Looking at the state of the SAs, we find the following:
cpe-annexe1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.23.211.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.22.0.1/255.255.255.255/47/0)
current_peer 172.22.0.1 port 500
local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.22.0.1
inbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
outbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
One thing stands out here: the SAs towards the Hub are up (protocol 47, i.e. GRE, between the tunnel endpoints 172.23.211.3 and 172.22.0.1, which is exactly what tunnel protection in transport mode produces), but there is nothing at all for the other Spoke, not even the beginning of an ISAKMP negotiation.
This is entirely normal: Spoke-to-Spoke tunnels are built dynamically, through an NHRP resolution via the Hub (the NHS), when traffic is exchanged between them:
cpe-annexe1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms
cpe-annexe1#
cpe-annexe1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.23.211.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.23.211.2/255.255.255.255/47/0)
current_peer 172.23.211.2 port 500
local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.23.211.2
path mtu 1500, ip mtu 1500
inbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
outbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
protected vrf: (none)
local ident (addr/mask/prot/port): (172.23.211.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.22.0.1/255.255.255.255/47/0)
current_peer 172.22.0.1 port 500
local crypto endpt.: 172.23.211.3, remote crypto endpt.: 172.22.0.1
inbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
outbound esp sas:
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE
cpe-annexe1#
After the ping (sent with an explicit source address, so that it does not leave the router with the Tunnel interface's address as source), the SAs with the second Spoke (172.23.211.2) are indeed up, alongside the ones with the Hub.
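As an added verification checklist (not part of the original page), these are the checks a practitioner would run on cpe-annexe1 to confirm that the tunnel above really is Spoke-to-Spoke and not hairpinned through the Hub. The addresses are those of the lab above; the second Spoke's tunnel address 10.0.0.3 is an assumption, since the page does not give it.

```cisco
! Added checks, not from the original page. Run on cpe-annexe1 after the ping.
!
! 1. NHRP cache. The Hub mapping (10.0.0.1 -> 172.22.0.1) is static from the config;
!    the second Spoke must show up as a dynamic entry carrying its NBMA address
!    172.23.211.2, with an expiry timer derived from the 600 s holdtime.
show ip nhrp
!
! 2. IKE phase 1: one SA per peer, expected in state QM_IDLE once negotiation is done.
show crypto isakmp sa
!
! 3. IPsec SAs for the new peer only, instead of the whole table printed above.
show crypto ipsec sa peer 172.23.211.2
!
! 4. Routing. Tunnel0 is an OSPF broadcast network with the Hub as DR, so the next hop
!    of the annexe 2 prefix must be the second Spoke's tunnel address (assumed 10.0.0.3
!    here), not 10.0.0.1. A next hop that has no NBMA mapping in the cache is precisely
!    what makes the Spoke send an NHRP resolution request to the NHS.
show ip route 192.168.2.0
!
! 5. To watch the resolution and the IKE exchange happen, enable the debugs, flush the
!    dynamic state so that it is triggered again, then send traffic with a LAN source.
debug nhrp
debug crypto isakmp
clear ip nhrp
clear crypto sa peer 172.23.211.2
ping 192.168.2.1 source 192.168.1.1
undebug all
```

If step 4 shows 10.0.0.1 as next hop, the traffic is being relayed by the Hub and no Spoke-to-Spoke tunnel will ever be built; the usual cause is a point-to-multipoint OSPF network type or a Hub that rewrites the next hop, neither of which applies to the configurations below.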
- Complete configurations
For the spokes, only the annexe 1 configuration is given; the second spoke's is easily derived from it by changing the Tunnel0 address, the LAN address and the matching OSPF and NAT statements. Note that the crypto section is identical on the Hub and the Spokes, and that crypto isakmp policy 1 only sets the authentication method: the remaining IKE parameters therefore take the IOS defaults.
- Central site (Hub, mairie)
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cpe-mairie
!
boot-start-marker
boot-end-marker
!
enable secret 0 MOT_DE_PASSE
enable password 0 MOT_DE_PASSE
!
username admin privilege 15 password 0 MOT_DE_PASSE
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpn_tunnel_profile
set transform-set default-ts
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication NHRP_KEY
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpn_tunnel_profile
!
interface Loopback0
ip address 172.22.0.1 255.255.255.255
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Ethernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
passive-interface Ethernet0
network 10.0.0.0 0.0.0.255 area 0
network 192.168.0.0 0.0.0.255 area 0
!
router rip
version 2
passive-interface default
no passive-interface Ethernet1
network 172.22.0.0
network 172.23.0.0
no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 30 0
password 0 MOT_DE_PASSE
login local
length 0
transport preferred all
transport input all
transport output all
escape-character 3
!
scheduler max-task-time 5000
end

- Remote site (Spoke, annexe 1)
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cpe-annexe1
!
boot-start-marker
boot-end-marker
!
enable secret 0 MOT_DE_PASSE
enable password 0 MOT_DE_PASSE
!
username admin privilege 15 password 0 MOT_DE_PASSE
no aaa new-model
ip subnet-zero
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpn_tunnel_profile
set transform-set default-ts
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication NHRP_KEY
ip nhrp map 10.0.0.1 172.22.0.1
ip nhrp map multicast 172.22.0.1
ip nhrp network-id 99
ip nhrp holdtime 600
ip nhrp nhs 10.0.0.1
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpn_tunnel_profile
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Ethernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
passive-interface Ethernet0
network 10.0.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 30 0
password 0 MOT_DE_PASSE
login local
length 0
transport preferred all
transport input all
transport output all
escape-character 3
!
scheduler max-task-time 5000
end
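The crypto section shared by both routers works, but it is weak by today's standards (only the authentication method is set in the ISAKMP policy, the IPsec transform is 3DES, and a wildcard pre-shared key is the sole peer authentication), and both configurations also keep a reversible enable password and Telnet-capable VTYs. As an added example, not from the original page, here is the same section rewritten the way a practitioner would deploy it on the Hub and, unchanged, on each Spoke. Strings in capitals are placeholders; the DH group 14 and PFS group14 keywords are an assumption about the image, since they appeared in releases later than the 12.3 shown above (use group 5 on such an image).

```cisco
! Added example, not from the original page: hardened crypto and management section
! for cpe-mairie; the Spokes take exactly the same lines. Strings in CAPITALS are
! placeholders. "group 14" / "group14" are assumed to be available: they need a
! release newer than the 12.3 shown above, use "group 5" / "group5" on such an image.
!
! IKE phase 1. The page's policy sets only the authentication method, so the other
! parameters silently take the IOS defaults (DES, SHA-1, DH group 1). Remove it so the
! lower (higher-priority) number cannot be negotiated any more.
no crypto isakmp policy 1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! The wildcard key stays: the Spokes get their WAN address from DHCP, so the Hub cannot
! bind the key to an address. It is then the only thing that authenticates a peer, since
! the NHRP authentication string and the GRE tunnel key are carried in clear text and
! are only shielded on the wire by the ESP that wraps the GRE packets. Use a long random
! value and rotate it when a Spoke is decommissioned (certificates would be the real fix).
crypto isakmp key LONG_RANDOM_PRE_SHARED_KEY address 0.0.0.0 0.0.0.0
!
! Dead peer detection: a Spoke whose DHCP address changes is torn down and re-registers
! instead of leaving a stale SA and NHRP entry behind.
crypto isakmp keepalive 10 3
!
! IKE phase 2: same set name, so the existing profile and Tunnel0 keep referencing it.
crypto ipsec transform-set default-ts esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile vpn_tunnel_profile
 set transform-set default-ts
 set pfs group14
!
! Management plane: one hashed enable secret instead of secret plus reversible password,
! a hashed local user, SSH only, and VTY access limited to the LANs and the tunnel
! network. "crypto key generate rsa modulus 2048" must be run once in exec mode before
! SSH is usable. The user is removed first because IOS refuses a secret on a user that
! still has a password.
no enable password
enable secret STRONG_ENABLE_SECRET
no username admin
username admin privilege 15 secret STRONG_ADMIN_SECRET
ip domain-name EXAMPLE_DOMAIN
ip ssh version 2
!
ip access-list standard MGMT
 permit 192.168.0.0 0.0.255.255
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
```

Because the Spokes and the Hub negotiate with whichever policy they have in common, the change has to be applied on every router in the same maintenance window; a Spoke left on the old policy will simply fail IKE phase 1 and drop out of the OSPF area until it is updated.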