Netgate Discussion Forum

    Quagga not connecting to other routers

    Routing and Multi WAN
    16 Posts 2 Posters 4.3k Views
      hans-d

      I have two pfsense boxes, connected via openvpn.

      A: OpenVpn Server, Lan 192.168.10.0/24 (multi wan)
      VPN

      • running on LAN, with NAT forwarding
      • tunnel 172.21.12.0/22
      • local network 192.168.10.0/24
      • remote network 172.20.2.0/24
        Client Specific Override (for B)
      • iroute 172.20.2.0 255.255.255.0
        B: OpenVpn Client, Lan 172.20.2.0/24

      From both A and B I can work on the lan of the other.

      At both sides:

      • firewall rules on openvpn: allow all

      Running Quagga on both ends:

      • Router: id set to lan ip of that side
      • Area: 192.168.10.0
        Interface: only the vpn used on that site for the other site

      On both ends:
      Number of fully adjacent neighbors in this area: 0

      What am I missing?

        hans-d

        Additional info:
        on site A I captured the following fragment:
            172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 192.168.2.32, Area 192.168.10.0, Authentication Type: none (0)
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1

        Router-ID 192.168.2.32 is coming from site B

          heper

          did you set a master password ?

            hans-d

            Yep, masterpassword is set at both sites to the same value

              heper

              could you provide us with some screenshot of all your quagga configuration tabs  ?
              if you've assigned interfaces to your openvpn tunnel, make sure you set type to 'none' & restart the tunnels

              other than that i'm not sure what could be the problem, i have multiple sites with dynamic routing using quagga without issues.

                hans-d

                The Quagga screens from the server side.

                Client is almost identical, except:

                • router id: has a different router id
                • no additional routes (yet)
                • different interface (the openvpn client is chosen there)

                screenshot.1.jpg

                  hans-d

                  2nd tab

                  screenshot.2.jpg
                  screenshot.3.jpg

                    heper

                    only differences i see with my configurations are the following:

                    -my area is not an ip address (don't know what the limitations are). Try setting the area to 0.0.0.1
                    -i've filled in the metric @ interface config
                    -i've a description filled in @ interface config
                    -my openvpn server/clients are assigned as physical interface (interfaces–>assign). But i've been told by jimp or cmb that this is no longer a requirement when using quagga, so it shouldn't matter

                    i hope one of these solves your problems, although i somewhat doubt they will.

                      hans-d

                      Here the current routes (first is the client, second is the server).

                      Tried the description and other area, no luck so far.

                      screenshot.1.jpg
                      screenshot.2.jpg

                        heper

                        there are only a few basic requirements for quagga to work:

                        -tunnel endpoints must be able to reach each other
                        -firewall rules must allow ospf traffic

                        it has always worked for me. probably some small thing we're missing to get your setup working

                          hans-d

                          Thanks for helping me think this through.
                          Seems I got all the points covered, but there must be a missing link (pun intended).

                          Quagga status Server

                          Area ID: 0.0.0.1
                            Shortcutting mode: Default, S-bit consensus: ok
                            Number of interfaces in this area: Total: 2, Active: 2
                            Number of fully adjacent neighbors in this area: 0
                            Area has no authentication
                            Number of full virtual adjacencies going through this area: 0
                                OSPF Router with ID (192.168.10.254)

                          Router Link States (Area 0.0.0.1)

                          Link ID        ADV Router      Age  Seq#      CkSum  Link count
                          192.168.10.254  192.168.10.254    2 0x80000002 0x3cc9 2

                          Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
                                I - ISIS, B - BGP, > - selected route, * - FIB route

                          K>* 0.0.0.0/0 via 194.xxx.xxx.xxx, re0
                          C>* 127.0.0.0/8 is directly connected, lo0
                          K>* 172.20.2.0/24 via 172.21.12.2, ovpns4
                          K>* 172.21.4.0/22 via 172.21.4.2, ovpns2
                          C>* 172.21.4.2/32 is directly connected, ovpns2
                          C>* 172.21.8.2/32 is directly connected, ovpns3
                          K>* 172.21.12.0/22 via 172.21.12.2, ovpns4
                          O  172.21.12.2/32 [110/10] is directly connected, ovpns4, 00:00:02
                          C>* 172.21.12.2/32 is directly connected, ovpns4
                          C>* 192.168.8.0/23 is directly connected, em1
                          O  192.168.10.0/24 [110/10] is directly connected, em1, 00:00:02
                          C>* 192.168.10.0/24 is directly connected, em1
                          C>* 192.168.11.0/24 is directly connected, em1
                          C>* 192.168.12.0/22 is directly connected, em2
                          C>* 192.168.178.0/24 is directly connected, em3
                          C>* 194.xxx.xxx.xxx/29 is directly connected, re0
                          C>* 194.xxx.xxx.xxx/32 is directly connected, re0
                          K>* 194.xxx.xxx.xxx/32 via 192.168.178.1, em3
                          K>* 194.xxx.xxx.xxx/32 via 194.xxx.xxx.xxx, re0
                          K>* 194.xxx.xxx.xxx/32 via 194.xxx.xxx.xxx, re0
                          K>* 208.67.220.220/32 via 192.168.178.1, em3
                          K>* 208.67.222.222/32 via xxx.xxx.xxx, re0

                          (em3 and re0 are both wan)

                          em1 is up (= lan 1)
                            ifindex 2, MTU 1500 bytes, BW 0 Kbit <up,broadcast,running,promisc,simplex,multicast>
                            Internet Address 192.168.10.254/24, Broadcast 192.168.10.255, Area 0.0.0.1
                            MTU mismatch detection:enabled
                            Router ID 192.168.10.254, Network Type BROADCAST, Cost: 10
                            Transmit Delay is 1 sec, State Waiting, Priority 1
                            No designated router on this network
                            No backup designated router on this network
                            Multicast group memberships: OSPFAllRouters
                            Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
                              Hello due in 7.921s
                            Neighbor Count is 0, Adjacent neighbor count is 0
                          ovpns4 is up (=openvpn server)
                            ifindex 14, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
                            Internet Address 172.21.12.1/32, Peer 172.21.12.2, Area 0.0.0.1
                            MTU mismatch detection:enabled
                            Router ID 192.168.10.254, Network Type POINTOPOINT, Cost: 10
                            Transmit Delay is 1 sec, State Point-To-Point, Priority 1
                            No designated router on this network
                            No backup designated router on this network
                            Multicast group memberships: OSPFAllRouters
                            Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
                              Hello due in 7.921s
                            Neighbor Count is 0, Adjacent neighbor count is 0

                          Quagga on client

                          ovpns4 is up
                            ifindex 14, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
                            Internet Address 172.21.12.1/32, Peer 172.21.12.2, Area 0.0.0.1
                            MTU mismatch detection:enabled
                            Router ID 192.168.10.254, Network Type POINTOPOINT, Cost: 10
                            Transmit Delay is 1 sec, State Point-To-Point, Priority 1
                            No designated router on this network
                            No backup designated router on this network
                            Multicast group memberships: OSPFAllRouters
                            Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
                              Hello due in 7.921s
                            Neighbor Count is 0, Adjacent neighbor count is 0
                                OSPF Router with ID (172.20.2.254)

                          Router Link States (Area 0.0.0.1)

                          Link ID        ADV Router      Age  Seq#      CkSum  Link count
                          172.20.2.254    172.20.2.254    421 0x80000004 0xe62c 2

                          Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
                                I - ISIS, B - BGP, > - selected route, * - FIB route

                          K>* 0.0.0.0/0 via 192.168.2.254, em0
                          K>* 8.8.8.8/32 via 192.168.2.254, em0
                          C>* 127.0.0.0/8 is directly connected, lo0
                          O  172.20.2.0/24 [110/10] is directly connected, em1, 00:07:41
                          C>* 172.20.2.0/24 is directly connected, em1
                          K>* 172.21.12.1/32 via 172.21.12.5, ovpnc4
                          O  172.21.12.5/32 [110/10] is directly connected, ovpnc4, 00:07:41
                          C>* 172.21.12.5/32 is directly connected, ovpnc4
                          C>* 192.168.2.0/24 is directly connected, em0
                          K>* 192.168.10.0/24 via 172.21.12.5, ovpnc4
                          K>* 208.67.222.222/32 via 192.168.2.254, em0

                          em0 = wan

                          em1 is up
                            ifindex 2, MTU 1500 bytes, BW 0 Kbit <up,broadcast,running,simplex,multicast>
                            Internet Address 172.20.2.254/24, Broadcast 172.20.2.255, Area 0.0.0.1
                            MTU mismatch detection:enabled
                            Router ID 172.20.2.254, Network Type BROADCAST, Cost: 10
                            Transmit Delay is 1 sec, State DR, Priority 1
                            Designated Router (ID) 172.20.2.254, Interface Address 172.20.2.254
                            No backup designated router on this network
                            Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
                            Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
                              Hello due in 9.275s
                            Neighbor Count is 0, Adjacent neighbor count is 0

                          ovpnc4 is up
                            ifindex 8, MTU 1500 bytes, BW 0 Kbit <up,pointopoint,running,multicast>
                            Internet Address 172.21.12.6/32, Peer 172.21.12.5, Area 0.0.0.1
                            MTU mismatch detection:enabled
                            Router ID 172.20.2.254, Network Type POINTOPOINT, Cost: 10
                            Transmit Delay is 1 sec, State Point-To-Point, Priority 1
                            No designated router on this network
                            No backup designated router on this network
                            Multicast group memberships: OSPFAllRouters
                            Timer intervals configured, Hello 10s, Dead 2s, Wait 2s, Retransmit 5
                              Hello due in 9.275s
                            Neighbor Count is 0, Adjacent neighbor count is 0

                          Firewall

                          On openvpn tab:

                          ID Proto Source Port Destination Port Gateway Queue Schedule Description

                                    • none   allow all

                            hans-d

                            assigning vpn server / client to interfaces did not work.

                            on server side I can see in pftop:
                            ospf  I 172.21.12.6:0        224.0.0.5:0 
                            ospf  O 172.21.12.1:0        224.0.0.5:0

                            on the client side I can see in pftop
                            ospf  O 172.21.12.6:0        224.0.0.5:0 
                            ospf  I 172.21.12.1:0        224.0.0.5:0

                            Doing a trace on 172.21.12.6 on both sides gets me on both sides
                                172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
                            Router-ID 172.20.2.254, Area 0.0.0.1, Authentication Type: none (0)
                            Options [External]
                              Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1

                            And a trace on 172.2.12.1 gets me on both sides:
                                172.21.12.1 > 224.0.0.5: OSPFv2, Hello, length 44
                            Router-ID 192.168.10.254, Area 0.0.0.1, Authentication Type: none (0)
                            Options [External]
                              Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1

                            So data is coming through on both ends, but somehow Quagga doesn't respond

                              heper

                              i've been wondering ….

                              how have you been adding routes for your openvpn connection ?

                              also i just noticed
                              ```
                              172.21.12.6 > 224.0.0.5: OSPFv2, Hello, length 44
                              ```

                              ```
                              192.168.222.1 > 224.0.0.5: OSPFv2, Hello, length 48
                              Router-ID 10.10.10.1, Area 0.0.0.1, Authentication Type: none (0)
                              Options [External]
                               Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.255, Priority 1
                               Neighbor List:
                                 10.0.0.1
                              ```

                                hans-d

                                My vpn server settings:

                                • peer-to-peer ssl/tls
                                • udp
                                • tun
                                • interface LAN (portforwarded from two WAN)
                                • Tunnel: 172.21.12.0/22
                                • Local network: 192.168.10.0/24 *
                                • Remote network: 172.20.2.0/24 *
                                • nothing with advanced

                                Client specific override:

                                • iroute 172.20.2.0 255.255.255.0; *

                                Open vpn client:

                                • tunnel network: left empty
                                • remote network: left empty
                                • nothing with advanced
                                • Needed to work on both lans (prior to quagga)

                                No additional routes entered anywhere else

                                  heper

                                  could you do me a favor and fill in the tunnel network on the client side ?

                                  restart ovpn & quagga afterwards to be sure

                                    hans-d

                                    I've set up an additional testbox to have two boxes that could be easily reset without disrupting the normal users.
                                    I've now got it working on these test machines by adding tunnel and remote on the vpn client configuration.
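
The comparison the thread makes by eye between a captured Hello and the local interface status (area, authentication type, timers, neighbor list), as an added example that is not part of the original posts. The dict layout and function names are assumptions; the sample Hello and interface values are constructed from the text quoted in the thread.

```python
import re

# Constructed from the tcpdump -v text quoted in the thread (Hello sent by the server).
HELLO_FROM_SERVER = """\
172.21.12.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 192.168.10.254, Area 0.0.0.1, Authentication Type: none (0)
Options [External]
  Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
"""

# Assumed dict layout; values copied from the client's ovpnc4 status in the thread.
CLIENT_OVPNC4 = {"router_id": "172.20.2.254", "area": "0.0.0.1",
                 "hello": 10, "dead": 2, "auth": 0}


def parse_hello(text):
    """Parse one tcpdump -v OSPFv2 Hello into the fields that gate adjacency."""
    src = re.search(r"(\S+) > \S+: OSPFv2, Hello, length \d+", text)
    hdr = re.search(r"Router-ID (\S+), Area (\S+), Authentication Type: [^(]*\((\d+)\)", text)
    tim = re.search(r"Hello Timer (\d+)s, Dead Timer (\d+)s, Mask (\S+),", text)
    if not (src and hdr and tim):
        raise ValueError("not a complete OSPFv2 Hello in tcpdump -v layout")
    # Neighbors, when present, are the indented address-only lines after the label.
    tail = text.split("Neighbor List:", 1)
    neighbors = (re.findall(r"^[ \t]+(\d+(?:\.\d+){3})[ \t]*$", tail[1], re.M)
                 if len(tail) == 2 else [])
    return {"src": src.group(1), "router_id": hdr.group(1), "area": hdr.group(2),
            "auth": int(hdr.group(3)), "hello": int(tim.group(1)),
            "dead": int(tim.group(2)), "mask": tim.group(3), "neighbors": neighbors}


def adjacency_problems(hello, iface):
    """List why a router configured as `iface` would not reach Full with the sender."""
    problems = []
    if hello["router_id"] == iface["router_id"]:
        problems.append("duplicate router ID")
    for key, label in (("area", "area"), ("auth", "authentication type"),
                       ("hello", "hello interval"), ("dead", "dead interval")):
        if hello[key] != iface[key]:
            problems.append(f"{label} mismatch: peer {hello[key]}, local {iface[key]}")
    # A sender that has accepted our Hellos lists our router ID; otherwise we stay in Init.
    if iface["router_id"] not in hello["neighbors"]:
        problems.append("one-way: peer does not list our router ID")
    return problems


if __name__ == "__main__":
    for line in adjacency_problems(parse_hello(HELLO_FROM_SERVER), CLIENT_OVPNC4):
        print(line)
```

The thread does not identify which check failed; the function only reports what the quoted values would cause an OSPF router to reject or hold in Init.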
