VYATTA - The Easy Tutorial - Case Study 8 - IPSEC

Vyatta Case 8 - IPSec
Last modified: Jul 05 2010








1. PRINCIPLE 2. DIAGRAM 3. CONFIGURATIONS 4. SHOW COMMANDS


1. PRINCIPLE

Vyatta version used: VC 2.2 Aug 30, 2007
The goal of this tutorial is to create a secure tunnel between a Vyatta router and a Cisco router using the IPSec protocol.
IPSec is a set of layer-3 protocols and is typically used to create virtual private networks (VPNs) across unsecured networks such as the Internet.
To provide IPSec functionality, Vyatta has integrated Openswan, a free and open source tool used to create IPSec tunnels on Linux platforms.

We will limit ourselves here to a few key concepts about IPSec and VPNs.

IPSec:

IPSec can be made up of one or both of the following layer-3 protocols:
ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP can be used to provide integrity and confidentiality, AH integrity only.

Two protocols are closely tied to IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409). ISAKMP (Internet Security Association and Key Management Protocol) is used to establish the security associations and IKE (Internet Key Exchange) to manage the key exchange automatically over UDP port 500.

Only predefined traffic, called "interesting traffic", can bring up an IPSec tunnel.

VPN:

To be considered a VPN, a tunnel must respect the following principles:

- Confidentiality: the data cannot be seen in a readable format.
- Integrity: the data cannot be modified.
- Authentication: the VPN gateways are sure of each other's identity.

About the case study:

Loopback (or virtual) addresses have been created on the Cisco A and Vyatta routers. The IPSec tunnel only comes up when traffic goes from the loopback address of one router towards the loopback address of the other router.
See below to find out how to bring up the tunnel.

Important note: Vyatta supports only ESP, not AH.


2. DIAGRAM

[Diagram: Vyatta / Cisco case study - IPSec]

Features tested:

Interface settings
IPSec
IKE

 


3. CONFIGURATIONS

VYATTA ROUTER VC2.2 Aug 30, 2007

edit interfaces ethernet eth0
  set address 100.0.0.1 prefix-length 24

edit interfaces loopback lo
  set address 10.200.1.1 prefix-length 24

set system host-name Vyatta
set service telnet

edit system login user vyatta
  set authentication plaintext-password password

set vpn ipsec
edit vpn ipsec
  set ipsec-interfaces
  edit ipsec-interfaces
    set interface eth0

  set ike-group IKE
  edit ike-group IKE
    set lifetime 7200
  set ike-group IKE proposal 1
  edit ike-group IKE proposal 1
      set encryption 3des
      set hash md5
      set dh-group 2

  set esp-group ESP
  edit esp-group ESP
    set lifetime 1800
  set esp-group ESP proposal 1
  edit esp-group ESP proposal 1
      set encryption 3des
      set hash md5

  set site-to-site
  edit site-to-site
    set peer 50.0.0.1
    edit peer 50.0.0.1
    set authentication pre-shared-secret teddy
    set ike-group IKE
    set local-ip 100.0.0.1
    set tunnel 1
    edit tunnel 1
      set local-subnet 10.200.0.0/16
      set remote-subnet 10.250.0.0/16
      set esp-group ESP

set protocols static route 50.0.0.1/32 next-hop 100.0.0.2

CISCO ROUTER A 2621 IOS: 12.2(46a)

interface FastEthernet0/1
  ip address 50.0.0.1 255.255.255.0
  crypto map m1

interface Loopback 1
  ip address 10.250.1.1 255.255.255.255

hostname Cisco-routerA

line vty 0 4
  no login

enable secret password

crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 7200
crypto isakmp key teddy address 100.0.0.1

crypto ipsec transform-set t1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 1800

crypto map m1 110 ipsec-isakmp
  set peer 100.0.0.1
  set transform-set t1
  match address 111

access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

ip route 100.0.0.1 255.255.255.255 50.0.0.2
ip route 10.200.1.1 255.255.255.255 100.0.0.1

CISCO ROUTER B 2621 IOS: 12.2(23a)

interface FastEthernet0/0
  ip address 100.0.0.2 255.255.255.0
interface FastEthernet0/1
  ip address 50.0.0.2 255.255.255.0
hostname Cisco-routerB
line vty 0 4
  no login
enable secret password
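As an added example (not code from the OpenManiak tutorial, Vyatta or Cisco), this Python script compares the IKE and ESP settings of the two configurations above and flags the ones (3DES, MD5, DH group 2) that are weak by today's standards; the parameter dictionaries are constructed from the configurations in this section, and the Cisco-to-Vyatta keyword tables are an assumption that covers only the keywords used here.

```python
# Added example, not code from the OpenManiak tutorial, Vyatta or Cisco:
# compare the IKE (phase 1) and ESP (phase 2) settings of the Vyatta
# ike-group/esp-group with the Cisco isakmp policy/transform-set, and
# flag settings that are weak by today's standards.

# Cisco IOS keyword -> Vyatta keyword (assumed table, only the common values).
CISCO_ISAKMP_ENCR = {"des": "des", "3des": "3des", "aes": "aes128", "aes 256": "aes256"}
CISCO_ISAKMP_HASH = {"md5": "md5", "sha": "sha1"}
CISCO_ESP_ENCR = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128"}
CISCO_ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

# DES/3DES and MD5 are deprecated; DH groups 1, 2 and 5 are below 2048 bits.
WEAK_ALGORITHMS = {"des", "3des", "md5"}
WEAK_DH_GROUPS = {1, 2, 5}

# Constructed from the two configurations shown in section 3.
VYATTA = {
    "ike": {"encryption": "3des", "hash": "md5", "dh-group": 2, "lifetime": 7200},
    "esp": {"encryption": "3des", "hash": "md5", "lifetime": 1800},
}
CISCO = {
    "isakmp": {"encr": "3des", "hash": "md5", "group": 2, "lifetime": 7200},
    "transform-set": ["esp-3des", "esp-md5-hmac"],
    "sa-lifetime": 1800,
}

def cisco_transform_set(transforms):
    """Split a Cisco transform-set into (encryption, hash) in Vyatta terms."""
    encryption = auth = None
    for transform in transforms:
        if transform in CISCO_ESP_ENCR:
            encryption = CISCO_ESP_ENCR[transform]
        elif transform in CISCO_ESP_AUTH:
            auth = CISCO_ESP_AUTH[transform]
        else:
            raise ValueError("unhandled transform: %s" % transform)
    return encryption, auth

def check_phase1(vyatta_ike, cisco_isakmp):
    """Settings on which the ISAKMP policy and the ike-group disagree."""
    cisco = {"encryption": CISCO_ISAKMP_ENCR.get(cisco_isakmp["encr"]),
             "hash": CISCO_ISAKMP_HASH.get(cisco_isakmp["hash"]),
             "dh-group": cisco_isakmp["group"], "lifetime": cisco_isakmp["lifetime"]}
    return ["IKE %s mismatch" % key for key in ("encryption", "hash", "dh-group", "lifetime")
            if vyatta_ike[key] != cisco[key]]

def check_phase2(vyatta_esp, cisco_transforms, cisco_sa_lifetime):
    """Settings on which the transform-set/SA lifetime and the esp-group disagree."""
    encryption, auth = cisco_transform_set(cisco_transforms)
    cisco = {"encryption": encryption, "hash": auth, "lifetime": cisco_sa_lifetime}
    return ["ESP %s mismatch" % key for key in ("encryption", "hash", "lifetime")
            if vyatta_esp[key] != cisco[key]]

def weak_settings(vyatta_ike, vyatta_esp):
    """Sorted list of the negotiated settings that should be replaced."""
    found = {group[key] for group in (vyatta_ike, vyatta_esp)
             for key in ("encryption", "hash") if group[key] in WEAK_ALGORITHMS}
    if vyatta_ike["dh-group"] in WEAK_DH_GROUPS:
        found.add("dh-group %d" % vyatta_ike["dh-group"])
    return sorted(found)

if __name__ == "__main__":
    print("phase 1:", check_phase1(VYATTA["ike"], CISCO["isakmp"]) or "OK")
    print("phase 2:", check_phase2(VYATTA["esp"], CISCO["transform-set"],
                                   CISCO["sa-lifetime"]) or "OK")
    print("weak settings:", weak_settings(VYATTA["ike"], VYATTA["esp"]))
```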
 


4. SHOW COMMANDS:

BRINGING UP THE IPSEC TUNNEL:

The interesting traffic was defined as follows:

On the Cisco router: source IP: 10.250.0.0/16 ; destination IP: 10.200.0.0/16
   access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

On the Vyatta router: source IP: 10.200.0.0/16 ; destination IP: 10.250.0.0/16
   set local-subnet 10.200.0.0/16
   set remote-subnet 10.250.0.0/16


To bring up the IPSec tunnel, the source and destination IP addresses of the packets must lie within the ranges defined on the Vyatta or Cisco A router.

We use the ping command to generate traffic matching the conditions defined on the Cisco or Vyatta router. The source IP address must be specified in the ping command, otherwise the source IP address is the IP address of the outgoing physical interface.

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: specifies the source IP address
-c: number of packets sent

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
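As an added example (not part of the original tutorial), the following Python script parses the two interesting-traffic definitions above, checks that they mirror each other, and reproduces the rule that only a ping sourced from the loopback address brings up the tunnel; the ACL and set lines are constructed copies of the ones shown above.

```python
# Added example, not code from the OpenManiak tutorial: parse the
# "interesting traffic" definitions of both gateways, check that they
# mirror each other, and decide whether a given packet would bring up
# the tunnel. The inputs are constructed copies of the lines shown above.
import ipaddress

CISCO_ACL = "access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255"
VYATTA_TUNNEL = ["set local-subnet 10.200.0.0/16", "set remote-subnet 10.250.0.0/16"]


def wildcard_to_network(address, wildcard):
    """Cisco ACL wildcard masks are inverted subnet masks: 0.0.255.255 -> /16."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network("%s/%s" % (address, ipaddress.IPv4Address(mask)), strict=False)


def parse_cisco_acl(line):
    """Return (source, destination) networks of an 'access-list N permit ip' line."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
        raise ValueError("only 'access-list N permit ip SRC WC DST WC' is handled")
    return wildcard_to_network(parts[4], parts[5]), wildcard_to_network(parts[6], parts[7])


def parse_vyatta_tunnel(lines):
    """Return (local-subnet, remote-subnet) from the tunnel's set commands."""
    subnets = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "set" and parts[1] in ("local-subnet", "remote-subnet"):
            subnets[parts[1]] = ipaddress.ip_network(parts[2])
    return subnets["local-subnet"], subnets["remote-subnet"]


def selectors_mirror(vyatta_local, vyatta_remote, cisco_src, cisco_dst):
    """The quick-mode proxy IDs must match: each side's local range is the other's remote."""
    return vyatta_local == cisco_dst and vyatta_remote == cisco_src


def is_interesting(src_ip, dst_ip, local, remote):
    """True if a packet src->dst leaving this gateway matches its selector."""
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)


if __name__ == "__main__":
    c_src, c_dst = parse_cisco_acl(CISCO_ACL)
    v_local, v_remote = parse_vyatta_tunnel(VYATTA_TUNNEL)
    print("selectors mirrored:", selectors_mirror(v_local, v_remote, c_src, c_dst))
    # A ping from the WAN address is not interesting; from the loopback it is.
    print("Cisco ping from 50.0.0.1:", is_interesting("50.0.0.1", "10.200.1.1", c_src, c_dst))
    print("Cisco ping from 10.250.1.1:", is_interesting("10.250.1.1", "10.200.1.1", c_src, c_dst))
```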
IKE

Cisco-RouterA#show crypto isakmp policy

Protection suite of priority 1
  encryption algorithm: Three key triple DES
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 7200 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Cisco-RouterA#show crypto isakmp sa

dst             src             state          conn-id    slot
50.0.0.1        100.0.0.1       QM_IDLE              4       0
Cisco-RouterA#show crypto isakmp key

Hostname/Address 100.0.0.1
Preshared Key teddy
Vyatta>show vpn ike status

IKE Process Running

PID: 8366
Vyatta>show vpn ike secrets

Local IP        Peer IP         Secret
--------        -------         ------
100.0.0.1       50.0.0.1        "teddy"
Vyatta>show vpn ike sa

Local IP     Peer IP      State  Encrypt  Hash  NAT-T  A-Time  L-Time
--------     -------      -----  -------  ----  -----  ------  ------
100.0.0.1    50.0.0.1     up     3des     md5   No     769     7200
IPSEC

Cisco-RouterA#show crypto ipsec transform-set

Transform set t1: { esp-3des esp-md5-hmac }
  will negotiate = { Tunnel, },
Cisco-RouterA#show crypto ipsec security-association-lifetime

Security association lifetime: 4608000 kilobytes/1800 seconds
Cisco-RouterA#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: m1, local addr. 50.0.0.1
           
  local ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
  current_peer: 100.0.0.1
      PERMIT, flags={origin_is_acl,}
    # pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    # pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    # pkts compressed: 0, #pkts decompressed: 0
    # pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    # send errors 0, #recv errors 0
           
      local crypto endpt.: 50.0.0.1, remote crypto endpt.: 100.0.0.1
      path mtu 1500, ip mtu 1500, ip mtu interface FastEthernet0/1
      current outbound spi: CA59FF09
           
      inbound esp sas:
        spi: 0xEC0B17CB(3960149963)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2004, flow_id: 5, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      inbound ah sas:
           
      inbound pcp sas:
           
      outbound esp sas:
        spi: 0xCA59FF09(3394895625)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2005, flow_id: 6, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      outbound ah sas:
           
      outbound pcp sas:
Cisco-RouterA#show crypto engine connections active

ID    Interface         IP-Address   State  Algorithm            Encrypt  Decrypt
4     FastEthernet0/1   50.0.0.1     set    HMAC_MD5+3DES_56_C   0        0
2004  FastEthernet0/1   50.0.0.1     set    HMAC_MD5+3DES_56_C   0        5
2005  FastEthernet0/1   50.0.0.1     set    HMAC_MD5+3DES_56_C   5        0
Vyatta>show vpn ipsec status

IPSec Process Running PID: 8366

IPsec Interfaces:
   eth0 (100.0.0.1)
Vyatta>show vpn ipsec sa

Peer IP     Tunnel#  Dir  SPI       Encrypt  Hash  NAT-T  A-Time  L-Time
-------     -------  ---  ---       -------  ----  -----  ------  ------
50.0.0.1    1        in   e834f47b  3des     md5   No     185     1800
50.0.0.1    1        out  778ed647  3des           No     185     1800
ROUTES:

Cisco-RouterA#show ip route

Gateway of last resort is not set
 
  50.0.0.0/24 is subnetted, 1 subnets
C   50.0.0.0 is directly connected, FastEthernet0/1
  100.0.0.0/32 is subnetted, 1 subnets
S   100.0.0.1 [1/0] via 50.0.0.2
  10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   10.0.0.0/24 is directly connected, FastEthernet0/0
S   10.200.1.1/32 [1/0] via 100.0.0.1
C   10.250.1.1/32 is directly connected, Loopback1
Vyatta>show route

Routes: 4/4, Paths: 4/4
10.200.1.0/24 [connected(0)] > to 10.200.1.1 via lo
50.0.0.1 [static(1)] > to 100.0.0.2 via eth0
100.0.0.0/24 [connected(0)] > to 100.0.0.1 via eth0
127.0.0.0/8 [connected(0)] > to 127.0.0.1 via lo
Vyatta>show route system forward

Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
50.0.0.1        100.0.0.2       255.255.255.255  UGH   1      0        0 eth0
100.0.0.0       0.0.0.0         255.255.255.0    U     0      0        0 eth0
10.250.0.0      0.0.0.0         255.255.0.0      U     0      0        0 eth0
DEBUGGING:

Cisco-RouterA#debug crypto isakmp

ISAKMP (0:0):     received packet from 100.0.0.1 (N) NEW SA
ISAKMP local   port 500, remote port 500
ISAKMP (0:5):   processing SA payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:     life type in seconds
ISAKMP:     life duration (basic) of 7200
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash MD5
ISAKMP:     auth pre-share
ISAKMP:     default group 2
ISAKMP (0:5):   atts are acceptable. Next payload is 0
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   processing KE payload. message ID = 0
ISAKMP (0:5):   processing NONCE payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   SKEYID state generated
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   processing ID payload. message ID = 0
ISAKMP (0:5):   processing HASH payload. message ID = 0
ISAKMP (0:5):   SA has been authenticated with 100.0.0.1
ISAKMP (5): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (5): Total payload length: 12
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   processing HASH payload. message ID = -1931975646
ISAKMP (0:5):   processing SA payload. message ID = -1931975646
ISAKMP (0:5):   Checking IPSec proposal 0
  transform 0, ESP_3DES
    attributes in transform:
      group is 2
      encaps is 1
      SA life type in seconds
      SA life duration (basic) of 1800
      authenticator is HMAC-MD5
ISAKMP (0:5):   atts are acceptable.
ISAKMP (0:5):   processing NONCE payload. message ID = -1931975646
ISAKMP (0:5):   processing KE payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   asking for 1 spis from ipsec
  received ke message (2/1)
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
Cisco-RouterA#debug crypto ipsec

IPSEC(sa_aging): lifetime expiring,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004,
  (identity) local= 50.0.0.1, remote= 100.0.0.1,
    local_proxy= 10.250.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 100.0.0.1, sa_prot= 50,
    sa_spi= 0xCA59FF09(3394895625),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
Vyatta>show vpn debug

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 10.200.1.1
000 interface eth0/eth0 100.0.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224}
000
000 "peer-50.0.0.1-tunnel-1":10.200.0.0/16===100.0.0.1...50.0.0.1===10.250.0.0/16; erouted; eroute owner:#2
000 "peer-50.0.0.1-tunnel-1": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "peer-50.0.0.1-tunnel-1": ike_life: 7200s; ipsec_life: 1800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-50.0.0.1-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth0;
000 "peer-50.0.0.1-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-50.0.0.1-tunnel-1": IKE algorithms wanted: 5_000-1-2, flags=strict
000 "peer-50.0.0.1-tunnel-1": IKE algorithms found: 5_192-1_128-2,
000 "peer-50.0.0.1-tunnel-1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "peer-50.0.0.1-tunnel-1": ESP algorithms wanted: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithms loaded: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=
000
000 #2: "peer-50.0.0.1-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 526s; newest IPSEC; eroute owner
000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 esp.778ed647@100.0.0.1 tun.0@50.0.0.1 tun.0@100.0.0.1
000 #1: "peer-50.0.0.1-tunnel-1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6418s; newest ISAKMP; nodpd
000
CONNECTIVITY CHECK:

The Cisco-RouterA and Vyatta routers must be able to reach each other on their WAN addresses.
Cisco-RouterA WAN address: 50.0.0.1
Vyatta WAN address: 100.0.0.1

Cisco-RouterA#traceroute 100.0.0.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 100.0.0.1 4 msec 0 msec 4 msec
Vyatta>traceroute 50.0.0.1

traceroute to 50.0.0.1 (50.0.0.1), 30 hops max, 40 byte packets
1 100.0.0.2 (100.0.0.2) 1.870 0.872 0.875
2 50.0.0.1 (50.0.0.1) 1.988 * 1.203
   ---------------------------------------------------------------------

If an IPSec router tries to ping or traceroute the loopback address of the other router, it will get no reply, because the routers' loopback addresses are not routed on the WAN.
The traceroute or ping will not bring up the tunnel either, because their source IP addresses do not match the conditions defined on the IPSec routers.

Cisco-RouterA#ping 10.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
Vyatta>ping 10.250.1.1 -c 4

PING 10.250.1.1 (10.250.1.1) 56(84) bytes of data.
From 100.0.0.1 icmp_seq=2 Destination Host Unreachable
From 100.0.0.1 icmp_seq=3 Destination Host Unreachable
From 100.0.0.1 icmp_seq=4 Destination Host Unreachable

--- 10.250.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms, pipe 3
Cisco-RouterA#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 50.0.0.2 !H !H *
Vyatta>traceroute 10.250.1.1

traceroute to 10.250.1.1 (10.250.1.1), 30 hops max, 40 byte packets
1 100.0.0.1 (100.0.0.1) 3002.304 ms !H 3003.655 ms !H 3003.975 ms !H
   ---------------------------------------------------------------------

To reach each other on their loopback addresses, and thus bring up the IPSec tunnel, the Vyatta or Cisco routers must ping or traceroute from their loopback IP address.
By default, the source IP address is the IP address of the outgoing physical interface.

Cisco-RouterA#traceroute

Target IP address: 10.200.1.1
Source address: 10.250.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
MaximumTime to Live [1]:
Port number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 10.200.1.1 4 msec 0 msec 4 msec