
Using Quagga NHRP without VICI integration
Dear Quagga user-list,


I am working on a Linux-based router that has to be able to dynamically set up GRE over IPsec tunnels between hub and spoke routers. At this point we can already configure just one generic IPsec profile on the hub router to set up IPsec tunnels with all of the spokes, using Strongswan's "%any" value for the remote endpoints on the hub. However, for GRE we need a solution for the spokes to "notify" the hub router about their GRE tunnel addresses, so that the GRE tunnels can be set up between the spokes and the hub without having to configure any remote GRE tunnel information on the hub, requiring only one generic configuration for GRE on the hub.

After a bit of research I read that on Cisco routers, NHRP is used for this. We already use Quagga on the routers for OSPF and RIP, so I found out that Quagga also has an implementation for NHRP, but the Quagga NHRP docs state that it needs tight integration with IKE. However, the Strongswan compiled on our routers isn't patched for the NHRP daemon ("VICI: StrongSwan does not support mandatory events (unpatched?)" message comes up when running the daemon). I don't see why, in my situation, the NHRP daemon would need integration with IKE, because I am only concerned about the spokes "advertising" their GRE tunnel information to the hub. So the main question here is why the daemon needs IKE integration, and if it is possible to use the Quagga NHRP without it being integrated with IKE.

Kind Regards,

Vincent Beck