Introduction:
DMVPN (Dynamic Multipoint VPN) is a routing technique we can use to build a VPN network with multiple sites without having to statically configure all devices. It’s a “hub and spoke” network where the spokes will be able to communicate with each other directly without having to go through the hub. Encryption is supported through IPsec which makes DMVPN a popular choice for connecting different sites using regular Internet connections.
The Ursalink industrial router supports the DMVPN feature and works in client (spoke) mode. In this manual we show how to install the DMVPN server (hub) and then connect the Ursalink router (UR3X) to it.
Example:
UR Router IP: 192.168.22.225
DMVPN Hub: 192.168.5.251
GRE Hub IP 10.0.0.1
GRE tunnel IP: 10.0.0.XX (10.0.0.2-10.0.0.254)
GRE Key: 123456, Pre shared key: 123456
Here are the steps:
step1. log in to Ubuntu and execute: apt-get update
step2. install the racoon
root@Base:~# apt-get install racoon
step3: install ipsec-tools.
root@Base:~# apt-get install ipsec-tools
step4: install the build-essential.
root@Base:~# apt-get install build-essential
step5: install the libc-ares-dev
root@Base:~# apt-get install libc-ares-dev
step6: install the pkg-config
root@Base:~# apt-get install pkg-config
step7: Download opennhrp-0.14.1.tar.bz2 from the opennhrp download URL.
step8: Install opennhrp: tar -xjvf opennhrp-0.14.1.tar.bz2 && make && make install
root@Base:~# tar xjvf opennhrp-0.14.1.tar.bz2
root@Base:~/opennhrp-0.14.1# ls
AUTHORS contrib doc etc libev Makefile Make.rules man MIT-LICENSE.txt NEWS nhrp patches README TODO
root@Base:~/opennhrp-0.14.1# make
root@Base:~/opennhrp-0.14.1# make install
install -d /usr/sbin
install nhrp/opennhrp nhrp/opennhrpctl /usr/sbin
install -d /etc/opennhrp
install etc/opennhrp.conf etc/opennhrp-script etc/racoon-ph1down.sh etc/racoon-ph1dead.sh /etc/opennhrp
install -d /usr/share/man/man5 /usr/share/man/man8
install man/opennhrp.conf.5 /usr/share/man/man5
install man/opennhrp.8 man/opennhrpctl.8 man/opennhrp-script.8 /usr/share/man/man8
install -d /usr/share/doc/opennhrp
install README /usr/share/doc/opennhrp
Step9. Configure /etc/opennhrp/opennhrp.conf
root@Base:/etc/opennhrp# cat opennhrp.conf
# NHRP settings for the hub's tunnel; the interface name must match the
# GRE tunnel created by dmvpn.sh (gre1).
interface gre1
# Allow spoke-to-spoke shortcut routes instead of relaying all traffic
# through the hub (per opennhrp.conf(5)).
shortcut
# When the hub forwards a packet that could have taken a shortcut, tell
# the sender so it can resolve the destination spoke directly.
redirect
# Do not cache peer information learned from forwarded resolution
# replies.
non-caching
# NOTE(review): "multicast nhs" repeats multicast only to configured
# next-hop servers (per opennhrp.conf(5)); on the hub, which has no NHS
# entries, this presumably has no effect — confirm whether
# "multicast dynamic" is wanted if spokes need multicast from the hub.
multicast nhs
Step10. Configure /etc/racoon/racoon.conf
root@Base:/etc/racoon# cat racoon.conf
# Search path for included files.
path include "/etc/racoon/";
# Peer address -> pre-shared key map (see Step 11). Keep it mode 0600:
# racoon may refuse a key file that other users can read, and it holds
# every spoke's secret.
path pre_shared_key "/etc/racoon/psk.txt";
# Phase 1 (ISAKMP SA) settings, applied to any peer that has an entry in
# psk.txt.
remote anonymous {
exchange_mode main;
lifetime time 10800 seconds;
# We identify ourselves by IP address, so spokes are keyed by their IP
# in psk.txt as well.
my_identifier address;
# Dead peer detection: probe every 30 s, retry after 3 s without a
# reply, declare the peer dead after 6 consecutive failures.
dpd_delay 30;
dpd_retry 3;
dpd_maxfail 6;
nat_traversal on;
proposal {
# NOTE(review): single DES and DH group 1 (modp768) are considered weak
# today; prefer aes and modp1024 or stronger if the UR3X spoke offers
# the same proposal — confirm on the router's DMVPN page.
encryption_algorithm des;
hash_algorithm sha1;
dh_group modp768;
authentication_method pre_shared_key;
}
}
# Phase 2 (IPsec SA) settings for the GRE traffic selected by the
# policies in /etc/ipsec-tools.conf.
sainfo anonymous {
lifetime time 3600 seconds;
compression_algorithm deflate;
# NOTE(review): 3des uses a 64-bit block and is also considered weak;
# aes is preferable when the spoke supports it.
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
}
Step11. Configure /etc/racoon/psk.txt
root@Base:/etc/racoon# cat psk.txt
# IPv4/v6 addresses
# Spoke addresses and their keys: the UR router from the example
# (192.168.22.225) and what appears to be a second spoke (192.168.24.6)
# — confirm. 123456 is an example value only; use a long random key in
# production.
192.168.24.6 123456
192.168.22.225 123456
# NOTE(review): the entries below look like the sample lines shipped with
# the racoon package. Remove peers you do not use — every address listed
# here can complete phase 1 with the key shown — and keep this file
# mode 0600.
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
Step12. Configure the ipsec-tools.conf
root@Base:/# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Loaded by dmvpn.sh via "setkey -f". Start from a clean state:
# drop all security associations (SAD), then all policies (SPD).
flush;
spdflush;
# Require ESP in transport mode for every GRE packet this host sends or
# receives, whatever the addresses. This pair of rules is what forces the
# DMVPN tunnel traffic through IPsec; without them GRE would flow in
# cleartext. racoon negotiates the actual SAs on demand.
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
Step13. Create a script to start/stop the DMVPN
root@Base:/# cat dmvpn.sh
#!/bin/sh
start_nhrp() {
  # Bring up the NHRP daemon. -d detaches it into the background; by
  # default it reads /etc/opennhrp/opennhrp.conf (installed in Step 8,
  # edited in Step 9).
  opennhrp -d
}
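stop_nhrp() {
  # Ask opennhrp to terminate (SIGTERM) so it can run its normal
  # shutdown path instead of being killed outright; escalate to SIGKILL
  # only if it is still around a second later. A process that is not
  # running is not an error for a stop action.
  if killall opennhrp 2>/dev/null; then
    sleep 1
    killall -9 opennhrp 2>/dev/null
  fi
  return 0
}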
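start_gre1() {
  # Create the hub side of the mGRE tunnel. The three values can be
  # overridden from the environment; the defaults are the example
  # topology from this guide. Note the GRE key is only a tunnel
  # identifier shared with the spokes, not a secret: confidentiality
  # comes from the ESP policy in /etc/ipsec-tools.conf.
  ip tunnel add gre1 mode gre \
    local "${DMVPN_LOCAL_IP:-192.168.5.251}" \
    key "${DMVPN_GRE_KEY:-123456}" ttl 64 || return 1
  ip addr add "${DMVPN_GRE_ADDR:-10.0.0.1/24}" dev gre1 || return 1
  # multicast is enabled on the tunnel to match the "multicast" setting
  # in opennhrp.conf.
  ip link set gre1 up multicast on
}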
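stop_gre1() {
  # Tear down the tunnel using iproute2 for both steps; ifconfig would
  # need the net-tools package, which is not installed by default on
  # current Ubuntu releases. A missing interface is not an error here.
  ip link set gre1 down 2>/dev/null
  ip tunnel del gre1
}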
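start_ipsec() {
  # Install the security policy first: the esp/transport//require rules
  # in /etc/ipsec-tools.conf are what force GRE through IPsec. If they
  # fail to load, stop here rather than start racoon and let the tunnel
  # run in cleartext. Returns 1 on policy failure, otherwise racoon's
  # exit status.
  if ! setkey -f /etc/ipsec-tools.conf; then
    printf '%s\n' "start_ipsec: failed to load /etc/ipsec-tools.conf" >&2
    return 1
  fi
  racoon -f /etc/racoon/racoon.conf
}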
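stop_ipsec() {
  # Stop the IKE daemon first so nothing is left to re-establish SAs
  # while they are being flushed. SIGTERM lets racoon exit cleanly;
  # SIGKILL is only a fallback for a process still alive a second later.
  if killall racoon 2>/dev/null; then
    sleep 1
    killall -9 racoon 2>/dev/null
  fi
  # Flush the SAD (-F) and then the SPD (-FP). After this GRE is no
  # longer forced through ESP, so the dispatcher runs this after
  # stop_nhrp and stop_gre1.
  setkey -F
  setkey -FP
}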
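# Entry point: dmvpn.sh start|stop|restart
# start brings up the tunnel, then the IPsec policy and IKE daemon, then
# NHRP; stop tears down NHRP, the tunnel and IPsec in that order.
ACTION="${1:-}"

# Start sequence. NHRP is not started when the IPsec policy failed to
# load, because the SPD is what keeps GRE (and the NHRP registrations
# carried in it) from going on the wire in clear.
do_start() {
  start_gre1
  if ! start_ipsec; then
    printf '%s\n' "dmvpn.sh: IPsec setup failed, not starting NHRP" >&2
    return 1
  fi
  start_nhrp
}

# Stop sequence, same order as before.
do_stop() {
  stop_nhrp
  stop_gre1
  stop_ipsec
}

case "$ACTION" in
  start)
    do_start || exit 1
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start || exit 1
    ;;
  *)
    # Unknown or missing action: say so instead of exiting silently.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 2
    ;;
esac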
Step 13 Start the service using the script we created
root@Base:/home/harry# chmod +x dmvpn.sh
root@Base:/home/harry# ./dmvpn.sh start
opennhrp[7228]: OpenNHRP 0.14.1 starting
opennhrp[7228]: Interface lo: configured UP, mtu=0
opennhrp[7228]: Interface ens32: configured UP, mtu=1500
opennhrp[7228]: Interface tun0: configured UP, mtu=1500
opennhrp[7228]: Interface ip_vti0: config change, mtu=1480
opennhrp[7228]: Interface gre0: config change, mtu=1476
opennhrp[7228]: Interface gretap0: config change, mtu=1462
opennhrp[7228]: Interface gre1: configured UP, mtu=1472
opennhrp[7228]: Interface gre1: GRE configuration changed. Purged 0 peers.
opennhrp[7228]: Filter code installed (21 opcodes)
Step 14 Configure the DMVPN page on the UR router. Once the router connects, its log shows the IKE, IPsec and NHRP exchanges:
Thu Apr 16 17:48:27 2020 daemon.info racoon: [192.168.5.251] INFO: Hashing 192.168.5.251[500] with algo #2
Thu Apr 16 17:48:27 2020 daemon.info racoon: [192.168.22.225] INFO: Hashing 192.168.22.225[500] with algo #2
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Thu Apr 16 17:48:27 2020 daemon.info racoon: [192.168.22.225] INFO: Hashing 192.168.22.225[500] with algo #2
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: NAT-D payload #0 verified
Thu Apr 16 17:48:27 2020 daemon.info racoon: [192.168.5.251] INFO: Hashing 192.168.5.251[500] with algo #2
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: NAT-D payload #1 verified
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: NAT not detected
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: ISAKMP-SA established 192.168.22.225[500]-192.168.5.251[500] spi:c1f9fb380f2b1d7a:969ea82a4171d413
Thu Apr 16 17:48:27 2020 daemon.info racoon: [192.168.5.251] INFO: received INITIAL-CONTACT
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: initiate new phase 2 negotiation: 192.168.22.225[500]<=>192.168.5.251[500]
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: IPsec-SA established: ESP/Transport 192.168.22.225[500]->192.168.5.251[500] spi=226819687(0xd84fe67)
Thu Apr 16 17:48:27 2020 daemon.info opennhrp[24091]: Sending Registration Request to 10.0.0.1 (my mtu=0)
Thu Apr 16 17:48:27 2020 daemon.info racoon: INFO: IPsec-SA established: ESP/Transport 192.168.22.225[500]->192.168.5.251[500] spi=230612359(0xdbedd87)
Thu Apr 16 17:48:32 2020 daemon.info racoon: INFO: respond new phase 2 negotiation: 192.168.22.225[500]<=>192.168.5.251[500]
Thu Apr 16 17:48:32 2020 daemon.info racoon: INFO: IPsec-SA established: ESP/Transport 192.168.22.225[500]->192.168.5.251[500] spi=247825369(0xec583d9)
Thu Apr 16 17:48:32 2020 daemon.info racoon: INFO: IPsec-SA established: ESP/Transport 192.168.22.225[500]->192.168.5.251[500] spi=10319056(0x9d74d0)
Thu Apr 16 17:48:37 2020 daemon.info opennhrp[24091]: Received Registration Reply from 10.0.0.1: success
Thu Apr 16 17:48:37 2020 daemon.info opennhrp[24091]: Sending Purge Request (of local routes) to 10.0.0.1
Thu Apr 16 17:48:37 2020 daemon.info opennhrp[24091]: [10.0.0.1] Peer inserted to multicast list
Thu Apr 16 17:48:38 2020 daemon.info eventadd[24337]: eventadd 4007 type=dmvpn&local=10.0.0.2:192.168.22.225&remote=10.0.0.1:192.168.5.251
Thu Apr 16 17:48:38 2020 daemon.info ys_thirdparty[1535]: dmvpn connected, local ip:10.0.0.2:192.168.22.225, remote ip:10.0.0.1:192.168.5.251
PS: If you see this error on the UR32:
Thu Apr 16 16:11:13 2020 daemon.info racoon: ERROR: bind(sockname:/home/ur3x/release/rt_vpn/src/apps/ipsec-tools-0.8.2/install/var/racoon/racoon.sock): No such file or directory
Thu Apr 16 16:11:18 2020 daemon.err opennhrp[10065]: [10.0.0.1] Peer up script failed: exitstatus 1
This is a small bug in an old release; it has been fixed in the latest version.