DMVPN With Linux CentOS

The document describes how to configure DMVPN between Linux routers without using IPsec. It involves compiling the kernel with CONFIG_ARPD enabled, compiling and configuring OpenNHRP on the hub and spokes, and testing connectivity between them without additional security.

Uploaded by

kzarne735

DMVPN with LINUX

======================================CONTENT=============================
|| HUB: Linux CentOS 6.4 x86_64
|| SPOKE1: Linux CentOS 6.4 x86_64
|| SPOKE2: Linux CentOS 6.4 x86_64
||
|| 1/ Compile kernel with CONFIG_ARPD enabled
|| 2/ Compile OPENNHRP
|| 3/ Configure OPENNHRP for HUB and 2 SPOKE without IPSEC
|| 4/ Compile IPSEC-TOOLS
|| 5/ Configure ipsec-tools (racoon)
=========================================================================

Tip: to check if CONFIG_ARPD is set, simply see if there are any results from
cat /proc/kallsyms | grep neigh_app
------------------------------------------------------
1/ Compiling Kernel with CONFIG_ARPD enabled
------------------------------------------------------
REF ARPD: http://www.linuxfoundation.org/collaborate/workgroups/networking/neighboring_subsystem
yum groupinstall "Development Tools"
yum install ncurses-devel bison flex openssl-devel
#download linux-2.6.32.27.tar.bz2 from kernel.org (CentOS 6.4 runs a 2.6.32-based kernel)
cd /usr/src/
tar xjf linux-2.6.32.27.tar.bz2
#link the unpacked source tree, not the tarball
ln -s /usr/src/linux-2.6.32.27 /usr/src/linux
cd /usr/src/linux
make mrproper
#mrproper deletes .config: start from the running kernel's config so the new kernel still boots this machine
cp /boot/config-$(uname -r) .config
make oldconfig
make menuconfig --> Networking support --> Networking options --> IP: ARP daemon support (CONFIG_ARPD=y) --> save .config
make -j4          (builds bzImage and the modules; a separate "make bzImage" / "make modules" is not needed)
make modules_install
make install      (runs /sbin/installkernel when present, which copies the kernel and System.map into /boot, builds the initramfs and adds the grub entry)
#manual equivalents if "make install" is not used:
#cp -v arch/x86/boot/bzImage /boot/vmlinuz-Customized
#cp -v System.map /boot/System.map-Customized
#dracut /boot/initramfs-Customized.img 2.6.32.27
#(mkinitcpio is Arch Linux's initramfs tool and does not exist on CentOS; dracut is the CentOS 6 equivalent)
#Edit grub config --> choose new kernel
vi /etc/grub.conf
reboot
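After the reboot it is worth confirming that ARP daemon support is really in the running kernel before building OpenNHRP against it. The check below is an added example (my code, not from the page): it turns the kallsyms tip at the top of the page into a function and adds two more sources of truth. Every function takes an optional file or version argument so it can be exercised on saved copies; the defaults are the live system's /proc/kallsyms, /boot/config-$(uname -r) (where CentOS keeps the running kernel's config) and uname -r. One assumption is stated in the code: kernels 3.11 and later no longer have the CONFIG_ARPD option because the code became unconditional, so a missing config line on such a kernel is not a failure.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight check that ARP daemon support,
# which OpenNHRP needs in order to be told about neighbour lookups on gre1,
# is really present. Functions take optional file/version arguments so they
# can be run on saved copies; defaults are the live system.

# arpd_in_config [config-file]: 0 if CONFIG_ARPD=y, 1 if "is not set" or
# absent, 2 if the file cannot be read.
arpd_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || return 2
    grep -qx 'CONFIG_ARPD=y' "$cfg"
}

# arpd_in_kallsyms [kallsyms-file]: 0 if the neigh_app* symbols exist; this
# is the page's own tip (grep neigh_app /proc/kallsyms) as a function.
arpd_in_kallsyms() {
    syms="${1:-/proc/kallsyms}"
    [ -r "$syms" ] || return 2
    grep -q 'neigh_app' "$syms"
}

# kernel_has_builtin_arpd [version]: 0 for 3.11 and later. Assumption: from
# 3.11 on the CONFIG_ARPD option was removed and the code is always built in,
# so a missing config line there is not a problem.
kernel_has_builtin_arpd() {
    ver="${1:-$(uname -r)}"
    maj=$(printf '%s\n' "$ver" | cut -d. -f1)
    min=$(printf '%s\n' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$maj" -gt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -ge 11 ]; }
}

# arpd_status [config-file] [kallsyms-file] [version]: one-line verdict on
# stdout; exit status 0 only when ARPD support is usable.
arpd_status() {
    cfg="${1:-/boot/config-$(uname -r)}"
    syms="${2:-/proc/kallsyms}"
    ver="${3:-$(uname -r)}"
    if arpd_in_kallsyms "$syms"; then
        echo "ok: neigh_app symbols in $syms"; return 0
    fi
    if kernel_has_builtin_arpd "$ver"; then
        echo "ok: kernel $ver has ARPD built in"; return 0
    fi
    if arpd_in_config "$cfg"; then
        echo "ok: CONFIG_ARPD=y in $cfg"; return 0
    fi
    echo "missing: rebuild the kernel with CONFIG_ARPD=y"
    return 1
}

# Usage on the box itself:  . ./arpd-check.sh && arpd_status
```

Run it on each of the three boxes before step 2; a "missing" verdict means step 1 did not take (typically the old kernel was booted, which "uname -r" will confirm).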
-------------------------------------------------------
2/ Compile OpenNHRP
-------------------------------------------------------
download opennhrp-0.14.1.tar.bz2 (from the OpenNHRP project)
yum install c-ares c-ares-devel      (build dependency; install it before running make)
tar xjf opennhrp-0.14.1.tar.bz2
cd opennhrp-0.14.1
make
make install      (installs opennhrp and opennhrpctl plus the sample files under /etc/opennhrp, opennhrp.conf, opennhrp-script and racoon-ph1dead.sh, that the next steps edit)
-------------------------------------------------------
3/ Configuration OpenNHRP (without IPSEC)
-------------------------------------------------------
Bring-up and debugging stage only. Without IPsec the GRE key is the only thing separating the overlay from the NBMA network, and it is a 32-bit value carried in clear in every packet: a demultiplexing tag, not authentication. NHRP registrations and resolutions are not authenticated either, so any host on 10.90.41.0/24 that sees the key can join the tunnel and speak NHRP to the hub. Step 5 puts the GRE traffic inside IPsec.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HUB:
NBMA Address: 10.90.41.116/24
Tunnel Address: 172.16.0.116/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip tunnel add gre1 mode gre local 10.90.41.116 key 1234 ttl 64
ip addr add 172.16.0.116/24 dev gre1
ip link set gre1 arp on
ip link set gre1 up
vi /etc/opennhrp/opennhrp-script
(for this stage without IPsec, comment out every racoonctl line; the one-liner
sed -i 's/^\([[:space:]]*\)racoonctl/\1#racoonctl/' /etc/opennhrp/opennhrp-script
does the same without an editor, and because it anchors on the start of the line it only touches those commands and is easy to reverse in step 5)
excerpt of the script after the edit (interface-up and peer-up cases; the other cases are left as installed):
case $1 in
interface-up)
	/sbin/ip route flush proto 42 dev $NHRP_INTERFACE
	/sbin/ip neigh flush dev $NHRP_INTERFACE
	;;
peer-up)
	#racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
	#racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
	;;
esac
vi /etc/opennhrp/opennhrp.conf
interface gre1
holding-time 3600
multicast dynamic
shortcut
redirect
non-caching
opennhrp -c /etc/opennhrp/opennhrp.conf -d
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE1
NBMA Address: 10.90.41.216/24
Tunnel Address: 172.16.0.216/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip tunnel add gre1 mode gre local 10.90.41.216 key 1234 ttl 64
ip addr add 172.16.0.216/24 dev gre1
ip link set gre1 arp on
ip link set gre1 up
vi /etc/opennhrp/opennhrp-script   (same edit as on the HUB: comment out every racoonctl line, e.g. sed -i 's/^\([[:space:]]*\)racoonctl/\1#racoonctl/' /etc/opennhrp/opennhrp-script)
case $1 in
interface-up)
	/sbin/ip route flush proto 42 dev $NHRP_INTERFACE
	/sbin/ip neigh flush dev $NHRP_INTERFACE
	;;
peer-up)
	#racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
	#racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
	;;
esac
vi /etc/opennhrp/opennhrp.conf
interface gre1
holding-time 3600
map 172.16.0.116/24 10.90.41.116 register
#map <hub tunnel network> <hub NBMA address> register: the spoke statically maps the hub's tunnel prefix to the hub's real address and registers its own tunnel/NBMA pair with it (the values must be the HUB's from above, not those of another lab)
multicast dynamic
shortcut
redirect
non-caching
opennhrp -c /etc/opennhrp/opennhrp.conf -d
#Checking (on the spoke, once opennhrp is running)
ip neigh show                 (tunnel neighbours on gre1; the hub should be listed)
ip link
ip addr
opennhrpctl show              (the NHRP cache: this node's own entry and the hub's)
opennhrpctl interface show
opennhrpctl purge             (clears the NHRP cache and forces a fresh registration; use it to restart a test, it is not a read-only check)
ping 172.16.0.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE2
NBMA Address: 10.90.41.217/24
Tunnel Address: 172.16.0.217/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the same for SPOKE2: the tunnel commands below, then the identical opennhrp-script edit, an opennhrp.conf with the "map 172.16.0.116/24 10.90.41.116 register" line and the opennhrp -c /etc/opennhrp/opennhrp.conf -d start, exactly as on SPOKE1
ip tunnel add gre1 mode gre local 10.90.41.217 key 1234 ttl 64
ip addr add 172.16.0.217/24 dev gre1
ip link set gre1 arp on
ip link set gre1 up
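The three per-node blocks above differ only in role and addresses, and the spoke "map" line is where hand-copied configs go wrong. As an added example (my code, not the page's and not part of OpenNHRP), the script below generates a node's tunnel commands and opennhrp.conf from those parameters and toggles the racoonctl hooks in opennhrp-script reversibly. It only prints; nothing is applied until you pipe the output to sh or into the config file. Assumed: the page's lab values (hub NBMA 10.90.41.116, hub tunnel 172.16.0.116/24, GRE key 1234) and GNU sed for the in-place edit, as on CentOS.

```shell
#!/bin/sh
# Added example (not from the page): build one DMVPN node's gre1 commands and
# /etc/opennhrp/opennhrp.conf from its role and addresses, so hub and spokes
# come from a single template. Functions only print.

GRE_KEY=1234     # 32-bit GRE key: a demultiplexing tag sent in clear, not a secret
HOLD_TIME=3600   # NHRP registration holding time in seconds

# gen_tunnel_cmds <nbma-ip> <tunnel-ip/prefix>
# Multipoint GRE: "local" only, no "remote"; NHRP supplies the peers.
gen_tunnel_cmds() {
    cat <<EOF
ip tunnel add gre1 mode gre local $1 key $GRE_KEY ttl 64
ip addr add $2 dev gre1
ip link set gre1 arp on
ip link set gre1 up
EOF
}

# gen_opennhrp_conf hub
# gen_opennhrp_conf spoke <hub-tunnel-ip/prefix> <hub-nbma-ip>
# A spoke statically maps the hub's tunnel network to the hub's NBMA address
# and registers with it; the hub learns the spokes from those registrations
# and therefore has no map line.
gen_opennhrp_conf() {
    role="$1"; hub_tun="$2"; hub_nbma="$3"
    case "$role" in
    hub)
        map_line="" ;;
    spoke)
        if [ -z "$hub_tun" ] || [ -z "$hub_nbma" ]; then
            echo "spoke needs <hub-tunnel-ip/prefix> <hub-nbma-ip>" >&2
            return 1
        fi
        map_line="map $hub_tun $hub_nbma register" ;;
    *)
        echo "role must be hub or spoke, got: $role" >&2
        return 1 ;;
    esac
    echo "interface gre1"
    echo "holding-time $HOLD_TIME"
    if [ -n "$map_line" ]; then echo "$map_line"; fi
    echo "multicast dynamic"   # forward multicast to dynamically learned peers
    echo "shortcut"            # spokes resolve each other and bypass the hub
    echo "redirect"            # hub tells spokes to resolve directly
    echo "non-caching"
}

# toggle_ipsec_hooks <opennhrp-script> on|off
# Comments out (off) or restores (on) the racoonctl lines. Anchoring on the
# start of the line touches only those commands and makes the edit reversible.
toggle_ipsec_hooks() {
    case "$2" in
    off) sed -i 's/^\([[:space:]]*\)racoonctl/\1#racoonctl/' "$1" ;;
    on)  sed -i 's/^\([[:space:]]*\)#racoonctl/\1racoonctl/' "$1" ;;
    *)   echo "usage: toggle_ipsec_hooks <script> on|off" >&2; return 1 ;;
    esac
}

# Usage for SPOKE1 from the page, after sourcing this file:
#   gen_tunnel_cmds 10.90.41.216 172.16.0.216/24 | sh
#   gen_opennhrp_conf spoke 172.16.0.116/24 10.90.41.116 > /etc/opennhrp/opennhrp.conf
#   toggle_ipsec_hooks /etc/opennhrp/opennhrp-script off
```

For the hub, "gen_tunnel_cmds 10.90.41.116 172.16.0.116/24" and "gen_opennhrp_conf hub" produce the HUB block above; "toggle_ipsec_hooks ... on" is the step 5 reversal.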
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TESTING DMVPN WITHOUT IPSEC and STATIC ROUTE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HUB:
ping 172.16.0.216 (spoke1)
ping 172.16.0.217 (spoke2)
From Spoke:
ping 172.16.0.217 (spoke1 ping spoke2)
The first spoke-to-spoke packets are relayed by the hub; with "redirect" on the hub and "shortcut" on the spokes, the spokes then resolve each other and talk directly. Confirm with opennhrpctl show on spoke1 (an entry for spoke2 with its NBMA address 10.90.41.217 appears) and with ip route show proto 42 (the route the opennhrp-script installs for the shortcut).
Change IP Interface Loopback
HUB: 200.200.200.116/32 ( vi /etc/sysconfig/network-scripts/ifcfg-lo )
SPOKE1: 100.100.216.216/32
SPOKE2: 169.254.217.217/32
(lab values only: 200.200.200.0/24 and 100.100.0.0/16 are routable public space and 169.254.0.0/16 is link-local; use addresses you own anywhere real)
Add static routes so the loopbacks are reachable over the tunnel (iproute2 form of the page's "route add ... gw ... dev gre1")
HUB:
ip route add 100.100.216.216/32 via 172.16.0.216 dev gre1
ip route add 169.254.217.217/32 via 172.16.0.217 dev gre1
SPOKE1:
ip route add 200.200.200.116/32 via 172.16.0.116 dev gre1
ping 200.200.200.116 -I 100.100.216.216
SPOKE2:
ip route add 200.200.200.116/32 via 172.16.0.116 dev gre1
ping 200.200.200.116 -I 169.254.217.217
------------------------------------------------------------
4/ Compile IPSEC-TOOLS
------------------------------------------------------------
#download ipsec-tools-0.8.2.tar.bz2
#untar
tar xjf ipsec-tools-0.8.2.tar.bz2
cd ipsec-tools-0.8.2
./configure --sysconfdir=/etc/racoon CFLAGS="-fno-strict-aliasing" --enable-natt --enable-adminport
#--enable-adminport is required: the opennhrp-script drives racoon through racoonctl
make
make install

------------------------------------------------------------
5/ Configure IPSEC-TOOLS (racoon)
------------------------------------------------------------
(The proposal below is what the page used: 3DES, SHA-1 and HMAC-MD5, DH group 2, and aggressive mode accepted alongside main mode. It works with ipsec-tools 0.8.2 but is legacy-grade; for anything beyond this lab use AES, SHA-2, DH group 14 and main mode only, and a pre-shared key longer than the "1234" used here.)
/etc/ipsec.conf (setkey policy; load it with: setkey -f /etc/ipsec.conf)
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
#"require" in both directions: GRE to or from any NBMA peer must travel inside transport-mode ESP, so clear-text GRE from a host that has not authenticated to racoon is dropped by the kernel instead of reaching gre1
mkdir /etc/racoon
/etc/racoon/racoon.conf:
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
exchange_mode main, aggressive;
lifetime time 24 hour;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des, blowfish 448, rijndael;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
vi /etc/racoon/psk.txt   (must be mode 0600: racoon refuses a key file that group or others can read)
10.90.41.216 <secret>
10.90.41.217 <secret>
#one line per IKE peer, keyed by the peer's NBMA address: IKE and ESP run between the NBMA addresses (those are what the racoonctl establish-sa lines pass), so an entry for the tunnel address 172.16.0.116 never matches; use a real secret, not 1234
racoon -4 -f /etc/racoon/racoon.conf -l /etc/racoon/racoon.log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vi /etc/ipsec.conf (same policy as the hub; load it with: setkey -f /etc/ipsec.conf)
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
mkdir /etc/racoon
vi /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
exchange_mode main, aggressive;
lifetime time 24 hour;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des, blowfish 448, rijndael;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
vi /etc/racoon/psk.txt   (mode 0600; keyed by the peer's NBMA address, as on the hub)
10.90.41.116 <secret>
#a spoke that will build shortcuts also needs a line for every other spoke's NBMA address (or move to certificates, which racoon supports with authentication_method rsasig)
racoon -4 -f /etc/racoon/racoon.conf -l /etc/racoon/racoon.log
Then, on HUB and SPOKES, switch the overlay to IPsec: setkey -f /etc/ipsec.conf, uncomment the racoonctl lines in /etc/opennhrp/opennhrp-script (the reverse of the step 3 edit) and restart opennhrp, so every NHRP peer-up first brings up the ISAKMP and ESP SAs to that peer's NBMA address. Repeat the pings from the test section; tcpdump on the NBMA interface should now show ESP only, no clear GRE.
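To make the tightened settings concrete, the script below is an added example (my code, not from the page and not part of ipsec-tools): it emits a racoon.conf with the legacy proposal replaced, builds a psk.txt keyed by the peers' NBMA addresses, and applies the two checks that bite in practice, a too-short secret and a key file that racoon will refuse for its permissions. Assumed: racoon from ipsec-tools 0.8.x, which accepts the aes, sha256, hmac_sha256 and dh_group 14 keywords, and GNU stat as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the page or from ipsec-tools): racoon.conf with a
# current proposal, psk.txt keyed by NBMA addresses, and sanity checks.
# Assumed: ipsec-tools 0.8.x keyword set, GNU stat.

# gen_racoon_conf <psk-file>: main mode only, AES-256/SHA-256/DH group 14 for
# phase 1, AES-256/HMAC-SHA-256 with PFS group 14 for phase 2. The
# phase1_dead hook is OpenNHRP's, exactly as on the page.
gen_racoon_conf() {
    cat <<EOF
path pre_shared_key "$1";
remote anonymous {
        # main mode only: with aggressive mode the PSK-derived hash goes
        # over the wire in clear and can be guessed offline from one capture
        exchange_mode main;
        lifetime time 24 hour;
        script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}
sainfo anonymous {
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
EOF
}

# gen_psk <secret> <peer-nbma-ip>...: one line per IKE peer. racoon looks the
# key up by the remote IKE address, and IKE runs between NBMA addresses here
# (those are what racoonctl establish-sa is given): the hub lists every
# spoke's NBMA address, a spoke lists the hub plus any spoke it will shortcut
# to. A tunnel address such as 172.16.0.116 never matches.
gen_psk() {
    secret="$1"; shift
    for peer in "$@"; do
        printf '%s %s\n' "$peer" "$secret"
    done
}

# secret_ok <secret>: the PSK is the only authentication there is; reject
# anything short (the page's "1234" fails this).
secret_ok() {
    [ "${#1}" -ge 20 ]
}

# write_psk <file> <secret> <peer-nbma-ip>...: refuses a weak secret and
# writes the file 0600; racoon rejects a key file readable by group/others.
write_psk() {
    f="$1"; secret="$2"; shift 2
    secret_ok "$secret" || { echo "pre-shared key too short" >&2; return 1; }
    ( umask 077; gen_psk "$secret" "$@" > "$f" )
    chmod 600 "$f"
}

# psk_perms_ok <file>: 0 if neither group nor others have any permission.
psk_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $((mode % 100)) -eq 0 ]
}

# Usage on the HUB from the page (spokes 10.90.41.216 and 10.90.41.217):
#   gen_racoon_conf /etc/racoon/psk.txt > /etc/racoon/racoon.conf
#   write_psk /etc/racoon/psk.txt "$SECRET" 10.90.41.216 10.90.41.217
#   psk_perms_ok /etc/racoon/psk.txt && racoon -4 -f /etc/racoon/racoon.conf -l /etc/racoon/racoon.log
```

On a spoke the write_psk call lists 10.90.41.116 and the other spokes' NBMA addresses instead. The same secret on every node is the simplest arrangement for a mesh; the alternative, which scales better than a growing psk.txt, is certificates.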
