NHRP

[zendulkaj]

I would like to use the NHRP / FRR implementation, but when I test the NHRP / FRR implementation, then the DMVPN does not work with Cisco (the openhrp implementation works in this configuration).

I noticed that some commands are not supported by NHRP / FRR, but by openhrp they are supported.
i.e. cisco-authentication.
https://sourceforge.net/p/opennhrp/code/ci/613277fda0f3a54e670e3e4b521adb82a6a5ed46/tree/nhrp/opennhrp.c#l257
This may be the reason why NHRP registration fails. See log below.
Or I missed something in nhrp configuration?

Some packets are sent via GRE/IPSEC but there is no answer from cisco:

gre1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.234.4 Mask:255.255.255.255
UP RUNNING MULTICAST MTU:1472 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:7360 (7.1 KB)

IPsec:

ipsec1: #32, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
installed 84s ago, rekeying in 2487s, expires in 3516s
in c8cbc95d, 0 bytes, 0 packets
out 4c892df5, 240 bytes, 2 packets, 52s ago
local 192.168.7.232/32[gre]
remote 85.xx.xx.xx/32[gre]

Cisco configuration:

interface Tunnel11
ip address 192.168.234.1 255.255.255.0
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1234
no ip nhrp record
no ip nhrp cache non-authoritative
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile ikev2
!

opennhrp configuration (works):

interface gre1
map 192.168.234.1/24 85.xx.xx.xx register
holding-time 60
cisco-authentication 1234
shortcut
redirect
non-caching

NHRP/FRR configuration:

frr version 7.5
frr defaults traditional
!
hostname Router
password test
enable password test
!
line vty
!
interface gre1
description DMVPN Tunnel Interface
ip nhrp network-id 1234
ip nhrp map 192.168.234.1/24 85.xx.xx.xx register
ip nhrp nhs dynamic nbma 85.xx.xx.xx
ip nhrp redirect
ip nhrp registration no-unique
ip nhrp shortcut
no ip nhrp record
no ip nhrp cache non-authoritative
tunnel protection vici profile ipsec1
tunnel source eth1
!
debug nhrp all

NHRP log:

2020-12-09 13:37:10 charon: 10[IKE] CHILD_SA ipsec1{28} established with SPIs c66b7ce6_i c08def2f_o and TS 192.168.7.232/32[gre] === 85.xx.xx.xx/32[gre]
2020-12-09 13:37:10 nhrpd[2683]: VICI: Message 7, 2686 bytes
2020-12-09 13:37:10 nhrpd[2683]: VICI: Event 'child-state-installed'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='14'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'version'='2'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='ESTABLISHED'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-host'='192.168.7.232'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-id'='client3@router'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'local-cert-data'='0‚^CČ0‚^B° ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TM0^M^F^I*†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-host'='85.xx.xx.xx'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-port'='4500'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-id'='server.cisco'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'remote-cert-data'='0‚^CÂ0‚^BŞ ^C^B^A^B^B^T)ľřŔľ“wő…äÉçĺi´±ţ¨TJ0^M^F^I*†H†÷^M^A^A^K^E'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'initiator-spi'='fba7706e5ada98c9'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'responder-spi'='3f09d4b20002b451'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-local'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'nat-any'='yes'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-alg'='AES_CBC'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'encr-keysize'='256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'integ-alg'='HMAC_SHA2_256_128'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'prf-alg'='PRF_HMAC_SHA2_256'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'dh-group'='MODP_2048'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'established'='0'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reauth-time'='2706'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'tasks-active'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'CHILD_CREATE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_AUTH_LIFETIME'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: 'IKE_MOBIKE'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'child-sas'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section start 'ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'name'='ipsec1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'uniqueid'='28'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'reqid'='1'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'state'='INSTALLING'
2020-12-09 13:37:10 nhrpd[2683]: VICI: Key 'mode'='TUNNEL'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'local-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '192.168.7.232/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: List start 'remote-ts'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List item: '85.xx.xx.xx/32[gre]'
2020-12-09 13:37:10 nhrpd[2683]: VICI: List end
2020-12-09 13:37:10 nhrpd[2683]: VICI: Section end
2020-12-09 13:37:10 last message repeated 2 times
2020-12-09 13:37:11 nhrpd[2683]: NHS: Flush timer for 85.xx.xx.xx
2020-12-09 13:37:11 nhrpd[2683]: NHS: Register 192.168.234.4 - 192.168.234.4 (timeout 16)
2020-12-09 13:37:11 nhrpd[2683]: Send Registration-Request(3) 192.168.234.4 - 192.168.234.4
2020-12-09 13:37:11 nhrpd[2683]: PACKET: Send 192.168.7.232 - 85.xx.xx.xx
2020-12-09 13:37:14 nhrpd[2683]: Netlink: Received msg_type 28, msg_flags 0
2020-12-09 13:37:14 zebra[1485]: netlink_parse_info: netlink-listen (NS 0) type RTM_NEWNEIGH(28), len=76, seq=0, pid=0
2020-12-09 13:37:14 zebra[1485]: ^INeighbor Entry received is not on a VLAN or a BRIDGE, ignoring

