
Dynamic multipoint IPsec VPNs (3)

Friday, 1 April 2005

 


Looking at the state of the SAs, we find the following:

cpe-annexe1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.23.211.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.22.0.1/255.255.255.255/47/0)
   current_peer 172.22.0.1 port 500

     local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.22.0.1

     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

One thing stands out here: the SAs towards the hub are established, but there is nothing at all for the other spoke, not even the beginning of an ISAKMP negotiation.

This is entirely normal: spoke-to-spoke tunnels are created dynamically, only once traffic is exchanged between the two spokes:

cpe-annexe1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms
cpe-annexe1#
cpe-annexe1#show crypto ipsec sa                 

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.23.211.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.23.211.2/255.255.255.255/47/0)
   current_peer 172.23.211.2 port 500

     local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.23.211.2
     path mtu 1500, ip mtu 1500

     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.22.0.1/255.255.255.255/47/0)
   current_peer 172.22.0.1 port 500

     local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.22.0.1

     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE

cpe-annexe1#

After the ping (issued with an explicit source address, so that it does not leave the router with the Tunnel0 address as its source), the SAs with the second spoke (172.23.211.2) are now established as well: a second "current_peer" block has appeared next to the hub's, with the same transform set and both ESP SAs ACTIVE.
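The two captures above are what one checks by eye. The following is an added example, not code from the original article, that parses the output of "show crypto ipsec sa" and reports, per peer, whether both ESP SAs are ACTIVE, so the before/after state of the spoke-to-spoke tunnel can be checked from a script or a monitoring job rather than by reading the output. The sample captures are constructed from the article's own output (hub 172.22.0.1, second spoke 172.23.211.2) and trimmed to the lines the parser uses; the list of expected peers is an assumption.

```python
"""Parse `show crypto ipsec sa` and tell, per IPsec peer, whether both ESP SAs
are ACTIVE.  Added example, not code from the original article; the captures
below are constructed from the article's output and trimmed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IDENT_RE = re.compile(r"^\s*remote ident \(addr/mask/prot/port\): \(\S+/\S+/(\d+)/\d+\)")
PEER_RE = re.compile(r"^\s*current_peer (\S+) port (\d+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
TRANSFORM_RE = re.compile(r"^\s*transform: (.+?)\s*,?\s*$")
STATUS_RE = re.compile(r"^\s*Status: (\S+)")

@dataclass
class PeerSA:
    peer: str
    port: int
    protocol: Optional[int] = None                               # 47 = GRE for a DMVPN tunnel
    transforms: Dict[str, str] = field(default_factory=dict)     # direction -> transform
    status: Dict[str, str] = field(default_factory=dict)         # direction -> Status

    def is_up(self) -> bool:
        """Both directions must be ACTIVE for the tunnel to carry traffic."""
        return all(self.status.get(d) == "ACTIVE" for d in ("inbound", "outbound"))

def parse_ipsec_sa(text: str) -> Dict[str, PeerSA]:
    """One PeerSA per `current_peer` block; block order does not matter."""
    peers: Dict[str, PeerSA] = {}
    current: Optional[PeerSA] = None
    direction: Optional[str] = None
    protocol: Optional[int] = None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):            # IOS prints the ident before current_peer
            protocol = int(m.group(1))
        elif m := PEER_RE.match(line):
            current = peers.setdefault(m.group(1), PeerSA(m.group(1), int(m.group(2))))
            current.protocol = protocol
            direction = None
        elif current is None:
            continue                             # header lines before the first peer
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif direction and (m := TRANSFORM_RE.match(line)):
            current.transforms[direction] = m.group(1)
        elif direction and (m := STATUS_RE.match(line)):
            current.status[direction] = m.group(1)
    return peers

def check_peers(text: str, expected: List[str]) -> Dict[str, str]:
    """'up' (both SAs ACTIVE), 'down' (peer present but not ACTIVE both ways) or 'missing'."""
    peers = parse_ipsec_sa(text)
    return {p: "missing" if p not in peers else ("up" if peers[p].is_up() else "down")
            for p in expected}

# Constructed from the article's first capture: only the hub SA exists.
SA_BEFORE_PING = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.23.211.3

   remote ident (addr/mask/prot/port): (172.22.0.1/255.255.255.255/47/0)
   current_peer 172.22.0.1 port 500

     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

# Constructed from the second capture: the spoke-to-spoke SA appeared after the ping.
SA_AFTER_PING = SA_BEFORE_PING + """
   remote ident (addr/mask/prot/port): (172.23.211.2/255.255.255.255/47/0)
   current_peer 172.23.211.2 port 500

     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

if __name__ == "__main__":
    for name, capture in (("before ping", SA_BEFORE_PING), ("after ping", SA_AFTER_PING)):
        print(name, check_peers(capture, ["172.22.0.1", "172.23.211.2"]))
```

Fed the real output of "show crypto ipsec sa" on a spoke, check_peers() returns "missing" for the other spoke until traffic has triggered the NHRP resolution and the IPsec negotiation, exactly the before/after difference shown above.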

 Complete configurations

Only the configuration of the annexe 1 spoke is given; the second spoke's configuration is easily derived from it.

A few points are worth noting before reusing these configurations. The ISAKMP pre-shared key is bound to "address 0.0.0.0 0.0.0.0", i.e. a single key shared by every peer: this is what lets spokes whose WAN address comes from DHCP authenticate to the hub, but it also means that any device holding that key (plus the NHRP and tunnel keys) can join the cloud, and certificate authentication is the way out of that. "crypto isakmp policy 1" only sets the authentication method, so IOS keeps its defaults for the rest of Phase 1 (DES encryption, DH group 1). Finally, the vty lines are configured with "transport input all", which accepts Telnet as well as SSH.

 Central site (hub, mairie)

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cpe-mairie
!
boot-start-marker
boot-end-marker
!
enable secret 0 MOT_DE_PASSE
enable password 0 MOT_DE_PASSE
!
username admin privilege 15 password 0 MOT_DE_PASSE
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!

!
! 
!
crypto isakmp policy 1
  authentication pre-share
crypto isakmp key PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac 
  mode transport
!
crypto ipsec profile vpn_tunnel_profile
  set transform-set default-ts 
!
!
!
!
interface Tunnel0
  bandwidth 1000
  ip address 10.0.0.1 255.255.255.0
  no ip redirects
  ip mtu 1436
  ip nhrp authentication NHRP_KEY
  ip nhrp map multicast dynamic
  ip nhrp network-id 99
  ip nhrp holdtime 600
  ip ospf network broadcast
  ip ospf priority 2
  delay 1000
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpn_tunnel_profile
!
interface Loopback0
  ip address 172.22.0.1 255.255.255.255
!
interface Ethernet0
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  no cdp enable
!
interface Ethernet1
  ip address dhcp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  no cdp enable
!
interface FastEthernet1
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet2
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet3
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet4
  no ip address
  duplex auto
  speed auto
!
router ospf 1
  log-adjacency-changes
  passive-interface Ethernet0
  network 10.0.0.0 0.0.0.255 area 0
  network 192.168.0.0 0.0.0.255 area 0
!
router rip
  version 2
  passive-interface default
  no passive-interface Ethernet1
  network 172.22.0.0
  network 172.23.0.0
  no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
!
line con 0
  no modem enable
  transport preferred all
  transport output all
line aux 0
  transport preferred all
  transport output all
line vty 0 4
  exec-timeout 30 0
  password 0 MOT_DE_PASSE
  login local
  length 0
  transport preferred all
  transport input all
  transport output all
  escape-character 3
!
scheduler max-task-time 5000
end


 Remote site (spoke, annexe 1)

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cpe-annexe1
!
boot-start-marker
boot-end-marker
!
enable secret 0 MOT_DE_PASSE
enable password 0 MOT_DE_PASSE
!
username admin privilege 15 password 0 MOT_DE_PASSE
no aaa new-model
ip subnet-zero
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
! 
!
crypto isakmp policy 1
  authentication pre-share
crypto isakmp key PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac 
  mode transport
!
crypto ipsec profile vpn_tunnel_profile
  set transform-set default-ts 
!
!
!
!
interface Tunnel0
  bandwidth 1000
  ip address 10.0.0.2 255.255.255.0
  no ip redirects
  ip mtu 1436
  ip nhrp authentication NHRP_KEY
  ip nhrp map 10.0.0.1 172.22.0.1
  ip nhrp map multicast 172.22.0.1
  ip nhrp network-id 99
  ip nhrp holdtime 600
  ip nhrp nhs 10.0.0.1
  ip ospf network broadcast
  ip ospf priority 0
  delay 1000
  tunnel source Ethernet1
  tunnel mode gre multipoint
  tunnel key 100000
  tunnel protection ipsec profile vpn_tunnel_profile
!
interface Ethernet0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  no cdp enable
!
interface Ethernet1
  ip address dhcp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  no cdp enable
!
interface FastEthernet1
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet2
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet3
  no ip address
  duplex auto
  speed auto
!
interface FastEthernet4
  no ip address
  duplex auto
  speed auto
!
router ospf 1
  log-adjacency-changes
  passive-interface Ethernet0
  network 10.0.0.0 0.0.0.255 area 0
  network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
  no modem enable
  transport preferred all
  transport output all
line aux 0
  transport preferred all
  transport output all
line vty 0 4
  exec-timeout 30 0
  password 0 MOT_DE_PASSE
  login local
  length 0
  transport preferred all
  transport input all
  transport output all
  escape-character 3
!
scheduler max-task-time 5000
end
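As an added example, not code from the article, the following script lints an IOS configuration for the settings in these two configurations that decide who can join the VPN and how strongly it is protected: the wildcard pre-shared key, the ISAKMP policy that leaves encryption and DH group at their defaults, the 3DES transform set, the reversible passwords next to "enable secret", and Telnet on the vty lines. The finding codes are the script's own naming. The sample input is an abridged copy of the article's hub configuration; the hardened counterpart is an assumption (it supposes an IOS image that supports AES and DH group 14, SSH already set up, and a spoke with a fixed address, whereas the article's DHCP-addressed spokes would need certificate authentication rather than a per-address key).

```python
"""Lint an IOS running-config for the IPsec/DMVPN settings that matter most.
Added example, not code from the article; finding codes are this script's own."""
import re
from typing import List, Tuple

def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config into (command, [indented sub-commands]); '!' lines are skipped."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def redact(line: str) -> str:
    """Never copy key or password material into a finding."""
    return re.sub(r"\b(key|password|secret|nhrp authentication)\s+(?:\d\s+)?\S+",
                  r"\1 <redacted>", line)

def audit(config: str) -> List[Tuple[str, str]]:
    f: List[Tuple[str, str]] = []
    for cmd, sub in parse_sections(config):
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", cmd):
            f.append(("WILDCARD_PSK", redact(cmd)))          # one key shared by every peer
        elif cmd.startswith("enable password "):
            f.append(("ENABLE_PASSWORD", redact(cmd)))       # reversible; enable secret is enough
        elif re.match(r"username \S+ .*\bpassword\b", cmd):
            f.append(("REVERSIBLE_PASSWORD", redact(cmd)))   # 'secret' stores a hash instead
        elif cmd.startswith("crypto isakmp policy"):
            if not any(s.startswith("encryption ") for s in sub):   # IOS default: DES
                f.append(("ISAKMP_DEFAULT_ENCRYPTION", cmd))
            if not any(s.startswith("group ") for s in sub):        # IOS default: group 1
                f.append(("ISAKMP_DEFAULT_DH_GROUP", cmd))
        elif cmd.startswith("crypto ipsec transform-set"):
            if re.search(r"\besp-(3des|des|null)\b|\besp-md5-hmac\b", cmd):
                f.append(("WEAK_TRANSFORM", cmd))
        elif cmd.startswith("interface Tunnel"):
            if not any(s.startswith("tunnel protection ipsec profile") for s in sub):
                f.append(("TUNNEL_UNPROTECTED", cmd))        # GRE would go out in the clear
            if any(s.startswith("ip nhrp network-id") for s in sub) and \
               not any(s.startswith("ip nhrp authentication") for s in sub):
                f.append(("NHRP_NO_AUTH", cmd))
        elif cmd.startswith("line vty"):
            for s in sub:
                if re.match(r"password\s", s):
                    f.append(("REVERSIBLE_PASSWORD", cmd + ": " + redact(s)))
                if re.match(r"transport input (all|telnet)\b", s):
                    f.append(("TELNET_ALLOWED", cmd + ": " + s))   # cleartext management
    return f

# Abridged from the article's hub configuration (constructed sample).
HUB_CONFIG = """\
enable secret 0 MOT_DE_PASSE
enable password 0 MOT_DE_PASSE
username admin privilege 15 password 0 MOT_DE_PASSE
crypto isakmp policy 1
  authentication pre-share
crypto isakmp key PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac 
  mode transport
interface Tunnel0
  ip nhrp authentication NHRP_KEY
  ip nhrp network-id 99
  tunnel protection ipsec profile vpn_tunnel_profile
line vty 0 4
  password 0 MOT_DE_PASSE
  login local
  transport input all
"""

# Hardened counterpart (assumption: AES/DH group 14 supported, SSH configured,
# fixed spoke address; DHCP-addressed spokes need rsa-sig authentication instead).
HARDENED_CONFIG = """\
enable secret 0 MOT_DE_PASSE
username admin privilege 15 secret 0 MOT_DE_PASSE
crypto isakmp policy 1
  encryption aes 256
  hash sha
  authentication pre-share
  group 14
crypto isakmp key PRE_SHARED_KEY address 172.23.211.2 255.255.255.255
crypto ipsec transform-set aes-ts esp-aes 256 esp-sha-hmac
  mode transport
interface Tunnel0
  ip nhrp authentication NHRP_KEY
  ip nhrp network-id 99
  tunnel protection ipsec profile vpn_tunnel_profile
line vty 0 4
  login local
  transport input ssh
"""

if __name__ == "__main__":
    for code, where in audit(HUB_CONFIG):
        print(f"{code:28s} {where}")
    print("hardened:", audit(HARDENED_CONFIG))
```

Run against the hub configuration above it reports eight findings and none against the hardened variant; the findings carry the offending line with key and password material replaced by "<redacted>", so the report can be stored or mailed without leaking the secrets the configuration contains.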

by Michel Blanc