TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Webmaster:
Blaise Carrera
VYATTA - The Easy Tutorial - Case Study 8 - IPSEC

Vyatta Case 8 - IPSec
Last Change : Dec 07 2010


Tool
Install
Ergonomy
Forum



Details What is Vyatta?
Screenshots
Prerequisites
Tutorial Vyatta
Vyatta & Cisco Commands
Vyatta/Cisco/Quagga Comparison (Quagga section)
Case Study 1 - Static routes (VC 2.0)
Case Study 2 - OSPF simple (VC 2.0)
Case Study 3 - OSPF advanced (VC 2.0)
Case Study 4 - BGP (VC 3.0)
Case Study 5 - VRRP (VC 2.2)
Case Study 6 - NAT (VC 2.0)
Case Study 7 - DHCP (VC 2.2)
Case Study 8 - IPSec (VC 2.2)
Case Study 9 - Packages (VC 3.0)
Case Study 10 - Bridging (VC 3.0)
Case Study 11 - CDP VC 3.0




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!



1. CASE PRINCIPLE 2. PICTURE 3. CONFIGURATIONS 4. SHOW COMMANDS


1. CASE PRINCIPLE

Vyatta version used: VC 2.2 Aug 30, 2007
The goal of this tutorial is to create a secured tunnel between a Vyatta and a Cisco router with the IPSec protocol.
IPSec is a set of Layer 3 protocols and is typically used to create Virtual Private Networks (VPN) through unsecured networks such as Internet.
To provide the IPSec functionalities, Vyatta has integrated OpenSwan which is a free and open source tool used to create IPSec tunnels on Linux platforms.

We will limit ourselves to give here some key concepts about IPSec and VPNs.

IPSec:

IPSec can be composed of one or both of the following layer 3 protocols:
ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP can be used for integrity and confidentiality and AH for integrity only.

Two protocols are closely linked with IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409). ISAKMP (Internet Security Association and Key Management Protocol) is used to establish security associations and IKE (Internet Key Exchange) for automatic key exchange management via the UDP port 500.

Only pre defined traffic, called interesting traffic, can raise a IPSec tunnel.

VPNs:

To be considered as a VPN, a tunnel must respect the following principles:

- Confidentiality or privacy: The data cannot be seen in a readable format.
- Integrity: The data cannot be altered.
- Authentication: The VPN gateways are sure about the identity of the other.

About the case study:

Loopback (or virtual) addresses have been created on Cisco A and Vyatta Routers. The IPSec tunnel will be opened only when traffic comes from a router loopback address towards the other router loopback address.
See below for details about how to raise the tunnel.

Important notice: Vyatta only supports ESP but not AH.


2. PICTURE

  vyatta cisco case study IPSec Functionalities tested:

(click on the web links to have more details about a protocol)

Interface settings
IPSec
IKE

 


3. CONFIGURATIONS

VYATTA ROUTER VC2.2 Aug 30, 2007
See the entire configuration
 
CISCO ROUTER A 2621 IOS: 12.2(46a)
See the entire configuration
 
edit interfaces ethernet eth0
  set address 100.0.0.1 prefix-length 24
 
interface FastEthernet0/1
  ip address 50.0.0.1 255.255.255.0
  crypto map m1
edit interfaces loopback lo
  set address 10.200.1.1 prefix-length 24
interface Loopback 1
  ip address 10.250.1.1 255.255.255.255
set system host-name Vyatta hostname Cisco-routerA
set service telnet
 
line vty 0 4
  no login
edit system login user vyatta
  set authentification plaintext-password
   password
enable secret password
 
set vpn ipsec
edit vpn ipsec
  set ipsec-interfaces
  edit ipsec-interfaces
    set interface eth0

  set ike-group IKE
  edit ike-group IKE
    set lifetime 7200
  set ike-group IKE proposal 1
  edit ike-group IKE proposal 1
      set encryption 3des
      set hash md5
      set dh-group 2
 
  set esp-group ESP
  edit esp-group ESP
    set lifetime 1800
  set esp-group ESP proposal 1
  edit esp-group ESP proposal 1
      set encryption 3des
      set hash md5

