ospfd announces removed routes
Hello

I have two VPN routers (Linux+Quagga+OpenVPN+IPsec) in my LAN hosting a
number of VPN connections to customers' servers. All the routers are
connected to the inter-router VLAN 172.16.83.64/26 and use one OSPF area.
One VPN router (hostname vpn1, ip 172.16.83.68) is old, another is new
(vpn3, 172.16.83.70). I move customers from vpn1 to vpn3 one by one.
After reconfiguration a VPN client disconnects from vpn1 and a few seconds
later connects to vpn3. OpenVPN up/down scripts remove the host route at
vpn1 and add it at vpn3. I expect OSPF to reflect the route change within
some seconds, but I see that the old route is still announced by vpn1. So
the central router (Cisco L3 switch, ip 172.16.83.65) shows two routes
to the same remote host: one new via vpn3 and one old via vpn1. But the
old route is not valid on vpn1, so packets travel switch -> vpn1 -> vpn3.

It seems that OSPF tables got stuck at vpn1.

l3_switch#sh ip ospf database

OSPF Router with ID (172.16.83.65) (Process ID 1)

Router Link States (Area 172.16.80.0)

Link ID ADV Router Age Seq# Checksum Link count
172.16.80.4 ns.solvo.ru 1271 0x80006570 0x006DCC 1
172.16.80.5 ns2.solvo.ru 1064 0x8001270F 0x008D3D 1
172.16.83.65 cat3560-vlan3.s 809 0x80010890 0x00F727 2
172.16.83.67 gw2-vlan3.solvo 1344 0x80004FEC 0x00E0E4 1
172.16.83.68 vpn1-vlan3.solv 1385 0x80012C4B 0x0078D3 3
172.16.83.70 vpn3-vlan3.solv 1264 0x80000BF9 0x008D66 1
172.16.89.9 ns3.solvo.ru 551 0x80000F6B 0x00DD65 2

Net Link States (Area 172.16.80.0)

Link ID ADV Router Age Seq# Checksum
172.16.80.4 ns.solvo.ru 1071 0x80000022 0x00445A
172.16.83.70 vpn3-vlan3.solv 1704 0x80000BF2 0x00E7B0

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 gw2-vlan3.solvo 954 0x8000500F 0x0072AD 0
[...]
172.16.88.0 vpn3-vlan3.solv 1196 0x80000030 0x007CA7 0
172.16.88.4 vpn3-vlan3.solv 1166 0x80000005 0x00AAA0 0
172.16.88.6 vpn1-vlan3.solv 1328 0x8000002C 0x0054CF 0
172.16.88.6 vpn3-vlan3.solv 1136 0x80000020 0x0060CD 0
172.16.88.7 vpn1-vlan3.solv 1208 0x8000002C 0x004AD8 0
172.16.88.7 vpn3-vlan3.solv 1237 0x80000020 0x0056D6 0
172.16.88.8 vpn1-vlan3.solv 1168 0x8000002B 0x0042E0 0
172.16.88.8 vpn3-vlan3.solv 1217 0x80000020 0x004CDF 0
172.16.88.9 vpn1-vlan3.solv 1358 0x8000002C 0x0036EA 0
172.16.88.9 vpn3-vlan3.solv 1137 0x80000020 0x0042E8 0
172.16.88.10 vpn1-vlan3.solv 1028 0x8000002D 0x002AF4 0
172.16.88.10 vpn3-vlan3.solv 1137 0x80000028 0x0028F9 0
172.16.88.11 vpn3-vlan3.solv 1207 0x80000002 0x006ADC 0
172.16.88.13 vpn1-vlan3.solv 938 0x8000002D 0x000C10 0
172.16.88.13 vpn3-vlan3.solv 1497 0x80000027 0x000C14 0
172.16.88.14 vpn1-vlan3.solv 1088 0x8000002D 0x000219 0
172.16.88.14 vpn3-vlan3.solv 1197 0x80000029 0x00FD1F 0

[root@vpn1 ~]# ip route show | grep 172.16.88
172.16.88.7 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.6 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.4 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.11 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.10 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.9 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.8 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.14 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.13 via 172.16.83.70 dev eth0.3 proto zebra metric 20
172.16.88.0/24 via 172.16.83.70 dev eth0.3 proto zebra metric 20

[root@vpn1 ~]# vtysh

Hello, this is Quagga (version 1.2.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

vpn1.solvo.ru# sh ru
Building configuration...

Current configuration:
!
hostname vpn1.solvo.ru
log file /var/log/quagga/zebra.log
log syslog informational
log facility local4
log record-priority
log timestamp precision 1
!
service advanced-vty
service password-encryption
!
password 8 ************
!
interface eth0
bandwidth 100000
description "DMZ PI network (VLAN 5)"
ip address <hide public ip>
ip ospf authentication-key daCzCt
!
interface eth0.3
bandwidth 100000
description "LAN routing network (VLAN 3)"
ip address 172.16.83.68/26
ip ospf authentication-key *******
!
interface lo
bandwidth 1000000
description "Loopback"
!
interface sit0
!
interface tun0
!
interface tun1
!
interface tun2
!
interface tun3
!
interface tun4
!
interface tun5
!
router ospf
ospf router-id 172.16.83.68
log-adjacency-changes detail
auto-cost reference-bandwidth 1000
redistribute kernel route-map LAN
redistribute connected route-map LAN
redistribute static route-map LAN
passive-interface tun1
passive-interface tun2
passive-interface tun3
passive-interface tun4
passive-interface tun5
network 172.16.83.68/26 area 172.16.80.0
network 172.16.87.0/24 area 172.16.80.0
area 172.16.80.0 authentication
!
ip route 0.0.0.0/0 <hide public ip>
[...]
!
access-list rfc1918 remark Local (RFC1918) networks
access-list rfc1918 permit 10.0.0.0/8
access-list rfc1918 permit 192.168.0.0/16
access-list rfc1918 permit 172.16.0.0/12
access-list rfc1918 deny any
!
route-map LAN permit 10
match ip address rfc1918
!
ip forwarding
!
line vty
!
end

[root@vpn3 ~]# ip route show | grep 172.16.88
172.16.88.0/24 dev tun3 proto kernel scope link src 172.16.88.1
172.16.88.4 dev tun3 scope link
172.16.88.6 dev tun3 scope link
172.16.88.7 dev tun3 scope link
172.16.88.8 dev tun3 scope link
172.16.88.9 dev tun3 scope link
172.16.88.10 dev tun3 scope link
172.16.88.11 dev tun3 scope link
172.16.88.13 dev tun3 scope link
172.16.88.14 dev tun3 scope link

[root@vpn3 ~]# vtysh

Hello, this is Quagga (version 1.2.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

vpn3.solvo.ru# sh ru
Building configuration...

Current configuration:
!
hostname vpn3.solvo.ru
log file /var/log/quagga/zebra.log
log syslog informational
log facility local4
log record-priority
log timestamp precision 1
!
service advanced-vty
service password-encryption
!
password 8 ***********
!
interface eth0
bandwidth 1000000
description "LAN routing network (VLAN3)"
ip address 172.16.83.70/26
ip ospf authentication-key daCzCt
!
interface eth1
bandwidth 100000
description "Public network (VLAN5)"
ip address <hide public ip>
ip ospf authentication-key ******
!
interface lo
bandwidth 1000000
description "Loopback"
!
interface tun3
!
router ospf
ospf router-id 172.16.83.70
log-adjacency-changes detail
auto-cost reference-bandwidth 1000
redistribute kernel route-map LAN
redistribute connected route-map LAN
redistribute static route-map LAN
network 172.16.83.70/26 area 172.16.80.0
area 172.16.80.0 authentication
!
ip route 0.0.0.0/0 <hide public ip>
[...]
!
access-list rfc1918 remark Local (RFC1918) networks
access-list rfc1918 permit 10.0.0.0/8
access-list rfc1918 permit 192.168.0.0/16
access-list rfc1918 permit 172.16.0.0/12
access-list rfc1918 deny any
!
route-map LAN permit 10
match ip address rfc1918
!
ip forwarding
!
line vty
!
end

--
Ivan Kuznetsov
SOLVO ltd
_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
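The symptom in the post is visible in the Type-5 section of the switch's LSDB: the same Link ID (172.16.88.6, .7, .8, ...) carries one external LSA from vpn1-vlan3.solv and one from vpn3-vlan3.solv. The script below is an added example, not code from the post or from Quagga; it parses that pasted `show ip ospf database` text, lists every Link ID advertised by more than one router, and, given the router that is supposed to own the prefixes now (assumed here to be vpn3-vlan3.solv), reports the leftover rows with their age and the seconds remaining until OSPF MaxAge (3600 s, RFC 2328). The sample input is a trimmed copy constructed from the post's own lines.

```python
"""Flag stale-looking Type-5 (AS external) LSAs in 'show ip ospf database' output.

Added example, not part of the original post. Parses the text layout printed
by the Cisco switch above, finds Link IDs advertised by more than one router,
and singles out rows not originated by the expected owner of the prefix.
"""
import ipaddress
import re
from collections import defaultdict

# OSPF LSA MaxAge per RFC 2328. An LSA younger than this is only removed when
# its originator flushes it; other routers will not age it out for us.
LSA_MAX_AGE = 3600

# Constructed sample: a trimmed copy of the LSDB listing from the post.
SAMPLE_LSDB = """\
OSPF Router with ID (172.16.83.65) (Process ID 1)

Router Link States (Area 172.16.80.0)

Link ID ADV Router Age Seq# Checksum Link count
172.16.83.68 vpn1-vlan3.solv 1385 0x80012C4B 0x0078D3 3
172.16.83.70 vpn3-vlan3.solv 1264 0x80000BF9 0x008D66 1

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 gw2-vlan3.solvo 954 0x8000500F 0x0072AD 0
172.16.88.0 vpn3-vlan3.solv 1196 0x80000030 0x007CA7 0
172.16.88.4 vpn3-vlan3.solv 1166 0x80000005 0x00AAA0 0
172.16.88.6 vpn1-vlan3.solv 1328 0x8000002C 0x0054CF 0
172.16.88.6 vpn3-vlan3.solv 1136 0x80000020 0x0060CD 0
172.16.88.7 vpn1-vlan3.solv 1208 0x8000002C 0x004AD8 0
172.16.88.7 vpn3-vlan3.solv 1237 0x80000020 0x0056D6 0
172.16.88.11 vpn3-vlan3.solv 1207 0x80000002 0x006ADC 0
"""

# One Type-5 row: Link ID, ADV Router, Age, Seq#, Checksum, Tag.
ROW_RE = re.compile(
    r"^(?P<link_id>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<adv>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<seq>0x[0-9A-Fa-f]+)\s+(?P<cksum>0x[0-9A-Fa-f]+)\s+(?P<tag>\d+)\s*$"
)


def parse_type5(text):
    """Return the rows of the 'Type-5 AS External Link States' section as dicts."""
    rows = []
    in_type5 = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Type-5 AS External Link States"):
            in_type5 = True
            continue
        if in_type5 and "Link States" in stripped:
            break  # another LSDB section follows; Type-5 rows are over
        if not in_type5:
            continue
        m = ROW_RE.match(stripped)
        if m:  # header line and blank lines do not match
            rows.append({"link_id": m["link_id"], "adv": m["adv"],
                         "age": int(m["age"]), "seq": m["seq"], "tag": int(m["tag"])})
    return rows


def multi_advertised(rows):
    """Map Link ID -> sorted list of ADV Routers, for Link IDs with more than one."""
    by_id = defaultdict(set)
    for r in rows:
        by_id[r["link_id"]].add(r["adv"])
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


def stale_candidates(rows, expected_adv):
    """Rows of multi-advertised Link IDs whose ADV Router is not the expected owner.

    Each tuple is (link_id, adv, age, seconds_until_maxage). A positive last
    value means the LSA will not expire on its own any time soon; the router
    named in 'adv' has to withdraw it.
    """
    dup_ids = multi_advertised(rows)
    out = [(r["link_id"], r["adv"], r["age"], LSA_MAX_AGE - r["age"])
           for r in rows if r["link_id"] in dup_ids and r["adv"] != expected_adv]
    return sorted(out, key=lambda t: (ipaddress.IPv4Address(t[0]), t[1]))


if __name__ == "__main__":
    rows = parse_type5(SAMPLE_LSDB)
    print(f"{len(rows)} Type-5 LSAs parsed")
    for link_id, advs in sorted(multi_advertised(rows).items()):
        print(f"{link_id} advertised by {', '.join(advs)}")
    for link_id, adv, age, left in stale_candidates(rows, "vpn3-vlan3.solv"):
        print(f"stale? {link_id} from {adv}, age {age}s, {left}s to MaxAge")
```

Run against the full listing from the post, it reports every 172.16.88.x host route that vpn1 still originates. Because those LSAs are well under MaxAge and their originator refreshes them, the duplicates will not disappear by aging; they go away only when ospfd on vpn1 flushes them, which is what `redistribute kernel` should trigger once zebra sees the kernel route removed. Comparing this list with `ip route show` on vpn1 (where the same prefixes already point via 172.16.83.70) narrows the problem to the ospfd side of that redistribution rather than to the OpenVPN up/down scripts.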