<a href='/s/10p2kR1AJ' target='_self'>Back to the main page</a>
# Site-to-site IPsec VPN - the IPsec configuration
[TOC]
---
## Configuration templates
As with the <a href='/s/UOI1RSg8S' target='_self'>GRE tunnel</a>, **Jinja2** templates are used to generate the IPsec configuration for each of the two systems.
The whole difficulty here lies in making the cipher suites match between the two heterogeneous systems: every algorithm, key size, PRF and Diffie-Hellman group has to be expressed in each vendor's own syntax, and a single discrepancy is enough for the IKE negotiation to fail.
* On the **Cisco IOS XE** side, the [ipsec-iosxe.j2](https://gitlab.inetdoc.net/labs/vpn-ipsec/-/blob/main/mix/templates/ipsec-iosxe.j2) template uses the following parameters:
* IKEv2
```
crypto ikev2 proposal LAB-IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha512
group 21
```
* ESP
```
crypto ipsec transform-set LAB-IPSEC-TSET esp-aes 256 esp-sha256-hmac
mode transport
```
* On the **Linux strongSwan** side, the [ipsec-linux.conf.j2](https://gitlab.inetdoc.net/labs/vpn-ipsec/-/blob/main/mix/templates/ipsec-linux.conf.j2) template uses the following equivalents:
* IKEv2
```
ike=aes256gcm-prfsha512-ecp521!
```
* ESP
```
esp=aes256-sha256!
```
The trailing `!` makes each proposal strict: without it strongSwan also offers its built-in default proposals, and the peer could negotiate one of those instead of the suite configured here, which would hide a mismatch between the two templates.
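The checker below is an added example written for this page; it is not part of the lab repository or of the Jinja2 templates. It parses the IOS XE `crypto ikev2 proposal` and `crypto ipsec transform-set` lines and the strongSwan `ike=`/`esp=`/`type=` lines into one common representation and lists every field on which the two sides differ, including a missing `!` on a strongSwan proposal. The keyword tables only cover the algorithms used in this lab plus a few common alternatives; the sample inputs are the two fragments above and a constructed strongSwan variant with the wrong DH group and a non-strict ESP proposal. It assumes that IOS XE, like strongSwan, uses the integrity algorithm as PRF when no `prf` is configured.

```python
"""Cross-check IKEv2/ESP cipher suites: IOS XE config vs strongSwan ipsec.conf (added example)."""
import re

DH_GROUPS = {14: "modp2048", 19: "ecp256", 20: "ecp384", 21: "ecp521"}  # IANA number -> strongSwan keyword
SS_DH = {name: num for num, name in DH_GROUPS.items()}
IOSXE_ENCR = {"aes-cbc-128": ("aes-cbc", 128), "aes-cbc-256": ("aes-cbc", 256),
              "aes-gcm-128": ("aes-gcm", 128), "aes-gcm-256": ("aes-gcm", 256)}
IOSXE_ESP_INTEG = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
                   "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}
# 'crypto ikev2 proposal' sub-commands -> (normalised field, value converter)
IOSXE_IKE_KEYS = {"encryption": ("encr", IOSXE_ENCR.__getitem__), "integrity": ("integ", str),
                  "prf": ("prf", str), "group": ("dh", int)}
_SS_AES = re.compile(r"^aes(128|192|256)(gcm)?(\d+)?$")  # ICV length (gcm16 etc.) is not compared
_SS_PRF = re.compile(r"^prfsha(1|256|384|512)$")
_SS_INTEG = re.compile(r"^sha(1|256|384|512)$")


def _iosxe_transform(tokens):
    """Parse the algorithm tokens of 'crypto ipsec transform-set NAME ...'."""
    esp, i = {"encr": None, "integ": None}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("esp-aes", "esp-gcm"):
            size = 128  # IOS XE default when no key size follows
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                size, i = int(tokens[i + 1]), i + 1
            esp["encr"] = ("aes-gcm" if tok == "esp-gcm" else "aes-cbc", size)
        elif tok in IOSXE_ESP_INTEG:
            esp["integ"] = IOSXE_ESP_INTEG[tok]
        else:
            raise ValueError(f"unsupported transform keyword: {tok}")
        i += 1
    return esp


def parse_iosxe(cfg):
    ike = {"encr": None, "integ": None, "prf": None, "dh": None}
    esp = {"encr": None, "integ": None, "mode": "tunnel"}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in IOSXE_IKE_KEYS:
            field, conv = IOSXE_IKE_KEYS[w[0]]
            ike[field] = conv(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            esp.update(_iosxe_transform(w[4:]))
        elif w[0] == "mode":
            esp["mode"] = w[1]
    if ike["prf"] is None:  # assumption: without 'prf', IOS XE uses the integrity algorithm as PRF
        ike["prf"] = ike["integ"]
    return {"ike": ike, "esp": esp}


def _ss_proposal(value, is_ike):
    """Parse 'alg-alg-...[!]'; the trailing '!' stops strongSwan adding its default proposals."""
    sa = {"encr": None, "integ": None, "prf": None, "dh": None} if is_ike else {"encr": None, "integ": None}
    for tok in value.rstrip("!").split("-"):
        if m := _SS_AES.match(tok):
            sa["encr"] = ("aes-gcm" if m.group(2) else "aes-cbc", int(m.group(1)))
        elif is_ike and (m := _SS_PRF.match(tok)):
            sa["prf"] = "sha" + m.group(1)
        elif m := _SS_INTEG.match(tok):
            sa["integ"] = "sha" + m.group(1)
        elif is_ike and tok in SS_DH:
            sa["dh"] = SS_DH[tok]
        else:
            raise ValueError(f"unsupported strongSwan keyword: {tok}")
    if is_ike and sa["prf"] is None:  # strongSwan derives the PRF from the integrity algorithm
        sa["prf"] = sa["integ"]
    return sa, value.endswith("!")


def parse_strongswan(cfg):
    out = {"ike": {"encr": None, "integ": None, "prf": None, "dh": None},
           "esp": {"encr": None, "integ": None}, "strict": {"ike": False, "esp": False}}
    mode = "tunnel"  # strongSwan default is type=tunnel
    for line in cfg.splitlines():
        key, _, value = (s.strip() for s in line.strip().partition("="))
        if key in ("ike", "esp"):
            out[key], out["strict"][key] = _ss_proposal(value, key == "ike")
        elif key == "type":
            mode = value
    out["esp"]["mode"] = mode
    return out


def compare_suites(iosxe_cfg, strongswan_cfg):
    """Return the list of mismatches; an empty list means both sides agree."""
    cisco, swan = parse_iosxe(iosxe_cfg), parse_strongswan(strongswan_cfg)
    problems = []
    for sa in ("ike", "esp"):
        for field, expected in cisco[sa].items():
            if expected != swan[sa].get(field):
                problems.append(f"{sa}.{field}: iosxe={expected} strongswan={swan[sa].get(field)}")
        if not swan["strict"][sa]:
            problems.append(f"{sa}: strongSwan proposal is not strict (missing '!')")
    return problems


# Sample inputs: the two fragments from this page, plus a constructed strongSwan
# variant with the wrong DH group and a non-strict ESP proposal.
IOSXE_CFG = """crypto ikev2 proposal LAB-IKEV2-PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 21
crypto ipsec transform-set LAB-IPSEC-TSET esp-aes 256 esp-sha256-hmac
 mode transport
"""
STRONGSWAN_CFG = "ike=aes256gcm-prfsha512-ecp521!\nesp=aes256-sha256!\ntype=transport\n"
STRONGSWAN_BAD_CFG = "ike=aes256gcm-prfsha512-ecp384!\nesp=aes256-sha256\ntype=transport\n"
```

`compare_suites(IOSXE_CFG, STRONGSWAN_CFG)` returns an empty list for the two templates of this lab, while the constructed variant reports `ike.dh: iosxe=21 strongswan=20` and the non-strict ESP proposal. Running such a check on the rendered files before pushing them means that a failure visible in the logs afterwards is unlikely to be a cipher-suite mismatch.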
## The IPsec security association
To validate that the cipher suites match, the checks have to be run on each of the two endpoints.
* On the **Cisco IOS XE** side, the command `show crypto ikev2 session` shows the state of the association and identifies the negotiated algorithms.
In the screen capture below, the line starting with `Encr:` lists the parameters applied from the `LAB-IKEV2-PROPOSAL` proposal. `Hash: None` is expected here: AES-GCM is an AEAD cipher, so no separate integrity algorithm is negotiated for IKE, and `DH Grp:21` is the 521-bit elliptic-curve group (`ecp521` in strongSwan's notation). This display covers the IKE_SA only; the ESP transform in use is shown by `show crypto ipsec sa`.
```
GLA#sh crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:20, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 192.0.2.66/500 192.0.2.34/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1753 sec
Child sa: local selector 192.0.2.66/0 - 192.0.2.66/65535
remote selector 192.0.2.34/0 - 192.0.2.34/65535
ESP spi in/out: 0x73A0547B/0xCE7BE077
```
* On the **Linux strongSwan** side, the command `sudo ipsec statusall` shows the state of the association and identifies the same algorithms.
In the screen capture below, the line starting with `GLA[2]: IKE proposal:` lists the parameters defined in the `/etc/ipsec.conf` file in their negotiated form: `AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521` corresponds to `aes256gcm-prfsha512-ecp521`, and the `GLA{3}:` lines show the ESP transform `AES_CBC_256/HMAC_SHA2_256_128` in `TRANSPORT` mode with `[gre]` traffic selectors. A further check between the two captures is that the ESP SPIs are mirrored: IOS XE reports `in/out: 0x73A0547B/0xCE7BE077` while strongSwan reports `ce7be077_i 73a0547b_o`, which confirms that both displays describe the same child SA.
```
etu@TLS:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-7-amd64, x86_64):
uptime: 47 minutes, since May 02 18:55:12 2023
malloc: sbrk 2850816, mmap 0, used 979856, free 1870960
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp
agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke
updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
192.0.2.34
2001:db8:19a::22
Connections:
GLA: %any...192.0.2.66 IKEv2
GLA: local: uses pre-shared key authentication
GLA: remote: [192.0.2.66] uses pre-shared key authentication
GLA: child: dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
GLA[2]: ESTABLISHED 46 minutes ago, 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
GLA[2]: IKEv2 SPIs: 9a8850d7fdd12224_i 1d0521858b73c9dd_r*, pre-shared key reauthentication in 2 hours
GLA[2]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
GLA{3}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce7be077_i 73a0547b_o
GLA{3}: AES_CBC_256/HMAC_SHA2_256_128, 1088 bytes_i (14 pkts, 2759s ago), 0 bytes_o, rekeying in 97 seconds
GLA{3}: 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
```
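Rather than eyeballing the two captures, the script below, an added example that is not a tool from the lab repository, parses both outputs and performs the two checks just described: it rewrites the IOS XE `Encr:` line into strongSwan's notation and compares it with the `IKE proposal:` line, and it verifies that the ESP SPIs are mirrored. The sample inputs are the two captures above, trimmed to the relevant lines; the name tables for AES-CBC and HMAC integrity algorithms are extrapolated from the same display format and are an assumption, only the AES-GCM/SHA512/group 21 entries are confirmed by this page.

```python
"""Cross-check 'show crypto ikev2 session' (IOS XE) with 'ipsec statusall' (strongSwan).
Added example: the negotiated IKE algorithms must agree and the ESP SPIs must be
mirrored, i.e. the inbound SPI on one side is the outbound SPI on the other."""
import re

# IOS XE display names -> the names printed by strongSwan (only AES-GCM/SHA512/21
# appear on this page; the other entries follow the same pattern and are assumed)
ENCR_NAMES = {"AES-GCM": "AES_GCM_16_{ks}", "AES-CBC": "AES_CBC_{ks}"}
PRF_NAMES = {"SHA256": "PRF_HMAC_SHA2_256", "SHA384": "PRF_HMAC_SHA2_384", "SHA512": "PRF_HMAC_SHA2_512"}
HASH_NAMES = {"SHA256": "HMAC_SHA2_256_128", "SHA384": "HMAC_SHA2_384_192", "SHA512": "HMAC_SHA2_512_256"}
DH_NAMES = {"14": "MODP_2048", "19": "ECP_256", "20": "ECP_384", "21": "ECP_521"}

_CISCO_ALGS = re.compile(r"Encr: (\S+), keysize: (\d+), PRF: (\S+), Hash: (\S+), DH Grp:(\d+)")
_CISCO_SPI = re.compile(r"ESP spi in/out: 0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)")
_SWAN_IKE = re.compile(r"IKE proposal: (\S+)")
_SWAN_SPI = re.compile(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")


def parse_iosxe_session(text):
    """Normalise the IKE line of 'show crypto ikev2 session' to strongSwan's notation."""
    algs, spi = _CISCO_ALGS.search(text), _CISCO_SPI.search(text)
    if not algs or not spi:
        raise ValueError("IKEv2 session output not recognised")
    encr, ks, prf, hsh, dh = algs.groups()
    parts = [ENCR_NAMES[encr].format(ks=ks)]
    if hsh != "None":  # 'Hash: None' is normal for AEAD ciphers such as AES-GCM
        parts.append(HASH_NAMES[hsh])
    parts += [PRF_NAMES[prf], DH_NAMES[dh]]
    return {"ike": "/".join(parts), "spi_in": spi.group(1).lower(), "spi_out": spi.group(2).lower()}


def parse_strongswan_status(text):
    """Extract the IKE proposal and the ESP SPIs from 'ipsec statusall'."""
    ike, spi = _SWAN_IKE.search(text), _SWAN_SPI.search(text)
    if not ike or not spi:
        raise ValueError("statusall output not recognised")
    return {"ike": ike.group(1), "spi_in": spi.group(1), "spi_out": spi.group(2)}


def cross_check(cisco, swan):
    """Return findings; an empty list means both displays describe the same SA pair."""
    findings = []
    if cisco["ike"] != swan["ike"]:
        findings.append(f"IKE proposal differs: iosxe={cisco['ike']} strongswan={swan['ike']}")
    if (cisco["spi_in"], cisco["spi_out"]) != (swan["spi_out"], swan["spi_in"]):
        findings.append("ESP SPIs are not mirrored: the two outputs describe different child SAs")
    return findings


# Sample inputs copied from the two screen captures on this page (trimmed).
IOSXE_SESSION = """\
Tunnel-id Local Remote fvrf/ivrf Status
1 192.0.2.66/500 192.0.2.34/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Child sa: local selector 192.0.2.66/0 - 192.0.2.66/65535
remote selector 192.0.2.34/0 - 192.0.2.34/65535
ESP spi in/out: 0x73A0547B/0xCE7BE077
"""
SWAN_STATUS = """\
GLA[2]: ESTABLISHED 46 minutes ago, 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
GLA[2]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
GLA{3}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce7be077_i 73a0547b_o
GLA{3}: AES_CBC_256/HMAC_SHA2_256_128, 1088 bytes_i (14 pkts, 2759s ago), 0 bytes_o, rekeying in 97 seconds
GLA{3}: 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
"""

if __name__ == "__main__":
    print(cross_check(parse_iosxe_session(IOSXE_SESSION), parse_strongswan_status(SWAN_STATUS)) or "OK")
```

The IOS XE session display does not list the ESP transform; `show crypto ipsec sa` does, and its output could be fed to the same kind of parser to compare it with strongSwan's `GLA{3}:` line.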
## System logs
Finally, do not forget to consult the logs on each system in order to identify mismatches between the two configurations.
* On the **Cisco IOS XE** side, use the command `show logging`.
For the screen capture below, the command `clear crypto ikev2 sa` is issued to reset the security association. The result in the system logs is as follows (protocol 47 in the traffic selectors is GRE, matching the `[gre]` selectors displayed by strongSwan):
```
May 2 16:07:37.840: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
May 2 16:07:37.852: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.0.2.66-192.0.2.66 Protocol: 47 Port Range: 0-65535; remote traffic selector = Address Range: 192.0.2.34-192.0.2.34 Protocol: 47 Port Range: 0-65535
May 2 16:07:37.876: %IKEV2-5-SA_DOWN: SA DOWN
May 2 16:07:37.929: %IKEV2-5-SA_UP: SA UP
May 2 16:07:37.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
```
* On the **Linux strongSwan** side, use the command `journalctl`.
Following the reset of the security association performed on the **IOS XE** side, the messages below are obtained.
Although the screen capture is very long, the reset can be spotted from line 14 onward, and from line 19 the phases of the establishment of a new security association can be followed. charon prefixes every message with its worker-thread number (`11[...]`, `06[...]`, `07[...]`), so the deletion of the old IKE_SA handled by thread 11 interleaves with the IKE_SA_INIT and IKE_AUTH exchanges handled by threads 06 and 07; reading the capture thread by thread makes the sequence clearer. The `received unknown vendor ID` and `unknown attribute type (28692)` messages come from Cisco proprietary extensions (the two hex vendor IDs decode to the ASCII strings `CISCOVPN-REV-02` and `CISCO-DYNAMIC-ROUTE`) and are harmless.
```=
etu@TLS:~$ journalctl -n 50 -f -u strongswan-starter.service
May 02 19:57:54 TLS charon[5113]: 15[IKE] authentication of '192.0.2.34' (myself) with pre-shared key
May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 19:57:54 TLS charon[5113]: 15[IKE] scheduling reauthentication in 10099s
May 02 19:57:54 TLS charon[5113]: 15[IKE] maximum IKE_SA lifetime 10639s
May 02 19:57:54 TLS charon[5113]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 19:57:54 TLS charon[5113]: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
May 02 19:57:54 TLS charon[5113]: 15[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (241 bytes)
May 02 20:07:35 TLS charon[5113]: 11[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (65 bytes)
May 02 20:07:35 TLS charon[5113]: 11[ENC] parsed INFORMATIONAL request 2 [ D ]
May 02 20:07:35 TLS charon[5113]: 11[IKE] received DELETE for IKE_SA GLA[4]
May 02 20:07:35 TLS charon[5113]: 11[IKE] deleting IKE_SA GLA[4] between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:35 TLS charon[5113]: 11[IKE] deleting IKE_SA GLA[4] between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:35 TLS charon[5113]: 11[IKE] IKE_SA deleted
May 02 20:07:35 TLS charon[5113]: 11[IKE] IKE_SA deleted
May 02 20:07:35 TLS charon[5113]: 06[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (386 bytes)
May 02 20:07:36 TLS vpn[5238]: - 192.0.2.66 192.0.2.66 -- 192.0.2.34
May 02 20:07:36 TLS charon[5113]: 11[ENC] generating INFORMATIONAL response 2 [ ]
May 02 20:07:36 TLS charon[5113]: 11[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (57 bytes)
May 02 20:07:36 TLS charon[5113]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
May 02 20:07:36 TLS charon[5113]: 06[IKE] received Cisco Delete Reason vendor ID
May 02 20:07:36 TLS charon[5113]: 06[ENC] received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
May 02 20:07:36 TLS charon[5113]: 06[ENC] received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
May 02 20:07:36 TLS charon[5113]: 06[IKE] received Cisco FlexVPN Supported vendor ID
May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
May 02 20:07:36 TLS charon[5113]: 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
May 02 20:07:36 TLS charon[5113]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
May 02 20:07:36 TLS charon[5113]: 06[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (316 bytes)
May 02 20:07:36 TLS charon[5113]: 07[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (651 bytes)
May 02 20:07:36 TLS charon[5113]: 07[ENC] unknown attribute type (28692)
May 02 20:07:36 TLS charon[5113]: 07[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(USE_TRANSP) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
May 02 20:07:36 TLS charon[5113]: 07[CFG] looking for peer configs matching 192.0.2.34[%any]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[CFG] selected peer config 'GLA'
May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.66' with pre-shared key successful
May 02 20:07:36 TLS charon[5113]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 02 20:07:36 TLS charon[5113]: 07[CFG] no IDr configured, fall back on IP address
May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.34' (myself) with pre-shared key
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[IKE] scheduling reauthentication in 9940s
May 02 20:07:36 TLS charon[5113]: 07[IKE] maximum IKE_SA lifetime 10480s
May 02 20:07:36 TLS charon[5113]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 20:07:36 TLS vpn[5245]: + 192.0.2.66 192.0.2.66 -- 192.0.2.34
May 02 20:07:36 TLS charon[5113]: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
May 02 20:07:36 TLS charon[5113]: 07[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (241 bytes)
```
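Reading by thread can be automated. The script below is an added example, not part of the lab or of strongSwan: it keeps only the charon lines, tags each with its worker-thread number and extracts the lifecycle events (delete, peer initiating, selected IKE and ESP proposals, PSK authentication, IKE_SA and CHILD_SA established), collapsing the lines the capture shows twice. The sample input is a subset of the capture above; `MISMATCH_LINE` is constructed and carries the `no acceptable proposal found` message charon logs when no cipher suite matches, which is the symptom this section tells you to look for.

```python
"""Rebuild the IKE_SA lifecycle from charon journal lines (added example).
charon prefixes each message with its worker-thread number, so the interleaved
delete (thread 11) and the new IKE_SA_INIT/IKE_AUTH exchanges (threads 06 and 07)
can be separated by grouping on that number."""
import re
from collections import defaultdict

_LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ charon\[\d+\]: (\d+)\[(\w+)\] (.*)$")
# (pattern on the message text, event label); first match wins
EVENTS = [
    (re.compile(r"received DELETE for IKE_SA (\S+)"), "delete"),
    (re.compile(r"(\S+) is initiating an IKE_SA"), "init-from-peer"),
    (re.compile(r"selected proposal: IKE:(\S+)"), "ike-proposal"),
    (re.compile(r"selected proposal: ESP:(\S+)"), "esp-proposal"),
    (re.compile(r"no (?:acceptable )?proposal found"), "proposal-mismatch"),  # charon: no suite matched
    (re.compile(r"received NO_PROPOSAL_CHOSEN notify error"), "proposal-rejected-by-peer"),
    (re.compile(r"authentication of '(\S+)' with pre-shared key successful"), "peer-auth"),
    (re.compile(r"IKE_SA (\S+) established"), "ike-sa-up"),
    (re.compile(r"CHILD_SA (\S+) established with SPIs (\S+) (\S+)"), "child-sa-up"),
]


def timeline(text):
    """Return [(time, thread, event, detail)] in log order; duplicated lines are collapsed."""
    entries, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # shell prompt, updown-script lines, other daemons
        ts, thread, _subsystem, msg = m.groups()
        for pat, label in EVENTS:
            hit = pat.search(msg)
            if hit:
                entry = (ts, thread, label, " ".join(hit.groups()))
                if entry not in seen:
                    seen.add(entry)
                    entries.append(entry)
                break
    return entries


def by_thread(text):
    """Group the timeline per worker thread: one list of (event, detail) per thread."""
    groups = defaultdict(list)
    for _ts, thread, label, detail in timeline(text):
        groups[thread].append((label, detail))
    return dict(groups)


# Sample input: lines copied from the journalctl capture on this page.
JOURNAL = """\
May 02 20:07:35 TLS charon[5113]: 11[IKE] received DELETE for IKE_SA GLA[4]
May 02 20:07:35 TLS charon[5113]: 11[IKE] deleting IKE_SA GLA[4] between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:35 TLS charon[5113]: 06[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (386 bytes)
May 02 20:07:36 TLS vpn[5238]: - 192.0.2.66 192.0.2.66 -- 192.0.2.34
May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
May 02 20:07:36 TLS charon[5113]: 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.66' with pre-shared key successful
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
"""
# Constructed line (not from the capture): what a cipher-suite mismatch looks like.
MISMATCH_LINE = "May 02 20:30:00 TLS charon[5113]: 09[IKE] no acceptable proposal found\n"

if __name__ == "__main__":
    for thread, events in sorted(by_thread(JOURNAL).items()):
        print(thread, events)
```

On the capture above this yields three groups: thread `11` with the delete of `GLA[4]`, thread `06` with the peer initiating and the selected IKE proposal, and thread `07` with the PSK authentication, `GLA[5]` up, the selected ESP proposal and `GLA{155}` up with its SPIs. A `proposal-mismatch` entry with no `ike-proposal` or `esp-proposal` following it is the signature to look for when the two templates disagree.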