  set site-to-site
  edit site-to-site
    set peer 50.0.0.1
    edit peer 50.0.0.1
    set authentification pre-shared-secret
     teddy
    set ike-group IKE
    set local-ip 100.0.0.1
    set tunnel 1
    edit tunnel 1
      set local-subnet 10.200.0.0/16
      set remote-subnet 10.250.0.0/16
      set esp-group ESP
crypto isakmp policy 1
  encr 3des
  hash md5
  authentification pre-share
  group 2
  lifetime 7200
crypto isakmp key teddy address 100.0.0.1

crypto ipsec transform-set t1 esp-3des
 esp-md5-hmac
crypto ipsec security-association lifetime
 seconds 1800

crypto map m1 110 ipsec-isakmp
  set peer 100.0.0.1
  set transform-set t1
  match address 111

access-list 111 permit ip 10.250.0.0
 0.0.255.255 10.200.0.0 0.0.255.255

set protocols static route 50.0.0.1/32
 next-hop 100.0.0.2
 
ip route 100.0.0.1 255.255.255.255 50.0.0.2

ip route 10.200.1.1 255.255.255.255 100.0.0.1
CISCO ROUTER B 2621 IOS: 12.2(23a)
See the entire configuration
 
interface FastEthernet0/0
  ip address 100.0.0.2 255.255.255.0
interface FastEthernet0/1
  ip address 50.0.0.2 255.255.255.0
hostname Cisco-routerB
line vty 0 4
  no login
enable secret password
 
Top of the page



4. SHOW COMMANDS:

RAISE THE IPSEC TUNNEL:

The interesting traffic has been defined as follows:

On the Cisco router: IP source: 10.250.0.0/16 ; IP destination: 10.200.0.0/16
   access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

On the Vyatta router: IP source: 10.200.0.0/16 ; IP destination: 10.250.0.0/16
   set local-subnet 10.200.0.0/16
   set remote-subnet 10.250.0.0/16


To raise the IPSec tunnel the packets source and destination IP addresses must be inside the ranges defined by the Vyatta or Cisco routers.

We use the Ping command to generate traffic matching the conditions defined by the Vyatta or Cisco routers. The source IP address must be specified in the ping command, otherwise the source IP address takes the outgoing physical interface IP address.

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: specify the source IP address
-c: Number of packets sent

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
IKE

Cisco-RouterA#show crypto isakmp policy

Protection suite of priority 1
  encryption algorithm: Three key triple DES
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 7200 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Cisco-RouterA#show crypto isakmp sa

dst src state conn-id slot
50.0.0.1 100.0.0.1 QM_IDLE 4 0
Cisco-RouterA#show crypto isakmp key

Hostname/Address 100.0.0.1
Preshared Key teddy
Vyatta>show vpn ike status

IKE Process Running

PID: 8366
Vyatta>show vpn ike secrets

Local IP Peer IP Secret
------ ------ ------
100.0.0.1 50.0.0.1 "teddy"
Vyatta>show vpn ike sa

Local IP Peer IP State Encrypt Hash NAT-T A-Time L-Time
-------- ------- ----- ------- ---- ----- ------ ------
100.0.0.1 50.0.0.1 up 3des md5 No 769 7200
IPSEC

Cisco-RouterA#show crypto ipsec transform-set

Transform set t1: { esp-3des esp-md5-hmac }
  will negotiate = { Tunnel, },
Cisco-RouterA#show crypto ipsec security-association-lifetime

