Re: [opennhrp-devel] Errors when testing OpenNHRP

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

ok only worked when i hardcoded the IP's into the script.

3.3.3.254 hub >>>>  5.5.5.254  spoke

When I put the vars back it screws up :(

It seems to being pulling the wrong IP's maybe into those vars and stopping
the script working?  Not sure why though!
Any ideas? :)
Cheers,
Jon.

auto eth0
iface eth0 inet static
address 3.3.3.254
netmask 255.255.255.0
gateway 3.3.3.1
dns-nameservers 8.8.8.8

auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 ||
true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
#up ip rule add lookup nhrp_shortcut pref 11000
#up ip rule add lookup quagga pref 11001
#up ip rule add lookup nhrp_mtu pref 11999
AlpineHUB:/etc/opennhrp#

    AlpineHUB:/etc/opennhrp# cat /etc/network/interfaces

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
            address 3.3.3.254
            netmask 255.255.255.0
            gateway 3.3.3.1
            dns-nameservers 8.8.8.8

    auto gre1
    iface gre1 inet static
          pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key
12.34.56.78 || true
          address 172.16.1.1
          netmask 255.255.0.0
          post-down ip tunnel del $IFACE || true
          #up ip rule add lookup nhrp_shortcut pref 11000
          #up ip rule add lookup quagga pref 11001
          #up ip rule add lookup nhrp_mtu pref 11999

    AlpineHUB:/etc/opennhrp#

Hub opennhrp.conf

    interface gre1
      route-table 44
      shortcut
      redirect
      non-caching

    interface lo
      shortcut-destination

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
            address 5.5.5.254
            netmask 255.255.255.0
            gateway 5.5.5.1
            dns-nameservers 8.8.8.8

    auto eth1
    iface eth1 inet static
            address 10.10.10.1
            netmask 255.255.255.0

    auto gre1
    iface gre1 inet static
          pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key
12.34.56.78 || true
          address 172.16.1.10
          netmask 255.255.0.0
          post-down ip tunnel del $IFACE || true

On Fri, 3 Feb 2017 at 19:31 Jon Clayton <sup...@gm...> wrote:

> Ok sort of got it working now, wangled the script a bit, I've pinged the
> spoke finally!
>
>
> On Fri, 3 Feb 2017 at 15:32 Jon Clayton <sup...@gm...> wrote:
>
> Public IP of Spoke: *5.5.5.254 *
> Public IP of Hub: *3.3.3.254*
>
> echo `racoonctl get-cert inet *5.5.5.254* *3.3.3.254* | openssl x509
> -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]
> *(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^ returns null
>
> echo `racoonctl get-cert inet *3.3.3.254 5.5.5.254* | openssl x509
> -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o "CN=[^/]
> *(/[0-9]+)?" | cut -b 4- | grep "^GRE=172.16.1"`
> ^^^ returns a string
> *GRE=172.16.1.10 AS=50001*
>
> On Fri, 3 Feb 2017 at 15:13 Jon Clayton <sup...@gm...> wrote:
>
> Hi again,
>
> Is there a way I can view what it's pulling into these variables?  *$NHRP_SRCNBMA
> $NHRP_DESTNBMA*
>
> I think its rejecting as its not getting a match on the string,  but when
> i manually run the command with what I think should be correct IP's it *does
> *return a match, also i had to modify the script to match my cert fields
> I put the information in CN=.
>
>  CERT=`racoonctl get-cert inet* $NHRP_SRCNBMA $NHRP_DESTNBMA *| openssl
> x509 -inform der -text -noout | awk "/CN=/{i++}i==2" | egrep -o
> "CN=[^/]*(/[0-9]+)?" | cut
>
> Cheers!
> Jon.
>
>
> On Fri, 3 Feb 2017 at 09:30 Jon Clayton <sup...@gm...> wrote:
>
> Hi Timo,
>
> Thanks for that.  So I will re-do my certs with the relevant information
> embedded in them (GRE IP and AS number), and see where I get up to.
>
> Cheers!
>
> Jon.
>
>
> On Fri, 3 Feb 2017 at 06:18 Timo Teras <tim...@ik...> wrote:
>
> On Thu, 02 Feb 2017 23:23:05 +0000
> Jon Clayton <sup...@gm...> wrote:
>
> > I followed the instructions here :
> > https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)
> >
> > I'm firstly getting error messages when its trying to register
> >
> > opennhrp[1917]: Sending Registration Request to 172.16.0.0 (my mtu=0)*
> > *Feb  2 23:06:51 SpokeWest daemon.info <http://daemon.info>
> > opennhrp[1917]: Received Registration Reply from 172.16.1.1
> > <http://172.16.1.1>: administratively prohibited*
>
> The hub rejected the registration. Due to opennhrp-script.
>
> > On hub:
> >
> > Feb  2 23:06:51 AlpineHUB daemon.info opennhrp[2029]: Received
> > Registration Request from proto src 172.16.1.10 to 172.16.1.1
> > Feb  2 23:06:51 AlpineHUB auth.err opennhrp-script: GRE registration
> > of 172.16.1.10 to 5.5.5.254 DENIED
>
> Pretty clear, opennhrp-script denied it.
>
> > The hub is 172.16.1.1 gre address and the spoke is 172.16.1.10 ...
> > subnet is /16
> >
> > The public "internet" facing address of hub is *3.3.3.254*
> > the public facing address of spoke is *5.5.5.254*
> >
> >
> > I'm using some certs that I generated with PFsense which i have used
> > for openvpn and the tunnel seems to be coming up as far as I can tell
> > with racoon as I can see what looks like an SA.
> >
> > When I look at the hub opennhrp-script, it seems to be running
> > through a check for OU= and AS= embedded within the certificate?   If
> > this is the case, then I'm pretty sure the Certs will not have this
> > info in them as I just generated bog standard x509 certs with the
> > usual info in them (location ,department...)? ...  Doesn't mention it
> > on the instructions re: embedding some kind of ID in the cert?
>
> Correct. The script has:
>
>         CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA |
> openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" |
> cut -b 5-`
>         if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
>                 logger -t opennhrp-script -p auth.err "GRE registration of
> $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
>                 exit 1
>         fi
>
> Which expects that there's in subject name a field like
> "OU=GRE=172.16.x.x". The intention is that there's an GRE address
> binding in the certificate, making it sure that no other hub 'steals'
> GRE addresses it's not supposed to have.
>
> You can comment these lines if you don't want to have this enforcement.
>
> The script also assumes other fields in the certificate to do automatic
> BGP configuration. You may need to adjust those parts too.
>
> > Also if I delete/comment that section, it gets a bit further but then
> > says failed exitstatus 2
> >
> > I'm pretty confused it has done this in two setups as I started from
> > scratch but still not getting anywhere with it :(
> >
> > Is anyone able to help?  I'm probably doing something daft, but I've
> > spent ages on it now and I'm going round in circles.
>
> Cheers,
> Timo
>
>