<a href='/s/10p2kR1AJ' target='_self'>Back to the main page</a>

# Site-to-site IPsec VPN - the IPsec configuration

[TOC]

---

## The configuration templates

As for the <a href='/s/UOI1RSg8S' target='_self'>GRE tunnel</a>, **Jinja2** templates are used to generate the IPsec configuration for each of the two systems. The whole difficulty here lies in making the "cipher suites" match between two heterogeneous systems.

* On the **Cisco IOS XE** side, the template [ipsec-iosxe.j2](https://gitlab.inetdoc.net/labs/vpn-ipsec/-/blob/main/mix/templates/ipsec-iosxe.j2) uses the following parameters:
  * IKEv2
    ```
    crypto ikev2 proposal LAB-IKEV2-PROPOSAL
     encryption aes-gcm-256
     prf sha512
     group 21
    ```
  * ESP
    ```
    crypto ipsec transform-set LAB-IPSEC-TSET esp-aes 256 esp-sha256-hmac
     mode transport
    ```
* On the **Linux strongSwan** side, the template [ipsec-linux.conf.j2](https://gitlab.inetdoc.net/labs/vpn-ipsec/-/blob/main/mix/templates/ipsec-linux.conf.j2) uses the matching settings:
  * IKEv2
    ```
    ike=aes256gcm-prfsha512-ecp521!
    ```
  * ESP
    ```
    esp=aes256-sha256!
    ```

  The trailing `!` makes each proposal strict: strongSwan rejects any peer proposal that does not match exactly, which is what forces the two templates to agree. Note the correspondence IOS XE `group 21` = strongSwan `ecp521`, and that AES-GCM, being an AEAD cipher, needs no integrity keyword on either side.

## The IPsec security association

To validate that the "cipher suites" match, the tests must be run on each of the two endpoints.

* On the **Cisco IOS XE** side, the command `show crypto ikev2 session` gives the state of the association together with the identification of the ciphers in use. In the capture below, the line beginning with `Encr:` lists the parameters applied from the `LAB-IKEV2-PROPOSAL` proposal.
  ```
  GLA#sh crypto ikev2 session
   IPv4 Crypto IKEv2 Session

  Session-id:20, Status:UP-ACTIVE, IKE count:1, CHILD count:1

  Tunnel-id Local                 Remote                fvrf/ivrf            Status
  1         192.0.2.66/500        192.0.2.34/500        none/none            READY
        Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
        Life/Active Time: 86400/1753 sec
  Child sa: local selector  192.0.2.66/0 - 192.0.2.66/65535
            remote selector 192.0.2.34/0 - 192.0.2.34/65535
            ESP spi in/out: 0x73A0547B/0xCE7BE077
  ```

  `Hash: None` is expected here: AES-GCM is an AEAD cipher, so no separate integrity algorithm is negotiated for IKE, which is also why the strongSwan `ike=` line carries no integrity keyword.

* On the **Linux strongSwan** side, the command `sudo ipsec statusall` gives the state of the association and the identification of the same ciphers. In the capture below, the line beginning with `GLA[2]: IKE proposal:` lists the parameters defined in the configuration file `/etc/ipsec.conf`; the line `GLA{3}: AES_CBC_256/HMAC_SHA2_256_128` does the same for the ESP transform-set. The ESP SPIs are the same pair as on the router, with inbound and outbound swapped (`ce7be077_i 73a0547b_o` against `ESP spi in/out: 0x73A0547B/0xCE7BE077`), which confirms that both outputs describe the same CHILD_SA.

  ```
  etu@TLS:~$ sudo ipsec statusall
  Status of IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-7-amd64, x86_64):
    uptime: 47 minutes, since May 02 18:55:12 2023
    malloc: sbrk 2850816, mmap 0, used 979856, free 1870960
    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
    loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
  Listening IP addresses:
    192.0.2.34
    2001:db8:19a::22
  Connections:
           GLA:  %any...192.0.2.66  IKEv2
           GLA:   local:  uses pre-shared key authentication
           GLA:   remote: [192.0.2.66] uses pre-shared key authentication
           GLA:   child:  dynamic === dynamic TRANSPORT
  Security Associations (1 up, 0 connecting):
           GLA[2]: ESTABLISHED 46 minutes ago, 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
           GLA[2]: IKEv2 SPIs: 9a8850d7fdd12224_i 1d0521858b73c9dd_r*, pre-shared key reauthentication in 2 hours
           GLA[2]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
           GLA{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce7be077_i 73a0547b_o
           GLA{3}:  AES_CBC_256/HMAC_SHA2_256_128, 1088 bytes_i (14 pkts, 2759s ago), 0 bytes_o, rekeying in 97 seconds
           GLA{3}:   192.0.2.34/32[gre] === 192.0.2.66/32[gre]
  ```

## System logs

Finally, do not forget to consult the logs of each system in order to identify mismatches between the two configurations.

* On the **Cisco IOS XE** side, use the command `show logging`. For the capture below, the command `clear crypto ikev2 sa` was run in order to reset the security association. The result in the system logs is as follows:

  ```
  May 2 16:07:37.840: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
  May 2 16:07:37.852: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.0.2.66-192.0.2.66 Protocol: 47 Port Range: 0-65535; remote traffic selector = Address Range: 192.0.2.34-192.0.2.34 Protocol: 47 Port Range: 0-65535
  May 2 16:07:37.876: %IKEV2-5-SA_DOWN: SA DOWN
  May 2 16:07:37.929: %IKEV2-5-SA_UP: SA UP
  May 2 16:07:37.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
  ```

* On the **Linux strongSwan** side, use `journalctl`. Following the reset of the security association done on the **IOS XE** side, the messages below are obtained. Although the capture is long, the reset can be spotted from line 14 onwards, and from line 19 the phases of the establishment of a new security association can be followed.
  ```=
  etu@TLS:~$ journalctl -n 50 -f -u strongswan-starter.service
  May 02 19:57:54 TLS charon[5113]: 15[IKE] authentication of '192.0.2.34' (myself) with pre-shared key
  May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 19:57:54 TLS charon[5113]: 15[IKE] scheduling reauthentication in 10099s
  May 02 19:57:54 TLS charon[5113]: 15[IKE] maximum IKE_SA lifetime 10639s
  May 02 19:57:54 TLS charon[5113]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
  May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
  May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
  May 02 19:57:54 TLS charon[5113]: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
  May 02 19:57:54 TLS charon[5113]: 15[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (241 bytes)
  May 02 20:07:35 TLS charon[5113]: 11[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (65 bytes)
  May 02 20:07:35 TLS charon[5113]: 11[ENC] parsed INFORMATIONAL request 2 [ D ]
  May 02 20:07:35 TLS charon[5113]: 11[IKE] received DELETE for IKE_SA GLA[4]
  May 02 20:07:35 TLS charon[5113]: 11[IKE] deleting IKE_SA GLA[4] between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 20:07:35 TLS charon[5113]: 11[IKE] deleting IKE_SA GLA[4] between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 20:07:35 TLS charon[5113]: 11[IKE] IKE_SA deleted
  May 02 20:07:35 TLS charon[5113]: 11[IKE] IKE_SA deleted
  May 02 20:07:35 TLS charon[5113]: 06[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (386 bytes)
  May 02 20:07:36 TLS vpn[5238]: - 192.0.2.66 192.0.2.66 -- 192.0.2.34
  May 02 20:07:36 TLS charon[5113]: 11[ENC] generating INFORMATIONAL response 2 [ ]
  May 02 20:07:36 TLS charon[5113]: 11[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (57 bytes)
  May 02 20:07:36 TLS charon[5113]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
  May 02 20:07:36 TLS charon[5113]: 06[IKE] received Cisco Delete Reason vendor ID
  May 02 20:07:36 TLS charon[5113]: 06[ENC] received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
  May 02 20:07:36 TLS charon[5113]: 06[ENC] received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
  May 02 20:07:36 TLS charon[5113]: 06[IKE] received Cisco FlexVPN Supported vendor ID
  May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
  May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
  May 02 20:07:36 TLS charon[5113]: 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
  May 02 20:07:36 TLS charon[5113]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
  May 02 20:07:36 TLS charon[5113]: 06[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (316 bytes)
  May 02 20:07:36 TLS charon[5113]: 07[NET] received packet: from 192.0.2.66[500] to 192.0.2.34[500] (651 bytes)
  May 02 20:07:36 TLS charon[5113]: 07[ENC] unknown attribute type (28692)
  May 02 20:07:36 TLS charon[5113]: 07[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(USE_TRANSP) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
  May 02 20:07:36 TLS charon[5113]: 07[CFG] looking for peer configs matching 192.0.2.34[%any]...192.0.2.66[192.0.2.66]
  May 02 20:07:36 TLS charon[5113]: 07[CFG] selected peer config 'GLA'
  May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.66' with pre-shared key successful
  May 02 20:07:36 TLS charon[5113]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
  May 02 20:07:36 TLS charon[5113]: 07[CFG] no IDr configured, fall back on IP address
  May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.34' (myself) with pre-shared key
  May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
  May 02 20:07:36 TLS charon[5113]: 07[IKE] scheduling reauthentication in 9940s
  May 02 20:07:36 TLS charon[5113]: 07[IKE] maximum IKE_SA lifetime 10480s
  May 02 20:07:36 TLS charon[5113]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
  May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
  May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
  May 02 20:07:36 TLS vpn[5245]: + 192.0.2.66 192.0.2.66 -- 192.0.2.34
  May 02 20:07:36 TLS charon[5113]: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
  May 02 20:07:36 TLS charon[5113]: 07[NET] sending packet: from 192.0.2.34[500] to 192.0.2.66[500] (241 bytes)
  ```

  The two `received unknown vendor ID` lines are not errors: the bytes are plain ASCII (`CISCOVPN-REV-02` and `CISCO-DYNAMIC-ROUTE`), Cisco-specific vendor IDs that charon simply does not recognise. The two `selected proposal:` lines are the ones to compare with the `ike=` and `esp=` settings when a mismatch is suspected. Note also that the two clocks are not in the same time zone (16:07 on the router against 20:07 on the Linux host for the same reset), which matters when correlating the two logs.
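The two checks described in the template and security-association sections above (matching the template keywords, then comparing what `show crypto ikev2 session` and `ipsec statusall` report) can be scripted. The following Python script is an added example, not code from the lab repository or from this page: its keyword tables are a hand-written subset limited to the algorithms used here, and the sample lines are copied from the captures above. It translates the IOS XE proposal and transform-set into the strongSwan `ike=`/`esp=` notation, rewrites the `Encr:` line of the router output in the IANA-style notation charon prints after `IKE proposal:`, and checks that the ESP SPIs seen by each side are one pair with inbound and outbound swapped, the quickest way to confirm that both outputs describe the same CHILD_SA.

```python
"""Cross-check the IKEv2/ESP suites of the IOS XE <-> strongSwan tunnel.

Added example, not code from the lab repository. The keyword tables are a
hand-written subset limited to the algorithms used on this page, and the
sample lines are copied from the captures above.
"""
import re

# IOS XE "crypto ikev2 proposal" keyword -> strongSwan ike= keyword (subset)
IKE_ENCR = {"aes-gcm-256": "aes256gcm", "aes-gcm-128": "aes128gcm",
            "aes-cbc-256": "aes256", "aes-cbc-128": "aes128"}
IKE_INTEG = {"sha512": "sha512", "sha384": "sha384", "sha256": "sha256"}
IKE_PRF = {"sha512": "prfsha512", "sha384": "prfsha384", "sha256": "prfsha256"}
# IANA DH group number -> (strongSwan keyword, name charon prints in its output)
DH_GROUP = {"14": ("modp2048", "MODP_2048"), "19": ("ecp256", "ECP_256"),
            "20": ("ecp384", "ECP_384"), "21": ("ecp521", "ECP_521")}

# Sample text copied from the page: the IOS XE template output, the "Encr:" and
# "ESP spi" lines of "show crypto ikev2 session", and two lines of "ipsec statusall".
IOSXE_PROPOSAL = """crypto ikev2 proposal LAB-IKEV2-PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 21
"""
IOSXE_TSET = "crypto ipsec transform-set LAB-IPSEC-TSET esp-aes 256 esp-sha256-hmac"
STRONGSWAN_IKE, STRONGSWAN_ESP = "aes256gcm-prfsha512-ecp521", "aes256-sha256"
CISCO_ENCR = ("Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:21, "
              "Auth sign: PSK, Auth verify: PSK")
CISCO_SPI = "ESP spi in/out: 0x73A0547B/0xCE7BE077"
SS_IKE = "GLA[2]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521"
SS_SPI = "GLA{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce7be077_i 73a0547b_o"


def iosxe_proposal_to_ike(proposal: str) -> str:
    """Translate a 'crypto ikev2 proposal' block into a strongSwan ike= value.

    Assumes one algorithm per line; IOS XE accepts several, in which case
    strongSwan needs one ike= entry per combination."""
    kv = dict(re.findall(r"^\s*(encryption|integrity|prf|group)\s+(\S+)", proposal, re.M))
    parts = [IKE_ENCR[kv["encryption"]]]
    if "integrity" in kv:            # absent with an AEAD cipher such as AES-GCM
        parts.append(IKE_INTEG[kv["integrity"]])
    parts.append(IKE_PRF[kv["prf"]])
    parts.append(DH_GROUP[kv["group"]][0])
    return "-".join(parts)


def iosxe_tset_to_esp(tset: str) -> str:
    """Translate a 'crypto ipsec transform-set' line into a strongSwan esp= value.

    No DH group is emitted, matching the page's esp= line (no PFS on rekey)."""
    m = re.search(r"esp-(aes|gcm)\s+(128|192|256)(?:\s+esp-(sha\d+)-hmac)?", tset)
    if not m:
        raise ValueError(f"unsupported transform-set: {tset!r}")
    encr, bits, integ = m.groups()
    if encr == "gcm":
        return f"aes{bits}gcm"
    if integ is None:
        raise ValueError("AES-CBC needs an esp-sha*-hmac integrity transform")
    return f"aes{bits}-{integ}"


def iosxe_session_to_iana(encr_line: str) -> str:
    """Rewrite the 'Encr:' line of 'show crypto ikev2 session' in the notation
    'ipsec statusall' prints after 'IKE proposal:', for a byte-for-byte comparison.
    SHA-2 PRF/integrity only."""
    f = {k: v.strip() for k, v in
         re.findall(r"(Encr|keysize|PRF|Hash|DH Grp):\s*([^,]+)", encr_line)}
    if f["Encr"] == "AES-GCM":                   # AEAD: no separate integrity algorithm
        algs = [f"AES_GCM_16_{f['keysize']}"]
    elif f["Encr"] == "AES-CBC":                 # HMAC-SHA2 tag is half the digest length
        bits = int(f["Hash"][3:])                # "SHA256" -> 256
        algs = [f"AES_CBC_{f['keysize']}", f"HMAC_SHA2_{bits}_{bits // 2}"]
    else:
        raise ValueError(f"unsupported cipher {f['Encr']!r}")
    algs.append(f"PRF_HMAC_SHA2_{f['PRF'][3:]}")
    algs.append(DH_GROUP[f["DH Grp"]][1])
    return "/".join(algs)


def same_child_sa(cisco_spi_line: str, ss_spi_line: str) -> bool:
    """True when the two outputs describe one CHILD_SA: the SPI IOS XE receives on
    is the one strongSwan sends on, and vice versa."""
    c_in, c_out = re.search(r"ESP spi in/out:\s*0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)",
                            cisco_spi_line).groups()
    s_in, s_out = re.search(r"ESP SPIs:\s*([0-9a-f]+)_i\s+([0-9a-f]+)_o", ss_spi_line).groups()
    return (c_in.lower(), c_out.lower()) == (s_out, s_in)


def check_lab() -> dict[str, bool]:
    """Run the four checks on the page's own captures."""
    return {
        "ike_config_matches": iosxe_proposal_to_ike(IOSXE_PROPOSAL) == STRONGSWAN_IKE,
        "esp_config_matches": iosxe_tset_to_esp(IOSXE_TSET) == STRONGSWAN_ESP,
        "ike_sa_matches": iosxe_session_to_iana(CISCO_ENCR) == SS_IKE.split("IKE proposal: ")[1],
        "same_child_sa": same_child_sa(CISCO_SPI, SS_SPI),
    }


if __name__ == "__main__":
    for name, ok in check_lab().items():
        print(f"{name:20} {'OK' if ok else 'MISMATCH'}")
```

One caveat the script makes visible: `esp=aes256-sha256!` names no DH group, so strongSwan rekeys the CHILD_SA without PFS. If `set pfs` is ever added to the IPsec profile on the IOS XE side, the matching group (`ecp521` for group 21) must be appended to `esp=` as well, otherwise the strict `!` proposal will reject the rekey.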
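To turn the log reading of the previous section into something repeatable, here is an added example (not code from this page or from the lab repository) that parses charon's journal lines. It tracks each IKE_SA with the proposal charon selected for it and the CHILD_SAs installed under it (SPIs, traffic selectors, ESP proposal), records when a DELETE came from the peer, which is what the `clear crypto ikev2 sa` run on the router produces, and reports any negotiated suite that differs from what the templates were meant to produce. The sample lines are a constructed subset of the capture above, duplicates included; the expected suites are the `ike=`/`esp=` values written in charon's notation.

```python
"""Track the IKE_SA / CHILD_SA lifecycle in strongSwan (charon) journal lines.

Added example, not code from the lab repository. JOURNAL_SAMPLE is a constructed
subset of the journalctl capture on this page, duplicates kept on purpose since
charon logs some lines twice when two loggers are active.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Expected suites: the ike=/esp= lines rewritten in charon's own notation
EXPECTED_IKE = "AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521"
EXPECTED_ESP = "AES_CBC_256/HMAC_SHA2_256_128"   # charon appends /NO_EXT_SEQ (no ESN)

JOURNAL_SAMPLE = """\
May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 19:57:54 TLS charon[5113]: 15[IKE] IKE_SA GLA[4] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 19:57:54 TLS charon[5113]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 19:57:54 TLS charon[5113]: 15[IKE] CHILD_SA GLA{154} established with SPIs c5d8dad4_i 7274d45a_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 20:07:35 TLS charon[5113]: 11[IKE] received DELETE for IKE_SA GLA[4]
May 02 20:07:35 TLS charon[5113]: 11[IKE] IKE_SA deleted
May 02 20:07:36 TLS vpn[5238]: - 192.0.2.66 192.0.2.66 -- 192.0.2.34
May 02 20:07:36 TLS charon[5113]: 06[IKE] 192.0.2.66 is initiating an IKE_SA
May 02 20:07:36 TLS charon[5113]: 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
May 02 20:07:36 TLS charon[5113]: 07[IKE] authentication of '192.0.2.66' with pre-shared key successful
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[IKE] IKE_SA GLA[5] established between 192.0.2.34[192.0.2.34]...192.0.2.66[192.0.2.66]
May 02 20:07:36 TLS charon[5113]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
May 02 20:07:36 TLS charon[5113]: 07[IKE] CHILD_SA GLA{155} established with SPIs c881e27d_i 2d8b089d_o and TS 192.0.2.34/32[gre] === 192.0.2.66/32[gre]
"""

RE_MSG = re.compile(r"charon\[\d+\]: \d+\[\w+\] (.*)$")
RE_IKE_UP = re.compile(r"IKE_SA (\S+) established between")
RE_PROPOSAL = re.compile(r"selected proposal: (IKE|ESP):(\S+)")
RE_CHILD = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (.*)$")
RE_DELETE = re.compile(r"received DELETE for IKE_SA (\S+)")


@dataclass
class IkeSa:
    name: str                          # e.g. "GLA[5]"
    ike_proposal: str | None = None    # None when negotiated before the capture window
    children: list[dict] = field(default_factory=list)
    deleted_by_peer: bool = False


def parse_journal(text: str) -> list[IkeSa]:
    """Build one IkeSa per 'IKE_SA ... established' line, attaching the proposal
    charon selected just before it and the CHILD_SAs installed after it."""
    sas: list[IkeSa] = []
    pending: dict[str, str] = {}       # "IKE"/"ESP" -> last selected proposal
    for line in text.splitlines():
        m = RE_MSG.search(line)
        if not m:                      # updown script output and other non-charon lines
            continue
        msg = m.group(1)
        if (p := RE_PROPOSAL.search(msg)):
            pending[p.group(1)] = p.group(2)
        elif (u := RE_IKE_UP.search(msg)):
            if sas and sas[-1].name == u.group(1):
                continue               # duplicate log line
            sas.append(IkeSa(u.group(1), pending.pop("IKE", None)))
        elif (c := RE_CHILD.search(msg)) and sas:
            if any(ch["name"] == c.group(1) for ch in sas[-1].children):
                continue               # duplicate log line
            sas[-1].children.append({"name": c.group(1), "spi_in": c.group(2),
                                     "spi_out": c.group(3), "ts": c.group(4),
                                     "esp_proposal": pending.pop("ESP", None)})
        elif (d := RE_DELETE.search(msg)):
            for sa in sas:
                if sa.name == d.group(1):
                    sa.deleted_by_peer = True
    return sas


def audit(sas: list[IkeSa], expect_ike: str = EXPECTED_IKE,
          expect_esp: str = EXPECTED_ESP) -> list[str]:
    """Report peer-initiated teardowns and any negotiated suite that differs
    from what the templates were meant to produce."""
    findings = []
    for sa in sas:
        if sa.deleted_by_peer:
            findings.append(f"{sa.name}: IKE_SA deleted at the peer's request")
        if sa.ike_proposal is not None and sa.ike_proposal != expect_ike:
            findings.append(f"{sa.name}: IKE proposal {sa.ike_proposal} != {expect_ike}")
        for ch in sa.children:
            if ch["esp_proposal"] is None:
                continue
            esp = re.sub(r"/(NO_)?EXT_SEQ$", "", ch["esp_proposal"])  # drop the ESN flag
            if esp != expect_esp:
                findings.append(f"{ch['name']}: ESP proposal {esp} != {expect_esp}")
    return findings


if __name__ == "__main__":
    sas = parse_journal(JOURNAL_SAMPLE)
    for sa in sas:
        print(sa)
    print(audit(sas))
```

On the sample, the only finding is that `GLA[4]` was deleted at the peer's request, which is exactly the `clear crypto ikev2 sa` seen from the Linux side; `GLA[5]` comes up with the expected suites. Feed it `journalctl -u strongswan-starter.service --no-pager` output and change `EXPECTED_IKE`/`EXPECTED_ESP` whenever the templates change.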