Security association lifetime: 4608000 kilobytes/1800 seconds
Cisco-RouterA#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: m1, local addr. 50.0.0.1
           
  local ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
  current_peer: 100.0.0.1
      PERMIT, flags={origin_is_acl,}
    # pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    # pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    # pkts compressed: 0, #pkts decompressed: 0
    # pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    # send errors 0, #recv errors 0
           
      local crypto endpt.: 50.0.0.1, remote crypto endpt.: 100.0.0.1
      path mtu 1500, ip mtu 1500, ip mtu interface FastEthernet0/1
      current outbound spi: CA59FF09
           
      inbound esp sas:
        spi: 0xEC0B17CB(3960149963)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2004, flow_id: 5, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      inbound ah sas:
           
      inbound pcp sas:
           
      outbound esp sas:
        spi: 0xCA59FF09(3394895625)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2005, flow_id: 6, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      outbound ah sas:
           
      outbound pcp sas:
Cisco-RouterA#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
4 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 0 0
2004 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 0 5
2005 FastEthernet0/1 50.0.0.1 set HMAC_MD5+3DES_56_C 5 0
Vyatta>show vpn ipsec status

IPSec Process Running PID: 8366

IPsec Interfaces:
   eth0 (100.0.0.1)
Vyatta>show vpn ipsec sa

Peer IP Tunnel# Dir SPI Encrypt Hash NAT-T A-TimeL-Time
------- ------- --- --- ------- ---- ------ ------L-Time
50.0.0.1 1 in e834f47b 3des md5 No 1851800
50.0.0.1 1 out 778ed647 3des No 1851800
ROUTES:

Cisco-RouterA#show ip route

Gateway of last resort is not set
 
  50.0.0.0/24 is subnetted, 1 subnets
C   50.0.0.0 is directly connected, FastEthernet0/1
  100.0.0.0/32 is subnetted, 1 subnets
S   100.0.0.1 [1/0] via 50.0.0.2
  10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   10.0.0.0/24 is directly connected, FastEthernet0/0
S   10.200.1.1/32 [1/0] via 100.0.0.1
C   10.250.1.1/32 is directly connected, Loopback1
Vyatta#show route

Routes: 4/4, Paths: 4/4
10.200.1.0/24 [connected(0)] > to 10.200.1.1 via lo
50.0.0.1 [static(1)] > to 100.0.0.2 via eth0
100.0.0.0/24 [connected(0)] > to 100.0.0.1 via eth0
127.0.0.0/8 [connected(0)] > to 127.0.0.1 via lo
Vyatta#show route system forward

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref
Use
Iface
50.0.0.1 100.0.0.2 255.255.255.255 UGH 1 0
0
eth0
100.0.0.0 0.0.0.0 255.255.255.0 U 0 0
0
eth0
10.250.0.0 0.0.0.0 255.255.0.0 U 0 0
0
eth0
DEBUGGING:

Cisco-RouterA#debug crypto isakmp

ISAKMP (0:0):     received packet from 100.0.0.1 (N) NEW SA
ISAKMP local   port 500, remote port 500
ISAKMP (0:5):   processing SA payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:     life type in seconds
ISAKMP:     life duration (basic) of 7200
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash MD5
ISAKMP:     auth pre-share
ISAKMP:     default group 2
ISAKMP (0:5):   atts are acceptable. Next payload is 0
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   processing KE payload. message ID = 0
ISAKMP (0:5):   processing NONCE payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   SKEYID state generated
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   processing ID payload. message ID = 0
ISAKMP (0:5):   processing HASH payload. message ID = 0
ISAKMP (0:5):   SA has been authenticated with 100.0.0.1
ISAKMP (5): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (5): Total payload length: 12
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   processing HASH payload. message ID = -1931975646
ISAKMP (0:5):   processing SA payload. message ID = -1931975646
ISAKMP (0:5):   Checking IPSec proposal 0
  transform 0, ESP_3DES
    attributes in transform:
      group is 2
      encaps is 1
      SA life type in seconds
      SA life duration (basic) of 1800
      authenticator is HMAC-MD5
ISAKMP (0:5):   atts are acceptable.
ISAKMP (0:5):   processing NONCE payload. message ID = -1931975646
ISAKMP (0:5):   processing KE payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   asking for 1 spis from ipsec
  received ke message (2/1)
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
Cisco-RouterA#debug crypto ipsec

IPSEC(sa_aging): lifetime expiring,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004,
  (identity) local= 50.0.0.1, remote= 100.0.0.1,
    local_proxy= 10.250.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 100.0.0.1, sa_prot= 50,
    sa_spi= 0xCA59FF09(3394895625),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
Vyatta>show vpn debug

