Re: [opennhrp-devel] Errors when testing OpenNHRP
From: Jon C. <sup...@gm...> - 2017-02-03 19:55:11
ok only worked when I hardcoded the IPs into the script.

3.3.3.254 hub >>>> 5.5.5.254 spoke

When I put the vars back it screws up :( It seems to be pulling the
wrong IPs maybe into those vars and stopping the script working? Not sure
why though! Any ideas? :)

Cheers,
Jon.

auto eth0
iface eth0 inet static
    address 3.3.3.254
    netmask 255.255.255.0
    gateway 3.3.3.1
    dns-nameservers 8.8.8.8

auto gre1
iface gre1 inet static
    pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
    address 172.16.1.1
    netmask 255.255.0.0
    post-down ip tunnel del $IFACE || true
    #up ip rule add lookup nhrp_shortcut pref 11000
    #up ip rule add lookup quagga pref 11001
    #up ip rule add lookup nhrp_mtu pref 11999

AlpineHUB:/etc/opennhrp#
AlpineHUB:/etc/opennhrp# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 3.3.3.254
    netmask 255.255.255.0
    gateway 3.3.3.1
    dns-nameservers 8.8.8.8

auto gre1
iface gre1 inet static
    pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
    address 172.16.1.1
    netmask 255.255.0.0
    post-down ip tunnel del $IFACE || true
    #up ip rule add lookup nhrp_shortcut pref 11000
    #up ip rule add lookup quagga pref 11001
    #up ip rule add lookup nhrp_mtu pref 11999
AlpineHUB:/etc/opennhrp#

Hub opennhrp.conf

interface gre1
    route-table 44
    shortcut
    redirect
    non-caching

interface lo
    shortcut-destination

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 5.5.5.254
    netmask 255.255.255.0
    gateway 5.5.5.1
    dns-nameservers 8.8.8.8

auto eth1
iface eth1 inet static
    address 10.10.10.1
    netmask 255.255.255.0

auto gre1
iface gre1 inet static
    pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
    address 172.16.1.10
    netmask 255.255.0.0
    post-down ip tunnel del $IFACE || true

On Fri, 3 Feb 2017 at 19:31 Jon Clayton <sup...@gm...> wrote:
> Ok sort of got it working now, wangled the script a bit, I've pinged the
> spoke finally!
>
>
> On Fri, 3 Feb 2017 at 15:32 Jon Clayton <sup...@gm...> wrote:
>
> Public IP of Spoke: 5.5.5.254
> Public IP of Hub: 3.3.3.254
>
> echo `racoonctl get-cert inet 5.5.5.254 3.3.3.254 | openssl x509
> -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]
> *(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^ returns null
>
> echo `racoonctl get-cert inet 3.3.3.254 5.5.5.254 | openssl x509
> -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]
> *(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^^ returns a string
> GRE=172.16.1.10 AS=50001
>
> On Fri, 3 Feb 2017 at 15:13 Jon Clayton <sup...@gm...> wrote:
>
> Hi again,
>
> Is there a way I can view what it's pulling into these variables? $NHRP_SRCNBMA
> $NHRP_DESTNBMA
>
> I think it's rejecting as it's not getting a match on the string, but when
> I manually run the command with what I think should be correct IPs it does
> return a match, also I had to modify the script to match my cert fields
> I put the information in CN=.
>
> CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl
> x509 -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o
> "CN=[^/]*(/[0-9]+)?" | cut
>
> Cheers!
> Jon.
>
>
> On Fri, 3 Feb 2017 at 09:30 Jon Clayton <sup...@gm...> wrote:
>
> Hi Timo,
>
> Thanks for that. So I will re-do my certs with the relevant information
> embedded in them (GRE IP and AS number), and see where I get up to.
>
> Cheers!
>
> Jon.
>
>
> On Fri, 3 Feb 2017 at 06:18 Timo Teras <tim...@ik...> wrote:
>
> On Thu, 02 Feb 2017 23:23:05 +0000
> Jon Clayton <sup...@gm...> wrote:
>
> > I followed the instructions here :
> > https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)
> >
> > I'm firstly getting error messages when it's trying to register
> >
> > opennhrp[1917]: Sending Registration Request to 172.16.0.0 (my mtu=0)
> > Feb 2 23:06:51 SpokeWest daemon.info opennhrp[1917]: Received
> > Registration Reply from 172.16.1.1: administratively prohibited
>
> The hub rejected the registration. Due to opennhrp-script.
>
> > On hub:
> >
> > Feb 2 23:06:51 AlpineHUB daemon.info opennhrp[2029]: Received
> > Registration Request from proto src 172.16.1.10 to 172.16.1.1
> > Feb 2 23:06:51 AlpineHUB auth.err opennhrp-script: GRE registration
> > of 172.16.1.10 to 5.5.5.254 DENIED
>
> Pretty clear, opennhrp-script denied it.
>
> > The hub is 172.16.1.1 gre address and the spoke is 172.16.1.10 ...
> > subnet is /16
> >
> > The public "internet" facing address of hub is 3.3.3.254
> > the public facing address of spoke is 5.5.5.254
> >
> >
> > I'm using some certs that I generated with PFsense which I have used
> > for openvpn and the tunnel seems to be coming up as far as I can tell
> > with racoon as I can see what looks like an SA.
> >
> > When I look at the hub opennhrp-script, it seems to be running
> > through a check for OU= and AS= embedded within the certificate? If
> > this is the case, then I'm pretty sure the Certs will not have this
> > info in them as I just generated bog standard x509 certs with the
> > usual info in them (location, department...)? ... Doesn't mention it
> > on the instructions re: embedding some kind of ID in the cert?
>
> Correct. The script has:
>
> CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA |
> openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" |
> cut -b 5-`
> if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
>     logger -t opennhrp-script -p auth.err "GRE registration of
> $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
>     exit 1
> fi
>
> Which expects that there's in subject name a field like
> "OU=GRE=172.16.x.x". The intention is that there's a GRE address
> binding in the certificate, making sure that no other hub 'steals'
> GRE addresses it's not supposed to have.
>
> You can comment these lines if you don't want to have this enforcement.
>
> The script also assumes other fields in the certificate to do automatic
> BGP configuration. You may need to adjust those parts too.
>
> > Also if I delete/comment that section, it gets a bit further but then
> > says failed exitstatus 2
> >
> > I'm pretty confused it has done this in two setups as I started from
> > scratch but still not getting anywhere with it :(
> >
> > Is anyone able to help? I'm probably doing something daft, but I've
> > spent ages on it now and I'm going round in circles.
>
> Cheers,
> Timo
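The OU=GRE=... binding check Timo describes above, reworked as an added example that is not OpenNHRP's own opennhrp-script: it runs the same subject-field extraction over constructed subject lines (slash-separated, as `openssl x509 -text` prints them) and compares the binding exactly, because `grep "^GRE=$NHRP_DESTADDR"` is an unanchored prefix match with `.` as a wildcard, so a certificate bound to 172.16.1.10 also satisfies a check for 172.16.1.1. The subjects and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not OpenNHRP's opennhrp-script. It reproduces the
# certificate-to-GRE-address binding check on constructed input and shows
# why the comparison should be exact rather than a prefix grep.

# Constructed sample subjects in the slash-separated form that
# "openssl x509 -text -noout" prints (no real certificates involved).
SUBJ_SPOKE='Subject: C=GB/O=Example/OU=GRE=172.16.1.10/CN=spoke-west'
SUBJ_NOBIND='Subject: C=GB/O=Example/OU=Network/CN=spoke-east'

# Same extraction as the script: take the OU field (with an optional
# /prefix-length suffix), strip the leading "/OU=", keep only a GRE= binding.
# Reads the subject text on stdin; prints e.g. "GRE=172.16.1.10" or nothing.
gre_from_subject() {
    grep -Eo '/OU=[^/]*(/[0-9]+)?' | cut -b 5- | grep '^GRE=' | head -n 1
}

# The test as the script writes it: $2 is NHRP_DESTADDR, the GRE address
# the spoke asks to register. "^GRE=$2" is unanchored at the end and treats
# '.' as a wildcard, so 172.16.1.1 also matches a GRE=172.16.1.10 binding.
prefix_style_check() {
    binding=$(printf '%s\n' "$1" | gre_from_subject)
    [ -n "$(printf '%s\n' "$binding" | grep "^GRE=$2")" ]
}

# Exact comparison: the binding (minus any /prefix-length) must equal the
# requested address as a whole string. Returns 0 to allow, 1 to deny.
check_gre_binding() {
    binding=$(printf '%s\n' "$1" | gre_from_subject)
    [ -n "$binding" ] && [ "${binding%%/*}" = "GRE=$2" ]
}

# Print both verdicts for one registration attempt.
report() {
    if check_gre_binding "$1" "$2"; then exact=allowed; else exact=DENIED; fi
    if prefix_style_check "$1" "$2"; then old=allowed; else old=DENIED; fi
    echo "register $2 with [$1]: exact=$exact prefix-grep=$old"
}

# The cases from the thread: a correct registration, a registration for an
# address the certificate is not bound to, and a bog-standard certificate
# carrying no GRE binding at all.
report "$SUBJ_SPOKE" 172.16.1.10
report "$SUBJ_SPOKE" 172.16.1.1
report "$SUBJ_NOBIND" 172.16.1.10
```

The second line of output is the one to watch: the prefix grep allows 172.16.1.1 against a certificate bound to 172.16.1.10, the exact compare denies it.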