VYATTA - Simple guide - Case Study 8 - IPSEC

Vyatta Case 8 - IPSec
Last Update: Dec 26 2007






Italian translation by Giovanni Fredducci.






1. CASE STUDY  2. FIGURE  3. CONFIGURATION  4. COMMANDS


1. CASE STUDY

Vyatta version: VC 2.2 Aug 30, 2007
The goal of this tutorial is to create a secure tunnel between a Vyatta router and a Cisco router using the IPSec protocol.
IPSec is a suite of Layer 3 protocols and is typically used to build Virtual Private Networks (VPNs) across untrusted networks such as the Internet.
To provide IPSec functionality, Vyatta integrates OpenSwan, a free and open source tool for building IPSec tunnels on Linux platforms.

Some basic notions about the IPSec protocols and VPNs are listed here.

IPSec:

IPSec can be composed of one or both of two Layer 3 protocols:
ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP can be used for integrity and confidentiality, while AH provides integrity only.

Two protocols are closely related to IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409). ISAKMP (Internet Security Association and Key Management Protocol) is used to establish security associations, while IKE (Internet Key Exchange) performs the automatic key exchange over UDP port 500.

Only predefined traffic, called "interesting traffic", can bring up an IPSec tunnel.

VPNs:

A tunnel can be considered a VPN if it respects the following principles:

- Confidentiality or privacy: the data cannot be in a readable format.
- Integrity: the data cannot be altered.
- Authentication: the VPN gateways are mutually certain of each other's identity.

Case study premise:

Loopback (or virtual) addresses have been created on the Cisco and Vyatta routers. The IPSec tunnel will be opened only for traffic that originates from one router's loopback address and is destined for the other router's loopback address.
How the tunnel comes up is shown below.

Important note: Vyatta supports only ESP, not AH.


2. FIGURE

[Figure: vyatta cisco case study IPSec]

Features tested:

Interface settings
IPSec
IKE

 


3. CONFIGURATION

VYATTA ROUTER VC2.2 Aug 30, 2007

  edit interfaces ethernet eth0
    set address 100.0.0.1 prefix-length 24
  edit interfaces loopback lo
    set address 10.200.1.1 prefix-length 24
  set system host-name Vyatta
  set service telnet
  edit system login user vyatta
    set authentication plaintext-password password

  set vpn ipsec
  edit vpn ipsec
    set ipsec-interfaces
    edit ipsec-interfaces
      set interface eth0

    set ike-group IKE
    edit ike-group IKE
      set lifetime 7200
    set ike-group IKE proposal 1
    edit ike-group IKE proposal 1
      set encryption 3des
      set hash md5
      set dh-group 2

    set esp-group ESP
    edit esp-group ESP
      set lifetime 1800
    set esp-group ESP proposal 1
    edit esp-group ESP proposal 1
      set encryption 3des
      set hash md5

    set site-to-site
    edit site-to-site
      set peer 50.0.0.1
      edit peer 50.0.0.1
        set authentication pre-shared-secret teddy
        set ike-group IKE
        set local-ip 100.0.0.1
        set tunnel 1
        edit tunnel 1
          set local-subnet 10.200.0.0/16
          set remote-subnet 10.250.0.0/16
          set esp-group ESP

  set protocols static route 50.0.0.1/32 next-hop 100.0.0.2

CISCO ROUTER A 2621 IOS: 12.2(46a)

  interface FastEthernet0/1
    ip address 50.0.0.1 255.255.255.0
    crypto map m1
  interface Loopback 1
    ip address 10.250.1.1 255.255.255.255
  hostname Cisco-routerA
  line vty 0 4
    no login
  enable secret password

  crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 7200
  crypto isakmp key teddy address 100.0.0.1

  crypto ipsec transform-set t1 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 1800

  crypto map m1 110 ipsec-isakmp
    set peer 100.0.0.1
    set transform-set t1
    match address 111

  access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

  ip route 100.0.0.1 255.255.255.255 50.0.0.2
  ip route 10.200.1.1 255.255.255.255 100.0.0.1

CISCO ROUTER B 2621 IOS: 12.2(23a)

  interface FastEthernet0/0
    ip address 100.0.0.2 255.255.255.0
  interface FastEthernet0/1
    ip address 50.0.0.2 255.255.255.0
  hostname Cisco-routerB
  line vty 0 4
    no login
  enable secret password


4. COMMANDS:

OPENING THE IPSEC TUNNEL:

The interesting traffic has been defined as:

For the Cisco router: IP source: 10.250.0.0/16 ; IP destination: 10.200.0.0/16
   access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

For the Vyatta router: IP source: 10.200.0.0/16 ; IP destination: 10.250.0.0/16
   set local-subnet 10.200.0.0/16
   set remote-subnet 10.250.0.0/16


To open the IPSec tunnel, the source and destination addresses of the packets must fall within the subnets defined on the Vyatta or Cisco router.

We use the "ping" command to generate traffic that meets the conditions defined on the Vyatta or Cisco router. The source IP address must be specified in the "ping" command; otherwise the source IP address chosen is that of the outgoing physical interface.

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: source IP address to use
-c: number of packets to send

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
IKE

Cisco-RouterA#show crypto isakmp policy

Protection suite of priority 1
  encryption algorithm: Three key triple DES
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 7200 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Cisco-RouterA#show crypto isakmp sa

dst src state conn-id slot
50.0.0.1 100.0.0.1 QM_IDLE 4 0
Cisco-RouterA#show crypto isakmp key

Hostname/Address 100.0.0.1
Preshared Key teddy
Vyatta>show vpn ike status

IKE Process Running

PID: 8366
Vyatta>show vpn ike secrets

Local IP Peer IP Secret
------ ------ ------
100.0.0.1 50.0.0.1 "teddy"
Vyatta>show vpn ike sa

Local IP Peer IP State Encrypt Hash NAT-T A-Time L-Time
-------- ------- ----- ------- ---- ----- ------ ------
100.0.0.1 50.0.0.1 up 3des md5 No 769 7200
IPSEC

Cisco-RouterA#show crypto ipsec transform-set

Transform set t1: { esp-3des esp-md5-hmac }
  will negotiate = { Tunnel, },
Cisco-RouterA#show crypto ipsec security-association-lifetime

Security association lifetime: 4608000 kilobytes/1800 seconds
Cisco-RouterA#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: m1, local addr. 50.0.0.1
           
  local ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
  current_peer: 100.0.0.1
      PERMIT, flags={origin_is_acl,}
    # pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    # pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    # pkts compressed: 0, #pkts decompressed: 0
    # pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    # send errors 0, #recv errors 0
           
      local crypto endpt.: 50.0.0.1, remote crypto endpt.: 100.0.0.1
      path mtu 1500, ip mtu 1500, ip mtu interface FastEthernet0/1
      current outbound spi: CA59FF09
           
      inbound esp sas:
        spi: 0xEC0B17CB(3960149963)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2004, flow_id: 5, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      inbound ah sas:
           
      inbound pcp sas:
           
      outbound esp sas:
        spi: 0xCA59FF09(3394895625)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2005, flow_id: 6, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      outbound ah sas:
           
      outbound pcp sas:
Cisco-RouterA#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
4 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 0 0
2004 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 0 5
2005 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 5 0
Vyatta>show vpn ipsec status

IPSec Process Running PID: 8366

IPsec Interfaces:
   eth0 (100.0.0.1)
Vyatta>show vpn ipsec sa

Peer IP    Tunnel#  Dir  SPI       Encrypt  Hash  NAT-T  A-Time  L-Time
-------    -------  ---  ---       -------  ----  -----  ------  ------
50.0.0.1   1        in   e834f47b  3des     md5   No     185     1800
50.0.0.1   1        out  778ed647  3des           No     185     1800
ROUTES:

Cisco-RouterA#show ip route

Gateway of last resort is not set
 
  50.0.0.0/24 is subnetted, 1 subnets
C   50.0.0.0 is directly connected, FastEthernet0/1
  100.0.0.0/32 is subnetted, 1 subnets
S   100.0.0.1 [1/0] via 50.0.0.2
  10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   10.0.0.0/24 is directly connected, FastEthernet0/0
S   10.200.1.1/32 [1/0] via 100.0.0.1
C   10.250.1.1/32 is directly connected, Loopback1
Vyatta#show route

Routes: 4/4, Paths: 4/4
10.200.1.0/24 [connected(0)] > to 10.200.1.1 via lo
50.0.0.1 [static(1)] > to 100.0.0.2 via eth0
100.0.0.0/24 [connected(0)] > to 100.0.0.1 via eth0
127.0.0.0/8 [connected(0)] > to 127.0.0.1 via lo
Vyatta#show route system forward

Kernel IP routing table
Destination   Gateway     Genmask          Flags  Metric  Ref  Use  Iface
50.0.0.1      100.0.0.2   255.255.255.255  UGH    1       0    0    eth0
100.0.0.0     0.0.0.0     255.255.255.0    U      0       0    0    eth0
10.250.0.0    0.0.0.0     255.255.0.0      U      0       0    0    eth0
DEBUGGING:

Cisco-RouterA#debug crypto isakmp

ISAKMP (0:0):     received packet from 100.0.0.1 (N) NEW SA
ISAKMP local   port 500, remote port 500
ISAKMP (0:5):   processing SA payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:     life type in seconds
ISAKMP:     life duration (basic) of 7200
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash MD5
ISAKMP:     auth pre-share
ISAKMP:     default group 2
ISAKMP (0:5):   atts are acceptable. Next payload is 0
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   processing KE payload. message ID = 0
ISAKMP (0:5):   processing NONCE payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   SKEYID state generated
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   processing ID payload. message ID = 0
ISAKMP (0:5):   processing HASH payload. message ID = 0
ISAKMP (0:5):   SA has been authenticated with 100.0.0.1
ISAKMP (5): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (5): Total payload length: 12
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   processing HASH payload. message ID = -1931975646
ISAKMP (0:5):   processing SA payload. message ID = -1931975646
ISAKMP (0:5):   Checking IPSec proposal 0
  transform 0, ESP_3DES
    attributes in transform:
      group is 2
      encaps is 1
      SA life type in seconds
      SA life duration (basic) of 1800
      authenticator is HMAC-MD5
ISAKMP (0:5):   atts are acceptable.
ISAKMP (0:5):   processing NONCE payload. message ID = -1931975646
ISAKMP (0:5):   processing KE payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   asking for 1 spis from ipsec
  received ke message (2/1)
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
Cisco-RouterA#debug crypto ipsec

IPSEC(sa_aging): lifetime expiring,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004,
  (identity) local= 50.0.0.1, remote= 100.0.0.1,
    local_proxy= 10.250.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 100.0.0.1, sa_prot= 50,
    sa_spi= 0xCA59FF09(3394895625),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
Vyatta>show vpn debug

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 10.200.1.1
000 interface eth0/eth0 100.0.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}trans={0,2,336} attrs={0,2,224}
000
000 "peer-50.0.0.1-tunnel-1":10.200.0.0/16===100.0.0.1...50.0.0.1===10.250.0.0/16; erouted; eroute owner:#2
000 "peer-50.0.0.1-tunnel-1": srcip=unset; dstip=unset; srcup=ipsec_updown; dstup=ipsec_updown;
000 "peer-50.0.0.1-tunnel-1": ike_life: 7200s; ipsec_life: 1800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-50.0.0.1-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth0;
000 "peer-50.0.0.1-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-50.0.0.1-tunnel-1": IKE algorithms wanted: 5_000-1-2, flags=strict
000 "peer-50.0.0.1-tunnel-1": IKE algorithms found: 5_192-1_128-2,
000 "peer-50.0.0.1-tunnel-1": IKE algorithm newest:3DES_CBC_192-MD5-MODP1024
000 "peer-50.0.0.1-tunnel-1": ESP algorithms wanted: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithms loaded: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithm newest: 3DES_0-HMAC_MD5;pfsgroup=
000
000 #2: "peer-50.0.0.1-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 526s; newest IPSEC; eroute owner
000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 esp.778ed647@100.0.0.1 tun.0@50.0.0.1 tun.0@100.0.0.1
000 #1: "peer-50.0.0.1-tunnel-1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6418s; newest ISAKMP; nodpd
000
CONNECTIVITY CHECKS:

Cisco Router A and the Vyatta router must be able to reach each other on their respective WAN addresses.
Cisco Router A WAN address: 50.0.0.1
Vyatta WAN address: 100.0.0.1

Cisco-RouterA#traceroute 100.0.0.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 100.0.0.1 4 msec 0 msec 4 msec
Vyatta>traceroute 50.0.0.1

traceroute to 50.0.0.1 (50.0.0.1), 30 hops max, 40 byte packets
1 100.0.0.2 (100.0.0.2) 1.870 0.872 0.875
2 50.0.0.1 (50.0.0.1) 1.988 * 1.203
   ---------------------------------------------------------------------

If one IPSec router tries to ping or traceroute the other router on its loopback address, there will be no reply, because the loopback address is not routed over the WAN.
A traceroute or ping sent from the router's own WAN IP address does not open the tunnel, because it does not meet the conditions defined on the IPSec routers.

Cisco-RouterA#ping 10.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
Vyatta>ping 10.250.1.1 -c 4

PING 10.250.1.1 (10.250.1.1) 56(84) bytes of data.
From 100.0.0.1 icmp_seq=2 Destination Host Unreachable
From 100.0.0.1 icmp_seq=3 Destination Host Unreachable
From 100.0.0.1 icmp_seq=4 Destination Host Unreachable

--- 10.250.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms, pipe 3
Cisco-RouterA#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 50.0.0.2 !H !H *
Vyatta>traceroute 10.250.1.1

traceroute to 10.250.1.1 (10.250.1.1), 30 hops max, 40 byte packets
1 100.0.0.1 (100.0.0.1) 3002.304 ms !H 3003.655 ms !H 3003.975 ms !H
   ---------------------------------------------------------------------

For the routers to communicate with each other and open the IPSec tunnel, the Vyatta or Cisco router must ping or traceroute from its loopback address toward the WAN IP address of the other router.
By default, the source IP address is that of the outgoing physical interface.

(The extended ping from Cisco-RouterA sourced from 10.250.1.1, and "ping -I 10.200.1.1 -c 4 10.250.1.1" from the Vyatta, produce the same output already shown under OPENING THE IPSEC TUNNEL above.)
Cisco-RouterA#traceroute

Target IP address: 10.200.1.1
Source address: 10.250.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
MaximumTime to Live [1]:
Port number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 10.200.1.1 4 msec 0 msec 4 msec
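As an added example (not part of the original tutorial), the Python below converts the Cisco wildcard ACL into CIDR form, checks that the Cisco and Vyatta selectors are exact mirror images of each other, and classifies a ping by its source and destination as interesting traffic or not; this is the check behind both the "interesting traffic" definition in section 4 and the connectivity-check results above. The ACL line and subnets are taken from the case study; everything else is constructed.

```python
import ipaddress

# Constructed from the case study: Cisco ACL 111 and the Vyatta tunnel 1 selectors.
CISCO_ACL = "access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255"
VYATTA_LOCAL_SUBNET = "10.200.0.0/16"
VYATTA_REMOTE_SUBNET = "10.250.0.0/16"


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair to a CIDR network.

    A wildcard mask is the bitwise inverse of a subnet mask, so 0.0.255.255
    is /16.  A non-contiguous wildcard has no single-prefix equivalent and is
    rejected rather than silently approximated.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_cisco_acl(line):
    """Return (source_net, dest_net) from 'access-list N permit ip S SW D DW'."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL line: " + line)
    return wildcard_to_network(f[4], f[5]), wildcard_to_network(f[6], f[7])


def selectors_mirror(cisco_acl, vyatta_local, vyatta_remote):
    """Quick mode only completes when each side's selectors mirror the other's:
    the ACL source must equal the Vyatta remote-subnet and the ACL destination
    the Vyatta local-subnet.  A /24 on one side against a /16 on the other fails."""
    c_src, c_dst = parse_cisco_acl(cisco_acl)
    return (c_src == ipaddress.IPv4Network(vyatta_remote)
            and c_dst == ipaddress.IPv4Network(vyatta_local))


def is_interesting(src, dst, local_net, remote_net):
    """True when a packet src -> dst matches the tunnel selectors of the side
    whose local/remote subnets are given, i.e. it would bring the tunnel up."""
    return (ipaddress.IPv4Address(src) in ipaddress.IPv4Network(local_net)
            and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(remote_net))


if __name__ == "__main__":
    print("Cisco/Vyatta selectors mirror each other:",
          selectors_mirror(CISCO_ACL, VYATTA_LOCAL_SUBNET, VYATTA_REMOTE_SUBNET))
    # "ping -I 10.200.1.1 10.250.1.1" on the Vyatta: loopback to loopback, opens the tunnel
    print("10.200.1.1 -> 10.250.1.1 interesting:",
          is_interesting("10.200.1.1", "10.250.1.1", VYATTA_LOCAL_SUBNET, VYATTA_REMOTE_SUBNET))
    # plain "ping 10.250.1.1" is sourced from eth0 (100.0.0.1) and is sent in the clear
    print("100.0.0.1 -> 10.250.1.1 interesting:",
          is_interesting("100.0.0.1", "10.250.1.1", VYATTA_LOCAL_SUBNET, VYATTA_REMOTE_SUBNET))
```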