Re: [opennhrp-devel] Quagga-NHRP
From: John M. <jo...@zi...> - 2016-06-07 18:28:25
Peter,

At least with Cisco hubs this is standard behaviour. There is no way for NHRP to disambiguate between two different IPSec peers that have the same global address. In theory, if the source ports were NATed it might be possible to use that; Cisco doesn't, and I don't believe that opennhrp can either.

Sorry, hope that someone else has a workaround,

-JohnF

On Tue, Jun 7, 2016 at 12:50 PM, <pb...@ne...> wrote:
> After figuring out my issue and DMVPN working as expected in my lab, I
> decided to increase the complexity to real world situations by putting one
> spoke behind a firewall and relying on NAT. This still worked perfectly and
> ipsec tunnels connected with no issue. However, when I placed the second
> spoke behind a firewall with NAT I have not been able to complete the ipsec
> tunnel connection. Before I start providing configurations and logs I was
> wondering if there was a simple answer to this. I have searched strongswan
> forums and opennhrp and have found nothing to tell me that this should or
> should not work.
>
> Thanks,
>
> --
> Peter Barton
>
> --------- Original Message ---------
> Subject: Re: [opennhrp-devel] Quagga-NHRP
> From: pb...@ne...
> Date: 5/28/16 9:38 am
> To: "Timo Teras" <tim...@ik...>
> Cc: ope...@li...
>
> I figured out my problem: I assumed that since "ip forwarding" was set inside
> "vtysh" that it was also set for sysctl. I set net.ipv4.ip_forward=1 and
> everything started working!
>
> Thanks for the great product!
>
> --
> Peter Barton
>
> --------- Original Message ---------
> Subject: Re: [opennhrp-devel] Quagga-NHRP
> From: "Timo Teras" <tim...@ik...>
> Date: 5/27/16 12:17 am
> To: pb...@ne...
> Cc: ope...@li...
>
> On Thu, 26 May 2016 20:14:49 -0700
> pb...@ne... wrote:
>
>> I emailed this to the quagga-users list but I was not sure where you
>> would want it so I copied it here as well.
>>
>> I have been working through the Dynamic Multipoint VPN (DMVPN) Phase 3
>> with Quagga NHRPd and I have successfully configured a Hub and 2
>> Spokes. I am able to nail up two IPSEC encrypted GRE tunnels between
>> Spoke1 -> Hub and Spoke2 -> Hub. BGP is sharing all routes between
>> all 3 points. However, when I attempt to connect between
>> Spoke1-Spoke2 Phase 3 never occurs and no direct tunnel is even
>> attempted to connect.
>
> Did you configure the iptables rule on hub required for the redirect
> notifications?
>
> See:
> http://git.alpinelinux.org/cgit/user/tteras/quagga/tree/nhrpd/README.nhrpd?h=nhrp#n85
>
> _______________________________________________
> opennhrp-devel mailing list
> ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opennhrp-devel