[qlyoung]

NHRP is in alpha at this time and we are looking for someone to maintain it. Can't make any guarantees about it working or not. I'll leave the issue open in case someone wants it.

[pguibert6WIND]

Did you try without nhrp authentication of cisco ?

[zendulkaj]

Do you know reason why some configuration items are missing in FRR/NHRP implementation (in comparison with opennrhp)?
The "cisco-authentication" is used in many Cisco configuration of DMVPN.

I am newbie in DMVPN and I have another question regarding NHRP flags (U, T, A) and DMVPN flags meaning in NHPR/DMVPN status (see bellow). So far I do not find any explanation what these flags exactly mean.

However, DMVPN (Cisco - FRR) works with this configuration:

Cisco:
!
interface Tunnel11
ip address 192.168.234.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1234
no ip nhrp record
no ip nhrp cache non-authoritative
ip ospf 1 area 0
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile profile_ikev2
!

FRR/NHRP.conf:
!
hostname Router
password test
enable password test
!
line vty
!
interface gre1
description DMVPN Tunnel Interface
ip nhrp holdtime 60
ip nhrp network-id 1234
ip nhrp nhs 192.168.234.1 nbma 85.xx.xx.xx
ip nhrp redirect
ip nhrp registration no-unique
ip nhrp shortcut
tunnel protection vici profile ipsec1
tunnel source usb0
!
debug nhrp all

Router# show ip nhrp
Iface Type Protocol NBMA Flags Identity
gre1 local 192.168.234.3 - -
gre1 nhs 192.168.234.1 85.xx.xx.xx UT server.cisco

Router# show ipv6 nhrp
% No entries

Router# show dmvpn
Src Dst Flags SAs Identity
89.xx.xx.x 85.xx.xx.xx n 1 server.cisco

[pguibert6WIND]

=> https://tools.ietf.org/html/rfc2332
described U,T,A flags

=> with opennhrp, you can use ospf, but not with frr.

=> I recomend you to look at current issues and pull requests using keyword nhrp, as there is some activity. for isntance, I think someone is looking at how to implement multicast traffic with frr over dmvpn.

[Jafaral]

@pguibert6WIND , Does opennhrp support mullticast ? how did they get ospf to work ?

[zendulkaj]

I looked into RFC for flags and I found

 A :     Authoritative bit 
 U:      Uniqueness bit.

But flags T is not mentioned there.

Yes, I noticed that FRR/NHRP does not support multicast so OSPF does not work.

[pguibert6WIND]

@pguibert6WIND , Does opennhrp support mullticast ? how did they get ospf to work ?

Opennhrp uses a userplan patch, that is to say that they interrupt all multicast packets and do a processing per multicast packet for each nhrp peer. I think this is not very perf, and I would prefer a kernel support for that.

[pguibert6WIND]

I looked into RFC for flags and I found

 A :     Authoritative bit 
 U:      Uniqueness bit.

But flags T is not mentioned there.

Yes, I noticed that FRR/NHRP does not support multicast so OSPF does not work.

T stands for timeout.
that means a timer is attached to the session.

[sarthurdev]

Is there any plan for adding support of cisco-authentication to nhrpd?

[xrpixer]

Bump.
+1 for this.

[maugli13]

Bump. "Nice to have" feature.
Will help with smooth migration from the existing DMVPN network

[gotthardp]

For your information, the cisco-authentication password was added in #16172