Using DMVPN with Linux

DMVPN is a very intelligent combination of IPsec, GRE and NHRP. Many Thanks to the Guys at Cisco, Christoph, Frederick and all other.

This week i discovered “opennhrp” on sourceforge.

It took me a minute or two to have a VM with debian up and the needed tools installed.

I used VMWare with a bridged ethernet interface for testing, installed debian 4.0 netinstall iso and upgraded to sid / testing, so i got Kernel Version 2.6.26-1-686.

Then downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. you have to install some libs and tools to build ipsec tools, like kernel headers and so on:-) and done some configure and make stuff.

I went to make opennhrp, well all done with out a problem to here.

Next i configured racoon and ipsec-tools and opennhrp like this:

   #!/usr/sbin/setkey -f
   spdadd gre -P out ipsec esp/transport//require;
   spdadd gre -P in ipsec esp/transport//require;

   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;

   /etc/racoon/psk.txt 1234

   interface gre1
      map register cisco
      cisco-authentication 1234

No get the Tunnel UP:

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add dev gre1
   ip tunnel change gre1 local
   ip link set gre1 up

Now its time to get on the other side.

We are using a Cisco 1812 with c181x-advsecurityk9-mz.124-15.T7.bin running.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   crypto isakmp key 1234 address
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   interface Tunnel888
      ip address
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and viola

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
   N - NATed, L - Local, X - No Socket
   # Ent --> Number of NHRP entries with same NBMA peer
   Tunnel888, Type:Hub, NHRP Peers:1,
   # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
   ----- --------------- --------------- ----- -------- -----
   1 UP never D

   Router# ping
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

this looks great:-)
Many thanks Timo for doing such a impressiv work. I like the cisco for they impressiv boxes and i also like opensource software.

— edit February 15, 2009 at 12:09 am —

I found after a while no packets traveling, the nhrp registration had gone on the cisco side may be holdtimers differ so added “holding-time 360″ to the opennhrp.conf , a opennhrpctl purge fixed the problem.


Thanks to Patrick

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s