[VPN L2L] VPN problem
Hello everyone,
Following the many pieces of advice I have received on this forum, I would first like to thank you.
This project is about to go live. You could save my life if you are able to help me.
I would be very grateful if you can solve this puzzle.
The diagram:
Right-click, then "View image" to see it in full.

The problem: the VPN comes up fine between the two boxes, but I cannot get the hosts on LanSMS to communicate with the hosts on Vlan103 (and vice versa...).
Appendices:
The 5510 configuration
ASA Version 7.2(4)
!
hostname ASA
domain-name dr6.xxxx.fr
names
name 10.6.237.0 LanSMS
name 194.xx.237.0 Vlan101 description Vlan101
name 10.6.103.0 Vlan103
!
interface Ethernet0/0
description VLAN101 de la delegation 06 (ASA5510 site dans la salle serveur)
nameif VPN_DR6
security-level 0
ip address 194.xx.237.205 255.255.255.0
!
interface Ethernet0/1
nameif Vlan103
security-level 100
ip address 10.6.103.200 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup VPN_DR6
dns domain-lookup Vlan103
dns server-group DefaultDNS
name-server 194.xx.237.112
domain-name dr6.xxxx.fr
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DR06_nat0_outbound extended permit ip Vlan101 255.255.255.0 LanSMS 255.255.255.0
access-list DR06_access_in extended permit ip any any
access-list DR06_access_in extended permit udp any any
access-list DR06_access_in remark permettre ICMP
access-list DR06_access_in extended permit icmp any any
access-list DR06_access_in remark permettre ICMP
access-list DR06_access_out extended permit ip any any
access-list DR06_access_out extended permit icmp any any
access-list DR06_20_cryptomap extended permit ip Vlan103 255.255.255.0 LanSMS 255.255.255.0
access-list Test103_access_out extended permit ip any any
access-list Test103_access_in extended permit ip any any
access-list 100 extended permit ip Vlan103 255.255.255.0 LanSMS 255.255.255.0
access-list Test103_nat0_outbound extended permit ip Vlan103 255.255.255.0 LanSMS 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu VPN_DR6 1500
mtu management 1500
mtu Vlan103 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VPN_DR6
asdm image disk0:/asdm-522.bin
no asdm history enable
arp VPN_DR6 194.xx.237.190 001b.2468.c650 alias
arp timeout 14400
nat-control
nat (Vlan103) 0 access-list Test103_nat0_outbound
static (VPN_DR6,Vlan103) 10.6.103.190 10.6.237.190 netmask 255.255.255.255
access-group DR06_access_in in interface VPN_DR6
access-group DR06_access_out out interface VPN_DR6
access-group Test103_access_in in interface Vlan103
access-group Test103_access_out out interface Vlan103
route VPN_DR6 172.22.106.0 255.255.255.0 172.22.252.17 1
route VPN_DR6 LanSMS 255.255.255.0 194.xx.237.205 1
route VPN_DR6 0.0.0.0 0.0.0.0 194.xx.237.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 Vlan103
http 192.168.1.0 255.255.255.0 management
http Vlan101 255.255.255.0 VPN_DR6
snmp-server host VPN_DR6 194.xx.237.129 community dr06
snmp-server host VPN_DR6 194.xx.237.151 community dr06 version 2c
snmp-server location Salle serveur
no snmp-server contact
snmp-server community dr06
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map DR06_map 20 match address DR06_20_cryptomap
crypto map DR06_map 20 set pfs
crypto map DR06_map 20 set peer 172.22.106.200
crypto map DR06_map 20 set transform-set ESP-3DES-SHA
crypto map DR06_map 20 set reverse-route
crypto map DR06_map interface VPN_DR6
crypto isakmp identity address
crypto isakmp enable VPN_DR6
crypto isakmp enable Vlan103
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
telnet timeout 5
ssh Vlan101 255.255.255.0 VPN_DR6
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server 194.xx.237.254
tftp-server VPN_DR6 194.xx.237.124 /
webvpn
auto-signon allow uri * auth-type basic
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group 172.22.106.200 type ipsec-l2l
tunnel-group 172.22.106.200 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dc767d0a8a0ca25367ef260f7a57664d
: end
The 5505 configuration:
ASA Version 7.2(3)
!
hostname ASA5505
names
name 194.xx.237.0 Vlan101
name 10.6.237.0 LanSMS
name 10.6.103.0 Vlan103
name 172.22.106.0 Vlan713
!
interface Vlan1
nameif insideSMS
security-level 100
ip address 10.6.237.254 255.255.255.0
!
interface Vlan2
nameif VPN
security-level 0
ip address 172.22.106.200 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dr6.xxxx.fr
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list insideSMS_access_in extended permit ip any any
access-list insideSMS_access_in extended permit icmp any any
access-list insideSMS_nat0_outbound extended permit ip LanSMS 255.255.255.0 Vlan101 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list insideSMS_access_out extended permit ip any any
access-list insideSMS_access_out extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit icmp any any
access-list outside_1_cryptomap extended permit ip LanSMS 255.255.255.0 Vlan103 255.255.255.0
access-list 100 extended permit ip LanSMS 255.255.255.0 Vlan103 255.255.255.0
access-list nonat extended permit ip LanSMS 255.255.255.0 Vlan103 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu insideSMS 1500
mtu VPN 1500
ip verify reverse-path interface insideSMS
ip verify reverse-path interface VPN
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (VPN) 1 interface
nat (insideSMS) 0 access-list nonat
access-group insideSMS_access_in in interface insideSMS
access-group insideSMS_access_out out interface insideSMS
access-group outside_access_in in interface VPN
access-group outside_access_out out interface VPN
route insideSMS Vlan103 255.255.255.0 10.6.237.254 1
route VPN 172.22.252.16 255.255.255.252 172.22.106.254 1
route VPN Vlan101 255.255.255.0 172.22.252.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http Vlan101 255.255.255.0 VPN
http LanSMS 255.255.255.0 insideSMS
http Vlan713 255.255.255.0 VPN
snmp-server host VPN 194.xx.237.124 community dr06
snmp-server host VPN 194.xx.237.129 community dr06
snmp-server host VPN 194.xx.237.151 community dr06
snmp-server location CMS
no snmp-server contact
snmp-server community dr06
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 194.xx.237.205
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface VPN
crypto isakmp identity address
crypto isakmp enable insideSMS
crypto isakmp enable VPN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
telnet timeout 5
ssh Vlan713 255.255.255.0 VPN
ssh Vlan101 255.255.255.0 VPN
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
ntp server 172.22.106.254
tftp-server VPN 194.xx.237.124 /
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group 194.xx.237.205 type ipsec-l2l
tunnel-group 194.xx.237.205 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:08fa3490a6ea86edddf80308b400deed
: end
PS: If you would like the output of one or more commands, just let me know.
Regards,
GiLe46
Hello,
EDIT: Since my first post, I have changed Vlan103 to Vlan107: 10.6.107.0/24
After running packet tracer, here is the result:
For the scenario 10.6.107.170 to 10.6.237.190 => No error
For the scenario 10.6.237.190 to 10.6.107.170 => No error
And finally the output of the command: Show crypto isakmp sa
For the small ASA5505
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 194.xx.237.205
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
For the ASA5510
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.22.106.200
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Finally, the output of the command: Show crypto ike sa
For the ASA5505:
Result of the command: "sh crypt ipsec sa"
interface: VPN
Crypto map tag: VPN_map, seq num: 1, local addr: 172.22.106.200
access-list VPN_1_cryptomap permit ip LanSMS 255.255.255.0 Vlan107 255.255.255.0
local ident (addr/mask/prot/port): (LanSMS/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Vlan107/255.255.255.0/0/0)
current_peer: 193.55.237.205
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.22.106.200, remote crypto endpt.: 194.xx.237.205
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D00C9FE9
inbound esp sas:
spi: 0xB10A8EAC (2970259116)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: VPN_map
sa timing: remaining key lifetime (kB/sec): (3915000/25638)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD00C9FE9 (3490488297)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: VPN_map
sa timing: remaining key lifetime (kB/sec): (3914999/25638)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
For the ASA5510:
Result of the command: "sh crypt ipsec sa"
interface: VPN_DR6
Crypto map tag: VPN_DR6_map, seq num: 1, local addr: 194.xx.237.205
access-list VPN_DR6_1_cryptomap permit ip 10.6.107.0 255.255.255.0 LanSMS 255.255.255.0
local ident (addr/mask/prot/port): (10.6.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (LanSMS/255.255.255.0/0/0)
current_peer: 172.22.106.200
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 194.xx.237.205, remote crypto endpt.: 172.22.106.200
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B10A8EAC
inbound esp sas:
spi: 0xD00C9FE9 (3490488297)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: VPN_DR6_map
sa timing: remaining key lifetime (kB/sec): (4373999/25735)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000000FF
outbound esp sas:
spi: 0xB10A8EAC (2970259116)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: VPN_DR6_map
sa timing: remaining key lifetime (kB/sec): (4374000/25735)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi,
to start with: sh isakmp sa and sh ipsec sa
that will show what state the VPN is in.
"The problem: the VPN comes up fine between the two boxes, but I cannot get the hosts on LanSMS to communicate with the hosts on Vlan103 (and vice versa...)."
So it may come from the ACLs on the inside interfaces, or from the crypto maps, or from the fixups... So the best thing:
-> You should simulate the desired traffic with packet tracer in ASDM to see at which step it gets stuck.
Example on the command line:
packet-tracer input outside icmp 172.22.1.6 8 0 172.16.10.1 detailed
In the GUI: http://blogs.techrepublic.com.com/networking/?p=1482
H. Benattar
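The reply above lists the usual suspects when an L2L tunnel is up but carries no traffic: the inside ACLs, the crypto maps, the fixups. Much of that can be checked offline by comparing the two configs before reaching for packet-tracer. The script below is an added example (not code from the thread, from Cisco, or from either poster) that parses only the subset of ASA syntax used in this thread and checks three things per crypto map: that the peer's crypto ACL is the exact mirror image, that a `nat 0` ACL exempts the same traffic, and that the longest-match static route for the remote network leaves through the interface the crypto map is applied to. The embedded inputs are extracts of the two configurations as first posted, limited to the lines the parser understands; the masked `194.xx` next hop is kept as a string so it parses. Run against them, the mirror and NAT checks pass on both boxes, while the route check reports the 5505's `route insideSMS Vlan103 ...` entry, since that box's crypto map is bound to the `VPN` interface.

```python
"""Consistency checks for two Cisco ASA 7.x configs that terminate one IPsec L2L
tunnel.  Added example, not code from the thread or from Cisco; it parses only the
ASA syntax seen in the thread and keeps next hops as strings (194.xx... is fine)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AsaConfig:
    names: dict = field(default_factory=dict)       # object name -> IP string
    acls: dict = field(default_factory=dict)        # ACL name -> [(src_net, dst_net)]
    nat0_acls: list = field(default_factory=list)   # ACLs bound by 'nat (ifc) 0 access-list'
    crypto_acl: dict = field(default_factory=dict)  # crypto map -> ACL name (match address)
    crypto_if: dict = field(default_factory=dict)   # crypto map -> interface it is applied to
    routes: list = field(default_factory=list)      # [(interface, dest_net, next_hop)]

    def resolve(self, token, mask):
        """'LanSMS 255.255.255.0' or '10.6.103.0 255.255.255.0' -> IPv4Network."""
        return ipaddress.ip_network(f"{self.names.get(token, token)}/{mask}", strict=False)


def _addr(cfg, t, i):
    """Consume one ACL address spec at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return cfg.resolve(t[i], t[i + 1]), i + 2


def parse_asa(text):
    cfg = AsaConfig()
    lines = [l.split() for l in text.splitlines() if l.strip()]
    for t in lines:                      # names first: ACLs and routes refer to them
        if t[0] == "name" and len(t) >= 3:
            cfg.names[t[2]] = t[1]
    for t in lines:
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(cfg, t, 5)
            dst, _ = _addr(cfg, t, i)
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg.nat0_acls.append(t[4])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[4:6] == ["match", "address"]:
            cfg.crypto_acl[t[2]] = t[6]
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3] == "interface":
            cfg.crypto_if[t[2]] = t[4]
        elif t[0] == "route" and len(t) >= 5:
            cfg.routes.append((t[1], cfg.resolve(t[2], t[3]), t[4]))
    return cfg


def check_l2l_side(local, remote):
    """Findings for `local` against its peer `remote`; an empty list means consistent."""
    findings = []
    peer_pairs = {p for acl in remote.crypto_acl.values() for p in remote.acls.get(acl, [])}
    nat0_pairs = [p for acl in local.nat0_acls for p in local.acls.get(acl, [])]
    for cmap, acl in local.crypto_acl.items():
        exit_if = local.crypto_if.get(cmap)
        for src, dst in local.acls.get(acl, []):
            # 1. proxy IDs: the peer's crypto ACL must hold the exact mirror image
            if (dst, src) not in peer_pairs:
                findings.append(f"{acl}: {src} -> {dst} has no mirror entry on the peer")
            # 2. NAT exemption: interesting traffic must not be translated before encryption
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0_pairs):
                findings.append(f"{acl}: {src} -> {dst} is not covered by a nat 0 ACL")
            # 3. routing: the longest-match route for dst must use the crypto map's interface
            hits = [r for r in local.routes if dst.subnet_of(r[1])]
            best = max(hits, key=lambda r: r[1].prefixlen) if hits else None
            if best and best[0] != exit_if:
                findings.append(f"route to {dst} exits {best[0]} but crypto map {cmap} "
                                f"is applied to {exit_if}")
    return findings


# Extracts of the two configs posted in the thread (only the lines the parser uses).
ASA5510_EXTRACT = """
name 10.6.237.0 LanSMS
name 10.6.103.0 Vlan103
access-list DR06_20_cryptomap extended permit ip Vlan103 255.255.255.0 LanSMS 255.255.255.0
access-list Test103_nat0_outbound extended permit ip Vlan103 255.255.255.0 LanSMS 255.255.255.0
nat (Vlan103) 0 access-list Test103_nat0_outbound
route VPN_DR6 LanSMS 255.255.255.0 194.xx.237.205 1
crypto map DR06_map 20 match address DR06_20_cryptomap
crypto map DR06_map interface VPN_DR6
"""
ASA5505_EXTRACT = """
name 10.6.237.0 LanSMS
name 10.6.103.0 Vlan103
access-list outside_1_cryptomap extended permit ip LanSMS 255.255.255.0 Vlan103 255.255.255.0
access-list nonat extended permit ip LanSMS 255.255.255.0 Vlan103 255.255.255.0
nat (insideSMS) 0 access-list nonat
route insideSMS Vlan103 255.255.255.0 10.6.237.254 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface VPN
"""


def audit_thread_configs():
    a, b = parse_asa(ASA5510_EXTRACT), parse_asa(ASA5505_EXTRACT)
    return {"ASA5510": check_l2l_side(a, b), "ASA5505": check_l2l_side(b, a)}
```

The checker models only static routes and the three crypto-map conditions; the `static` entry on the 5510, connected-interface routing and the interface ACLs are outside its scope, which is where the packet-tracer run the reply recommends takes over.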