^^^^^^^^^^^^^^^^^
 
-  set protocols nhrp tunnel tun100 cisco-authentication 'secret'
-  set protocols nhrp tunnel tun100 holding-time '300'
-  set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1'
-  set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
-  set protocols nhrp tunnel tun100 multicast 'nhs'
-  set protocols nhrp tunnel tun100 redirect
-  set protocols nhrp tunnel tun100 shortcut
+.. code-block:: none
 
-  set vpn ipsec esp-group ESP-HUB lifetime '1800'
-  set vpn ipsec esp-group ESP-HUB mode 'transport'
-  set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
-  set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
-  set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
-  set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
-  set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
-  set vpn ipsec ike-group IKE-HUB close-action 'none'
-  set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
-  set vpn ipsec ike-group IKE-HUB lifetime '3600'
-  set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
-  set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
-  set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
-  set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
-  set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
-  set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
+  vyos@vyos:~$ show ip nhrp cache
+  Iface    Type     Protocol                 NBMA                     Claimed NBMA             Flags  Identity
+  tun100   dynamic  10.0.0.1                 192.168.1.2              192.168.1.2               T     192.168.1.2
+  tun100   dynamic  10.0.0.3                 192.168.3.2              192.168.3.2               T     192.168.3.2
+  tun100   dynamic  10.0.0.2                 192.168.2.2              192.168.2.2               T     192.168.2.2
+  tun100   local    10.0.0.100               192.168.0.2              192.168.0.2                     -
 
-  set vpn ipsec interface 'eth0'
+  vyos@vyos:~$ show vpn ipsec sa
+  Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
+  --------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
+  dmvpn-NHRPVPN-tun100-child  up       3m46s     230B/270B       2/2               192.168.1.2       192.168.1.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
+  dmvpn-NHRPVPN-tun100-child  up       5m48s     460B/540B       4/4               192.168.2.2       192.168.2.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
+  dmvpn-NHRPVPN-tun100-child  up       16m26s    1K/1K           13/12             192.168.3.2       192.168.3.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
 
-  set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
-  set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
-  set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
-  set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
-  set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+Monitoring on Spokes
+^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: none
 
+  vyos@vyos:~$ show ip nhrp cache
+  Iface    Type     Protocol                 NBMA                     Claimed NBMA             Flags  Identity
+  tun100   local    10.0.0.1                 192.168.1.2              192.168.1.2                     -
+  tun100   dynamic  10.0.0.3                 192.168.3.2              192.168.3.2               T     192.168.3.2
+  tun100   nhs      10.0.0.100               192.168.0.2              192.168.0.2               T     192.168.0.2
+
+  vyos@vyos:~$ show ip nhrp nhs
+  Iface    FQDN                     NBMA             Protocol
+  tun100   192.168.0.2              192.168.0.2      10.0.0.100
+
+  vyos@vyos:~$ show ip nhrp shortcut
+  Type     Prefix                   Via                      Identity
+  dynamic  10.0.0.3/32              10.0.0.3                 192.168.3.2
+
+  vyos@vyos:~$ show vpn ipsec sa
+  Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
+  --------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
+  dmvpn-NHRPVPN-tun100-child  up       6m43s     898B/695B       7/6               192.168.0.2       192.168.0.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
+  dmvpn-NHRPVPN-tun100-child  up       49s       215B/187B       2/2               192.168.3.2       192.168.3.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
 