IPSec VPN - Networks - Consumer / SoHo networks
Marsh Posted on 18-03-2015 at 15:55:27
Here is the router configuration:
R1:
!
! Last configuration change at 13:43:21 UTC Wed Mar 18 2015
! NVRAM config last updated at 13:21:20 UTC Wed Mar 18 2015
! NVRAM config last updated at 13:21:20 UTC Wed Mar 18 2015
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
crypto pki token default removal timeout 0
!
ip source-route
ip cef
!
no ipv6 cef
!
license udi pid C881W-E-K9 sn FCZ1706C5GJ
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
shutdown
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
R1#sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: CMAP, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R1#show crypto session
Crypto session current status
Interface: FastEthernet4
Session status: DOWN
Peer: 1.1.1.2 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
Active SAs: 0, origin: crypto map
R1#
Mar 18 13:44:39.659: No peer struct to get peer description
R2:
!
! Last configuration change at 14:21:04 UTC Wed Mar 18 2015
! NVRAM config last updated at 14:08:18 UTC Wed Mar 18 2015
! NVRAM config last updated at 14:08:18 UTC Wed Mar 18 2015
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
no ipv6 cef
!
license udi pid C881W-E-K9 sn FCZ1706C5GR
!
vtp mode client
vtp version 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 1.1.1.1
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
shutdown
!
interface Vlan1
ip address 20.20.20.1 255.255.255.0
!
router rip
version 2
network 1.0.0.0
network 20.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended VPN-TRAFFIC
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: CMAP, local addr 1.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R2#sh crypto session
Crypto session current status
Interface: FastEthernet4
Session status: DOWN
Peer: 1.1.1.1 port 500
IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
R2#
Mar 18 14:25:07.015: No peer struct to get peer description
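For a crypto-map based IKEv1/IPsec tunnel like the one configured above, a fixed set of things has to agree between the two routers: each side's `set peer` must be the other side's outside address, a pre-shared key must exist for exactly that address and be identical on both ends, the ISAKMP policy and the transform-set must match, the crypto ACLs must be exact mirror images, and the crypto map must be bound to the interface that carries the outside address. The Python script below is an added example (not the poster's code and not a Cisco tool) that parses those lines out of two pasted running-configs and reports every mismatch it finds; it also flags the 3DES/MD5/DH-group-2 policy as deprecated. It assumes one crypto map and one ISAKMP policy per router and no VRFs, embeds abbreviated copies of the R1 and R2 configs from this post as its input, and the finding messages are its own wording.

```python
import re

# Abbreviated copy of the R1 running-config posted above: only the crypto,
# outside-interface and crypto-ACL lines, which is all this checker reads.
R1_CONFIG = """\
hostname R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 1.1.1.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet4
 ip address 1.1.1.1 255.255.255.0
 crypto map CMAP
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""
# R2 as posted is R1's mirror image, so it is derived by swapping the lines that differ.
R2_CONFIG = (R1_CONFIG.replace("hostname R1", "hostname R2")
             .replace("address 1.1.1.2", "address 1.1.1.1")
             .replace("set peer 1.1.1.2", "set peer 1.1.1.1")
             .replace("ip address 1.1.1.1 ", "ip address 1.1.1.2 ")
             .replace("10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
                      "20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"))

SECTIONS = {"policies": re.compile(r"^crypto isakmp policy (\d+)$"),
            "maps": re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$"),
            "interfaces": re.compile(r"^interface (\S+)$"),
            "acls": re.compile(r"^ip access-list extended (\S+)$")}

def parse_config(text):
    """Extract the IKE/IPsec-relevant parts of a running-config; indentation is ignored."""
    cfg = {"hostname": None, "keys": {}, "transform_sets": {},
           "policies": {}, "maps": {}, "interfaces": {}, "acls": {}}
    section = None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("!"):
            section = None                      # a '!' separator ends the current block
        elif words[0] == "hostname":
            cfg["hostname"] = words[1]
        elif m := re.match(r"^crypto isakmp key (\S+) address (\S+)$", line):
            cfg["keys"][m[2]] = m[1]            # pre-shared key, indexed by peer address
        elif m := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif opened := [(k, p.match(line)) for k, p in SECTIONS.items() if p.match(line)]:
            kind, m = opened[0]                 # a new block starts; attach following lines to it
            section = (kind, m[1])
            cfg[kind].setdefault(m[1], [] if kind == "acls" else {})
        elif section is not None:
            kind, name = section
            if kind == "policies" and words[0] in ("encr", "hash", "authentication", "group"):
                cfg[kind][name][words[0]] = words[1]
            elif kind == "maps" and words[0] in ("set", "match"):
                cfg[kind][name][words[1]] = words[2]    # peer / transform-set / address
            elif kind == "interfaces" and words[:2] == ["ip", "address"]:
                cfg[kind][name]["ip"] = words[2]
            elif kind == "interfaces" and words[:2] == ["crypto", "map"]:
                cfg[kind][name]["map"] = words[2]
            elif kind == "acls" and words[:2] == ["permit", "ip"]:
                cfg[kind][name].append(tuple(words[2:6]))   # (src, wildcard, dst, wildcard)
    return cfg

def summarize(side):
    """Gather one router's single crypto map together with everything it references."""
    map_name, cmap = next(iter(side["maps"].items()), (None, {}))
    bound = [(n, p["ip"]) for n, p in side["interfaces"].items()
             if p.get("map") == map_name and "ip" in p]
    intf, ip = bound[0] if bound else (None, None)
    return {"host": side["hostname"], "map": map_name, "intf": intf, "ip": ip,
            "peer": cmap.get("peer"), "keys": side["keys"],
            "ts": side["transform_sets"].get(cmap.get("transform-set")),
            "acl": sorted(side["acls"].get(cmap.get("address"), [])),
            "policy": next(iter(side["policies"].values()), {})}

def check_pair(a, b):
    """Return the list of findings for two parsed configs (empty list = consistent)."""
    sa, sb, out = summarize(a), summarize(b), []
    for me, you in ((sa, sb), (sb, sa)):
        h = me["host"]
        if me["intf"] is None:
            out.append(f"{h}: crypto map {me['map']} is not bound to an addressed interface")
        if me["peer"] != you["ip"]:
            out.append(f"{h}: set peer {me['peer']} is not {you['host']}'s outside address {you['ip']}")
        if you["ip"] not in me["keys"]:
            out.append(f"{h}: no pre-shared key for peer address {you['ip']}")
        if me["acl"] != sorted((d, dw, s, sw) for s, sw, d, dw in you["acl"]):
            out.append(f"{h}: crypto ACL is not the mirror image of {you['host']}'s")
    if sa["keys"].get(sb["ip"]) != sb["keys"].get(sa["ip"]):
        out.append("pre-shared keys differ")
    if sa["policy"] != sb["policy"]:
        out.append(f"ISAKMP policies differ: {sa['policy']} vs {sb['policy']}")
    if sa["ts"] != sb["ts"]:
        out.append(f"transform-sets differ: {sa['ts']} vs {sb['ts']}")
    p = sa["policy"]
    if p.get("encr") in ("des", "3des") or p.get("hash") == "md5" or p.get("group") in ("1", "2", "5"):
        out.append("warning: ISAKMP policy uses deprecated algorithms (DES/3DES, MD5, DH group 1/2/5)")
    return out
```

Calling `check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG))` on the configs as posted returns only the deprecated-algorithm warning, i.e. the two sides are consistent as far as these checks go. Changing a single octet in one crypto ACL (for example `10.10.1.0` instead of `10.10.10.0` on R2) makes both routers report that their ACL is no longer the mirror of the other's, which is the kind of slip a visual comparison of two long configs easily misses.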
Marsh Posted on 17-03-2015 at 12:01:02
Hello,
I'm trying to set up an IPSEC VPN between two Cisco 881W routers, but it doesn't come up.
I followed this tutorial, which looks pretty thorough to me. http://www.lolokai.com/blog/2012/0 [...] urs-cisco/
The only problem is that there is no trace of the IPSEC VPN at all. On top of that, I can't get at the log file to find out which step is failing...
The private networks are 192.168.1.0/24 and 192.168.2.0/24. The network between the routers is 10.0.0.0/24. Note that everything communicates fine, of course.
The keys match, the ACLs are configured correctly...
If anyone has an idea, I'm all ears!
Message edited by musha76 on 17-03-2015 at 12:03:26