17-01-2020 08:01 AM
To explain my problem quickly: I cannot get the IP range "172.25.5.0 0.0.0.255" to pass through the IPsec tunnel.
On the other side, the tunnel is up and working. I am able to pass traffic from 10.0.0.0/8 to 10.15.0.0/16.
My Cisco configuration:
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 1.111.1.111
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map rtp 1 ipsec-isakmp
set peer 1.111.1.111
set transform-set rtpset
match address 115
!
!
!
interface GigabitEthernet0
switchport trunk native vlan 1001
switchport mode trunk
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
ip address 123.123.123.123 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
crypto map rtp
!
interface Vlan1
no ip address
shutdown
!
interface Vlan1001
description Backbone
ip address 10.100.10.110 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool WanSFR 123.123.123.123 123.123.123.123 netmask 255.255.255.248
ip nat inside source route-map nonat interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 123.123.123.123
ip route 10.15.0.0 255.255.0.0 10.100.10.110
ip ssh logging events
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm mac hmac-sha2-256
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended LAN
permit ip 10.15.0.0 0.0.255.255 any
!
route-map nonat permit 10
match ip address 110
!
access-list 110 deny ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.100.0.0 0.0.255.255 any
access-list 110 deny ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.15.0.0 0.0.255.255 any
access-list 115 permit ip 10.120.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
17-01-2020 08:06 AM
Output of sh crypto ipsec sa:
interface: GigabitEthernet8
Crypto map tag: rtp, local addr 123.123.123.123
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 1.111.1.111 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271252562, #pkts encrypt: 271252562, #pkts digest: 271252562
#pkts decaps: 335397886, #pkts decrypt: 335397886, #pkts verify: 335397886
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1126
local crypto endpt.: 123.123.123.123, remote crypto endpt.: 1.111.1.111
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
current outbound spi: 0xE5683D6A(3848813930)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0x4B51388(78975880)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 567, flow_id: Onboard VPN:567, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4283283/2198)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE5683D6A(3848813930)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 568, flow_id: Onboard VPN:568, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4332814/2198)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 1.111.1.111 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 468158, #pkts encrypt: 468158, #pkts digest: 468158
#pkts decaps: 344671, #pkts decrypt: 344671, #pkts verify: 344671
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.123.123.123, remote crypto endpt.: 1.111.1.111
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
current outbound spi: 0xB2F6802F(3002499119)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0xE333F197(3811832215)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 569, flow_id: Onboard VPN:569, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4252130/2751)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB2F6802F(3002499119)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 570, flow_id: Onboard VPN:570, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4252102/2751)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.25.5.0/255.255.255.0/0/0)
current_peer 1.111.1.111 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2031, #recv errors 0
local crypto endpt.: 123.123.123.123, remote crypto endpt.: 1.111.1.111
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
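The three flows in the show output above can be triaged mechanically. The script below is an added example, not code from the original post: it parses the output into one record per proxy-ID pair and flags the pair whose outbound SPI is 0, whose encapsulation counter is 0 and which has only send errors, the signature of a Phase 2 that never completed for that selector. The sample text inside the block is a constructed, trimmed copy of the output above (the per-SA detail lines are dropped); the field names are those of the IOS output and nothing else is assumed.

```python
"""Triage `show crypto ipsec sa`: list crypto-map flows that have no child SA.

Added example, not code from the original thread. SAMPLE_SHOW_OUTPUT is a
constructed, trimmed copy of the three flows posted above (per-SA detail
lines dropped); the field layout is the IOS one.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

SAMPLE_SHOW_OUTPUT = """\
interface: GigabitEthernet8
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 1.111.1.111 port 500
#pkts encaps: 271252562, #pkts encrypt: 271252562, #pkts digest: 271252562
#pkts decaps: 335397886, #pkts decrypt: 335397886, #pkts verify: 335397886
#send errors 0, #recv errors 1126
current outbound spi: 0xE5683D6A(3848813930)
PFS (Y/N): Y, DH group: group5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 1.111.1.111 port 500
#pkts encaps: 468158, #pkts encrypt: 468158, #pkts digest: 468158
#pkts decaps: 344671, #pkts decrypt: 344671, #pkts verify: 344671
#send errors 0, #recv errors 0
current outbound spi: 0xB2F6802F(3002499119)
PFS (Y/N): Y, DH group: group5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.25.5.0/255.255.255.0/0/0)
current_peer 1.111.1.111 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 2031, #recv errors 0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
"""


@dataclass
class Flow:
    local: str         # local proxy ID (traffic this router protects)
    remote: str        # remote proxy ID
    peer: str
    encaps: int        # packets we encrypted into the tunnel
    decaps: int        # packets we decrypted out of the tunnel
    send_errors: int   # matched the crypto ACL but could not be sent
    outbound_spi: int  # 0 means no outbound ESP SA exists for this flow
    pfs: str           # Y/N as shown for the current SA

    def diagnosis(self) -> str:
        if self.outbound_spi == 0 and self.encaps == 0:
            return ("no IPsec SA: Phase 2 never completed for this proxy-ID pair; "
                    "send errors are crypto-ACL matches dropped for lack of an SA")
        if self.encaps > 0 and self.decaps == 0:
            return "one-way: we encrypt but never receive"
        return "ok"


_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): "
                    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)")
_FIELDS = {
    "peer": re.compile(r"current_peer (\S+) port \d+"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "outbound_spi": re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)"),
    "pfs": re.compile(r"PFS \(Y/N\): ([YN])"),
}


def parse_flows(text: str) -> list[Flow]:
    """One Flow per 'protected vrf:' block of the show output."""
    flows = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        idents = {k: str(IPv4Network(f"{a}/{m}", strict=False))
                  for k, a, m in _IDENT.findall(block)}
        if len(idents) != 2:
            continue  # not a flow block
        raw = {k: rx.search(block).group(1) for k, rx in _FIELDS.items()}
        flows.append(Flow(local=idents["local"], remote=idents["remote"],
                          peer=raw["peer"], encaps=int(raw["encaps"]),
                          decaps=int(raw["decaps"]),
                          send_errors=int(raw["send_errors"]),
                          outbound_spi=int(raw["outbound_spi"], 16),
                          pfs=raw["pfs"]))
    return flows


def broken_flows(text: str) -> list[Flow]:
    return [f for f in parse_flows(text) if f.diagnosis() != "ok"]


if __name__ == "__main__":
    for f in parse_flows(SAMPLE_SHOW_OUTPUT):
        print(f"{f.local} -> {f.remote}: spi=0x{f.outbound_spi:X} encaps={f.encaps} "
              f"decaps={f.decaps} send_err={f.send_errors} pfs={f.pfs}: {f.diagnosis()}")
```

Run against the sample, the first two flows come out healthy (both counters moving, a non-zero SPI) and only 10.15.0.0/16 -> 172.25.5.0/24 is reported. Its send errors show that access-list 115 is matching the traffic; what is missing is the SA for that selector, so the next thing to compare is the Phase 2 proposal (transform, PFS, lifetime) and the proxy IDs configured on both peers.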
17-01-2020 08:31 AM
17-01-2020 09:13 AM - edited 17-01-2020 09:20 AM
OK, I have just solved my problem...
I cannot understand why it worked for the 10.0.0.0/8 range and not for 172.25.5.0/24, but anyway...
First of all, I had messages on both the Cisco and the Palo Alto warning me of a communication problem in IKE Phase 2.
Error message on the Cisco:
Error message on the Palo Alto:
In summary:
I enabled PFS and changed the Phase 2 lifetime so that the two IPsec crypto configurations are consistent with each other.
I changed the ACLs:
access-list 110 deny ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.100.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.110.0.0 0.0.255.255 any
access-list 110 deny ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.15.0.0 0.0.255.255 any
access-list 115 permit ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.100.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
It now works, and this fixed the SA communication problems.
Regards
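One check worth running whenever a crypto ACL and a NAT route-map ACL coexist, as in the configuration in the first post and the revised ACLs in this one: on IOS the inside-to-outside path applies NAT before the crypto map is evaluated, so any tunnel selector that the NAT ACL permits is translated to the GigabitEthernet8 address first and never matches access-list 115. The script below is an added example, not code from the thread. It parses both ACL versions quoted above (copied as posted) with first-match-wins semantics and reports any crypto-ACL entry that would be translated; NAT_MISORDERED is a constructed variant that shows what a misordered NAT ACL looks like to the check.

```python
"""Check that every crypto-map ACL entry is exempt from the NAT route-map ACL.

Added example, not code from the original thread. On IOS the inside-to-outside
path runs NAT before the crypto map is consulted, so a crypto-ACL entry that
the NAT ACL permits is rewritten to the public address and never matches the
tunnel. The *_ORIGINAL and *_REVISED strings are the ACLs quoted in the posts
above; NAT_MISORDERED is a constructed variant that shows the failure mode.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network

ACL_110_ORIGINAL = """
access-list 110 deny ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.100.0.0 0.0.255.255 any
access-list 110 deny ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.15.0.0 0.0.255.255 any
"""
ACL_115_ORIGINAL = """
access-list 115 permit ip 10.120.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
"""
ACL_110_REVISED = """
access-list 110 deny ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.100.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.110.0.0 0.0.255.255 any
access-list 110 deny ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 110 permit ip 10.15.0.0 0.0.255.255 any
"""
ACL_115_REVISED = """
access-list 115 permit ip 10.100.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.100.0.0 0.0.255.255 172.25.5.0 0.0.0.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.15.0.0 0.0.255.255 172.25.5.0 0.0.0.255
"""
# Constructed: permit ahead of deny, so first-match-wins translates tunnel traffic
NAT_MISORDERED = """
access-list 110 permit ip 10.100.0.0 0.0.255.255 any
access-list 110 deny ip 10.100.0.0 0.0.255.255 172.25.5.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    action: str  # 'permit' or 'deny'
    src: IPv4Network
    dst: IPv4Network


def _net(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from the front of a token list."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts an IOS wildcard (dotted hostmask) in the mask position;
    # a 0.0.0.0 wildcard (single host) would need special-casing, none here.
    return IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _net(t[4:])
        dst, _ = _net(rest)
        aces.append(Ace(t[2], src, dst))
    return aces


def classify(entry: Ace, nat_acl: list[Ace]) -> str:
    """First match wins: 'exempt' if the first overlapping NAT ACE is a deny
    covering the whole entry (or nothing overlaps: implicit deny); 'natted' if
    it is a permit (some of that traffic is translated); otherwise 'partial'."""
    for ace in nat_acl:
        if entry.src.overlaps(ace.src) and entry.dst.overlaps(ace.dst):
            if ace.action == "permit":
                return "natted"
            if entry.src.subnet_of(ace.src) and entry.dst.subnet_of(ace.dst):
                return "exempt"
            return "partial"
    return "exempt"


def audit(crypto_acl: str, nat_acl: str) -> list[tuple[str, str, str]]:
    """(src, dst, verdict) for each crypto-ACL permit that is not NAT-exempt."""
    nat = parse_acl(nat_acl)
    findings = []
    for e in parse_acl(crypto_acl):
        verdict = classify(e, nat) if e.action == "permit" else "exempt"
        if verdict != "exempt":
            findings.append((str(e.src), str(e.dst), verdict))
    return findings


if __name__ == "__main__":
    for name, crypto, nat in [("original", ACL_115_ORIGINAL, ACL_110_ORIGINAL),
                              ("revised", ACL_115_REVISED, ACL_110_REVISED),
                              ("misordered", ACL_115_REVISED, NAT_MISORDERED)]:
        print(f"{name}: {audit(crypto, nat) or 'all crypto-ACL entries NAT-exempt'}")
```

Both the original and the revised ACL pairs come out clean, which fits the show output in the earlier post: the 172.25.5.0/24 flow was being matched by the crypto map (send errors were counting) and was not being lost to NAT. Moving a `permit ... any` ahead of its deny, as in NAT_MISORDERED, is reported as `natted` for the 10.100.0.0/16 entries; `partial` is returned when a deny only covers part of a crypto entry and needs a closer look by hand.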