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 10.200.1.1
000 interface eth0/eth0 100.0.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128,keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}trans={0,2,336} attrs={0,2,224}
000
000 "peer-50.0.0.1-tunnel-1":10.200.0.0/16===100.0.0.1...50.0.0.1===10.250.0.0/16; erouted; eroute owner:#2
000 "peer-50.0.0.1-tunnel-1": srcip=unset; dstip=unset; srcup=ipsec_updown; dstup=ipsec _updown;
000 "peer-50.0.0.1-tunnel-1": ike_life: 7200s; ipsec_life: 1800s;rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-50.0.0.1-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16;interface: eth0;
000 "peer-50.0.0.1-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-50.0.0.1-tunnel-1": IKE algorithms wanted: 5_000-1-2, flags=strict
000 "peer-50.0.0.1-tunnel-1": IKE algorithms found: 5_192-1_128-2,
000 "peer-50.0.0.1-tunnel-1": IKE algorithm newest:3DES_CBC_192-MD5-MODP1024
000 "peer-50.0.0.1-tunnel-1": ESP algorithms wanted: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithms loaded: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1": ESP algorithm newest: 3DES_0-HMAC_MD5;pfsgroup=
000
000 #2: "peer-50.0.0.1-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SAestablished); EVENT_SA_REPLACE in 526s; newest IPSEC; eroute owner
000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 esp.778ed647@100.0.0.1tun.0@50.0.0.1 tun.0@100.0.0.1
000 #1: "peer-50.0.0.1-tunnel-1":500 STATE_MAIN_I4 (ISAKMP SA established);EVENT_SA_REPLACE in 6418s; newest ISAKMP; nodpd
000


CONNECTIVITY CHECKS:

The Cisco-RouterA and Vyatta routers must be able to reach each other on their WAN address.
Cisco-RouterA WAN address: 50.0.0.1
Vyatta WAN address: 100.0.0.1

Cisco-RouterA#traceroute 100.0.0.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 100.0.0.1 4 msec 0 msec 4 msec
Vyatta>traceroute 50.0.0.1

traceroute to 50.0.0.1 (50.0.0.1), 30 hops max, 40 byte packets
1 100.0.0.2 (100.0.0.2) 1.870 0.872 0.875
2 50.0.0.1 (50.0.0.1) 1.988 * 1.203
   ---------------------------------------------------------------------

If an IPSec router tries to ping or traceroute the other router loopback address, it will receive no answer because the routers loopback addresses are not routed on the WAN.
The traceroute or the ping will not raise the tunnel as their source IP addresses do not match the conditions defined by the IPSec routers.

Cisco-RouterA#ping 10.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
Vyatta>ping 10.250.1.1 -c 4

PING 10.250.1.1 (10.250.1.1) 56(84) bytes of data.
From 100.0.0.1 icmp_seq=2 Destination Host Unreachable
From 100.0.0.1 icmp_seq=3 Destination Host Unreachable
From 100.0.0.1 icmp_seq=4 Destination Host Unreachable

--- 10.250.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms, pipe 3
Cisco-RouterA#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 50.0.0.2 !H !H *
Vyatta>traceroute 10.250.1.1

traceroute to 10.250.1.1 (10.250.1.1), 30 hops max, 40 byte packets
1 100.0.0.1 (100.0.0.1) 3002.304 ms !H 3003.655 ms !H 3003.975 ms !H
   ---------------------------------------------------------------------

To reach each other on their loopback address and thus raise the IPSec tunnel, the Vyatta or Cisco Routers must ping or traceroute from their loopback IP addresses.
By default, the source IP address is the outgoing physical interface IP address.

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: specify the source IP address
-c: Number of packets sent

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
Cisco-RouterA#traceroute

Target IP address: 10.200.1.1
Source address: 10.250.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
MaximumTime to Live [1]:
Port number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 10.200.1.1 4 msec 0 msec 4 msec
Top of the page





If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!