
DMVPN with LINUX

======================================CONTENT=============================
|| HUB: Linux CentOS 6.4 x86_64
|| SPOKE1: Linux CentOS 6.4 x86_64
|| SPOKE2: Linux CentOS 6.4 x86_64
||
|| 1/ Compile kernel with CONFIG_ARPD enabled
|| 2/ Compile OpenNHRP
|| 3/ Configure OpenNHRP for HUB and 2 SPOKEs without IPsec
|| 4/ Compile ipsec-tools
|| 5/ Configure ipsec-tools (racoon)
=========================================================================

Tip: to check whether the running kernel was built with CONFIG_ARPD, look for the neigh_app* symbols (they are only compiled in when ARPD is enabled); no output means you need step 1:
grep neigh_app /proc/kallsyms
------------------------------------------------------
1/ Compiling Kernel with CONFIG_ARPD enabled
------------------------------------------------------
REF ARPD: http://www.linuxfoundation.org/collaborate/workgroups/networking/neighboring_subsystem
yum groupinstall "Development Tools"
yum install ncurses-devel bison flex openssl-devel
# download linux-2.6.32.27.tar.bz2 from kernel.org
cd /usr/src/
tar xjf linux-2.6.32.27.tar.bz2
ln -s /usr/src/linux-2.6.32.27 /usr/src/linux     # link the extracted tree, not the tarball
cd /usr/src/linux
make mrproper
make menuconfig --> Networking support --> Networking options --> "IP: ARP daemon support" (CONFIG_ARPD=y) --> save .config
make -j4 bzImage modules      # (cp -v arch/x86_64/boot/bzImage /boot/vmlinuz-Customized if you install by hand)
make modules_install
make install                  # on CentOS 6 this copies the kernel and System.map into /boot, builds the initramfs and adds the grub entry
# manual equivalent of "make install" (mkinitcpio is Arch Linux tooling; the CentOS 6 equivalent is dracut):
#   dracut /boot/initramfs-Customized.img 2.6.32.27
#   (Arch: mkinitcpio -k <FullKernelName> -c /etc/mkinitcpio.conf -g /boot/initramfs-Customized.img)
#   cp System.map /boot/System.map-Customized
# edit the grub config --> make the new kernel the default entry
vi /etc/grub.conf
reboot
-------------------------------------------------------
2/ Compile OpenNHRP
-------------------------------------------------------
# download opennhrp-0.14.1.tar.bz2
yum install c-ares c-ares-devel
tar xjf opennhrp-0.14.1.tar.bz2
cd opennhrp-0.14.1
make
make install          # installs opennhrp, opennhrpctl and the sample files under /etc/opennhrp (opennhrp.conf, opennhrp-script, racoon-ph1dead.sh)
-------------------------------------------------------
3/ Configure OpenNHRP (without IPsec)
-------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HUB:
NBMA Address: 10.90.41.116/24
Tunnel Address: 172.16.0.116/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip tunnel add gre1 mode gre local 10.90.41.116 key 1234 ttl 64   # no "remote": multipoint GRE, NHRP supplies the peer NBMA address
ip addr add 172.16.0.116/24 dev gre1
ip link set gre1 arp on        # with CONFIG_ARPD the kernel hands unresolved neighbours on gre1 to OpenNHRP, which resolves them with NHRP
ip link set gre1 up
vi /etc/opennhrp/opennhrp-script (or non-interactively: sed -i 's/racoonctl/#racoonctl/' /etc/opennhrp/opennhrp-script --> disables IPsec)
case $1 in
interface-up)
        /sbin/ip route flush proto 42 dev $NHRP_INTERFACE
        /sbin/ip neigh flush dev $NHRP_INTERFACE
        ;;
peer-up)
        # IPsec disabled for now: these two lines are re-enabled once racoon is configured (step 5)
        #racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
        #racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
        ;;
esac
(only the two cases that are edited are shown; leave the rest of the shipped script as it is)
vi /etc/opennhrp/opennhrp.conf
interface gre1
        holding-time 3600
        multicast dynamic      # replicate multicast to every registered spoke
        shortcut               # install shortcut routes learned via NHRP
        redirect               # hub only: send traffic indications so spokes build spoke-to-spoke shortcuts
        non-caching
opennhrp -c /etc/opennhrp/opennhrp.conf -d
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE1
NBMA Address: 10.90.41.216/24
Tunnel Address: 172.16.0.216/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip tunnel add gre1 mode gre local 10.90.41.216 key 1234 ttl 64
ip addr add 172.16.0.216/24 dev gre1
ip link set gre1 arp on
ip link set gre1 up
vi /etc/opennhrp/opennhrp-script (same edit as on the HUB: comment out the two racoonctl lines under peer-up)
vi /etc/opennhrp/opennhrp.conf
interface gre1
        holding-time 3600
        map 172.16.0.116/24 10.90.41.116 register   # hub TUNNEL prefix -> hub NBMA address, and register with the hub
        multicast dynamic
        shortcut
        redirect          # only needed on the hub; harmless on a spoke
        non-caching
opennhrp -c /etc/opennhrp/opennhrp.conf -d
#Checking
ip neigh show dev gre1          # the hub must show up as 172.16.0.116 ... lladdr 10.90.41.116
ip link
ip addr
opennhrpctl show                # NHRP peer cache: the hub entry must be present and up
opennhrpctl interface show
opennhrpctl purge               # flush the cache if an entry looks stale
ping 172.16.0.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE2
NBMA Address: 10.90.41.217/24
Tunnel Address: 172.16.0.217/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The same for SPOKE2 (opennhrp-script and opennhrp.conf are identical to SPOKE1; the map line points at the hub):
ip tunnel add gre1 mode gre local 10.90.41.217 key 1234 ttl 64
ip addr add 172.16.0.217/24 dev gre1
ip link set gre1 arp on
ip link set gre1 up
opennhrp -c /etc/opennhrp/opennhrp.conf -d
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TESTING DMVPN WITHOUT IPSEC and STATIC ROUTE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HUB:
ping 172.16.0.216 (spoke1)
ping 172.16.0.217 (spoke2)
From SPOKE1:
ping 172.16.0.217 (spoke1 pings spoke2; afterwards "ip neigh show dev gre1" on spoke1 should map 172.16.0.217 to 10.90.41.217, i.e. a direct spoke-to-spoke shortcut)
Note: in this phase nothing authenticates a peer; any host on the NBMA network that knows the GRE key can register. That is what step 5 adds.
Add a /32 secondary address to the loopback interface (vi /etc/sysconfig/network-scripts/ifcfg-lo):
HUB:    200.200.200.116/32
SPOKE1: 100.100.216.216/32
SPOKE2: 169.254.217.217/32
Add static routes so the loopbacks are reachable through the tunnel:
HUB:
ip route add 100.100.216.216/32 via 172.16.0.216 dev gre1
ip route add 169.254.217.217/32 via 172.16.0.217 dev gre1
SPOKE1:
ip route add 200.200.200.116/32 via 172.16.0.116 dev gre1
ping 200.200.200.116 -I 100.100.216.216
SPOKE2:
ip route add 200.200.200.116/32 via 172.16.0.116 dev gre1
ping 200.200.200.116 -I 169.254.217.217
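A scripted version of the check above, added here as an example (it is not part of the original note and not OpenNHRP code). It parses the output of "ip neigh show dev gre1" on a spoke, the table OpenNHRP fills, and confirms that the hub is bound to its expected NBMA address and that a spoke-to-spoke shortcut exists. The neighbour lines are constructed to match the addressing used above, not captured from a host; in a live check replace SAMPLE_NEIGH with "$(ip neigh show dev gre1)". Since nothing authenticates a registration without IPsec, a binding to an unexpected NBMA address is treated as a failure.

```shell
#!/bin/sh
# Constructed sample of "ip neigh show dev gre1" as seen on SPOKE1 after the
# hub registration and a first ping to SPOKE2 (not captured from a real host).
# Format: <tunnel-addr> dev <if> lladdr <NBMA-addr> <state>; unresolved
# entries (FAILED/INCOMPLETE) carry no lladdr.
SAMPLE_NEIGH='172.16.0.116 dev gre1 lladdr 10.90.41.116 REACHABLE
172.16.0.217 dev gre1 lladdr 10.90.41.217 REACHABLE
172.16.0.250 dev gre1  FAILED'

# nhrp_peers NEIGH: print "tunnel-addr NBMA-addr" for every resolved entry
nhrp_peers() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "lladdr") print $1, $(i + 1)
    }'
}

# peer_nbma NEIGH TUNNEL_ADDR: the NBMA address bound to a tunnel address, or empty
peer_nbma() {
    nhrp_peers "$1" | awk -v t="$2" '$1 == t { print $2; exit }'
}

# check_binding NEIGH TUNNEL_ADDR EXPECTED_NBMA: succeeds only if the binding
# exists and points at the NBMA address we expect. A different NBMA address
# means a stale or spoofed registration (GRE key + NHRP authenticate nothing).
check_binding() {
    got=$(peer_nbma "$1" "$2")
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# shortcut_active NEIGH SPOKE_TUNNEL HUB_NBMA: succeeds when the spoke has a
# direct binding for the other spoke that does not go through the hub's NBMA
# address, i.e. the spoke-to-spoke shortcut has been built.
shortcut_active() {
    got=$(peer_nbma "$1" "$2")
    [ -n "$got" ] && [ "$got" != "$3" ]
}

# Usage: sh nhrp-check.sh --demo   (runs the checks against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    check_binding "$SAMPLE_NEIGH" 172.16.0.116 10.90.41.116 && echo "hub binding ok"
    shortcut_active "$SAMPLE_NEIGH" 172.16.0.217 10.90.41.116 && echo "spoke2 shortcut active"
fi
```

The functions only read text, so they can be run against the neighbour table of every node from a central host to catch a spoke whose hub entry has flipped to a foreign NBMA address.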
------------------------------------------------------------
4/ Compile IPSEC-TOOLS
------------------------------------------------------------
# download ipsec-tools-0.8.2.tar.bz2
tar xjf ipsec-tools-0.8.2.tar.bz2
cd ipsec-tools-0.8.2
./configure --sysconfdir=/etc/racoon CFLAGS="-fno-strict-aliasing" --enable-natt --enable-adminport   # adminport is required: opennhrp-script drives racoon through racoonctl
make
make install

------------------------------------------------------------
5/ Configure IPSEC-TOOLS (racoon)
------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HUB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vi /etc/ipsec.conf (setkey policy: every GRE packet, in and out, must be ESP in transport mode)
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
setkey -f /etc/ipsec.conf
mkdir -p /etc/racoon
vi /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main;      # main only: aggressive mode with a PSK sends an offline-crackable hash of the key
        lifetime time 24 hour;
        script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;    # shipped with OpenNHRP
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
(3des, sha1/md5 and dh_group 2 are the weakest choices racoon still accepts; when every node runs this build, use aes, sha256 and dh_group 14 in the proposal and aes / hmac_sha256 in sainfo)
vi /etc/racoon/psk.txt (keyed by the peer's NBMA address, because ISAKMP runs between NBMA addresses, see $NHRP_SRCNBMA/$NHRP_DESTNBMA in opennhrp-script; the hub needs one line per spoke, and 1234 must become a long random secret)
10.90.41.216 1234
10.90.41.217 1234
chmod 600 /etc/racoon/psk.txt     # the key file must not be readable by anyone but root
racoon -4 -f /etc/racoon/racoon.conf -l /etc/racoon/racoon.log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPOKE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vi /etc/ipsec.conf (identical to the HUB)
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
setkey -f /etc/ipsec.conf
mkdir -p /etc/racoon
vi /etc/racoon/racoon.conf (identical to the HUB)
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main;
        lifetime time 24 hour;
        script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
vi /etc/racoon/psk.txt (the hub's NBMA address plus the other spoke's: a spoke-to-spoke shortcut negotiates ISAKMP/ESP directly between the two spokes, so a spoke that only knows the hub's key cannot bring the shortcut up; on SPOKE2 the second line is 10.90.41.216)
10.90.41.116 1234
10.90.41.217 1234
chmod 600 /etc/racoon/psk.txt
racoon -4 -f /etc/racoon/racoon.conf -l /etc/racoon/racoon.log
Finally, on every node, re-enable the two racoonctl lines in /etc/opennhrp/opennhrp-script (commented out in step 3) and restart opennhrp: peer-up now brings up the ISAKMP and ESP SAs before the peer is used. "setkey -D" lists the SAs, and the pings from the test section must still work.
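The per-node files for steps 3 and 5, rendered from one inventory, as an added example (not the note's own commands and not OpenNHRP or ipsec-tools code). It assumes the addressing used above, the tunnel subnet 172.16.0.0/24 and a placeholder PSK; render_node only writes files into a directory, nothing is applied to the system. The point it makes explicit is the one that is easy to get wrong by hand: the map line maps the hub's tunnel prefix to the hub's NBMA address, and psk.txt is keyed by NBMA addresses with one entry per other node, because a spoke-to-spoke shortcut negotiates IKE directly between spokes.

```shell
#!/bin/sh
# Constructed inventory with the addresses used in this note:
#   name   NBMA (underlay) address   tunnel (overlay) address
NODES='hub 10.90.41.116 172.16.0.116
spoke1 10.90.41.216 172.16.0.216
spoke2 10.90.41.217 172.16.0.217'
TUN_PREFIX=24                             # tunnel subnet is 172.16.0.0/24
GRE_KEY=1234                              # selects the tunnel; it is not a secret
PSK='replace-with-a-long-random-secret'   # placeholder value (hypothetical)

# nbma_of NAME / tun_of NAME: inventory lookups
nbma_of() { printf '%s\n' "$NODES" | awk -v n="$1" '$1 == n { print $2 }'; }
tun_of()  { printf '%s\n' "$NODES" | awk -v n="$1" '$1 == n { print $3 }'; }

# gen_tunnel_cmds NAME: the mGRE interface. "local" only, no "remote":
# NHRP supplies the peer NBMA address per destination.
gen_tunnel_cmds() {
    printf 'ip tunnel add gre1 mode gre local %s key %s ttl 64\n' "$(nbma_of "$1")" "$GRE_KEY"
    printf 'ip addr add %s/%s dev gre1\n' "$(tun_of "$1")" "$TUN_PREFIX"
    printf 'ip link set gre1 arp on\n'
    printf 'ip link set gre1 up\n'
}

# gen_opennhrp_conf NAME: the hub answers resolutions and sends redirects;
# a spoke carries a static map to the hub and registers with it.
gen_opennhrp_conf() {
    printf 'interface gre1\n\tholding-time 3600\n'
    if [ "$1" = hub ]; then
        printf '\tmulticast dynamic\n\tshortcut\n\tredirect\n\tnon-caching\n'
    else
        # hub TUNNEL prefix -> hub NBMA address (not the other way round)
        printf '\tmap %s/%s %s register\n' "$(tun_of hub)" "$TUN_PREFIX" "$(nbma_of hub)"
        printf '\tmulticast dynamic\n\tshortcut\n\tnon-caching\n'
    fi
}

# gen_psk NAME: racoon psk.txt keyed by the PEER's NBMA address (IKE runs
# between NBMA addresses). Every node lists every other node: a shortcut
# between two spokes negotiates IKE directly between them, so a spoke that
# only knows the hub's key can never bring the shortcut SA up.
gen_psk() {
    printf '%s\n' "$NODES" | awk -v me="$1" -v k="$PSK" '$1 != me { print $2, k }'
}

# gen_spd: setkey policy, every GRE packet in and out must be ESP transport.
gen_spd() {
    printf 'spdflush;\n'
    printf 'spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;\n'
    printf 'spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;\n'
}

# render_node NAME DIR: write DIR/NAME/{tunnel.sh,opennhrp.conf,ipsec.conf,psk.txt}.
render_node() {
    d="$2/$1"
    mkdir -p "$d"
    gen_tunnel_cmds "$1"   > "$d/tunnel.sh"
    gen_opennhrp_conf "$1" > "$d/opennhrp.conf"
    gen_spd                > "$d/ipsec.conf"
    # the key file must never be group/world readable: create it under umask 077
    ( umask 077; gen_psk "$1" > "$d/psk.txt" )
}

# Usage: sh render.sh /tmp/dmvpn   -> one directory per node
if [ -n "${1:-}" ]; then
    for n in hub spoke1 spoke2; do render_node "$n" "$1"; done
fi
```

Adding a spoke is one inventory line; every node's psk.txt then has to be re-rendered and redistributed, which is the operational cost of pre-shared keys in a full mesh and the reason to move to certificates (authentication_method rsasig) once the spoke count grows.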
