Task #25550

Updated by Fabrice Barconnière more than 5 years ago

The output of @ipsec statusall@ may not contain any passthrough connection. This case must be handled.
* With:
<pre>
[...]
Connections:
passthrough-10.1.1.0/24-10.1.15.0/24: %any...%any IKEv1/2, dpddelay=120s
passthrough-10.1.1.0/24-10.1.15.0/24: local: uses public key authentication
passthrough-10.1.1.0/24-10.1.15.0/24: remote: uses public key authentication
passthrough-10.1.1.0/24-10.1.15.0/24: child: 10.1.1.0/24 === 10.1.15.0/24 PASS, dpdaction=restart
passthrough-10.1.1.0/24-10.1.16.0/24: child: 10.1.1.0/24 === 10.1.16.0/24 PASS, dpdaction=restart
passthrough-10.1.1.0/24-10.1.2.0/24: child: 10.1.1.0/24 === 10.1.2.0/24 PASS, dpdaction=restart
passthrough-10.1.1.0/24-10.1.21.0/24: child: 10.1.1.0/24 === 10.1.21.0/24 PASS, dpdaction=restart
passthrough-10.1.1.0/24-10.1.22.0/24: child: 10.1.1.0/24 === 10.1.22.0/24 PASS, dpdaction=restart
passthrough-10.1.1.0/24-10.1.3.0/24: child: 10.1.1.0/24 === 10.1.3.0/24 PASS, dpdaction=restart
[...]
etb1.amon-default-2.7.0-aca.eolebase-default-2.7.0_1-RW1-T1: 192.168.0.31...%any IKEv1/2, dpddelay=120s
etb1.amon-default-2.7.0-aca.eolebase-default-2.7.0_1-RW1-T1: local: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon.ac-test.fr] uses public key authentication
etb1.amon-default-2.7.0-aca.eolebase-default-2.7.0_1-RW1-T1: cert: "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon.ac-test.fr"
etb1.amon-default-2.7.0-aca.eolebase-default-2.7.0_1-RW1-T1: remote: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=aca.eolebase.ac-test.fr] uses public key authentication
etb1.amon-default-2.7.0-aca.eolebase-default-2.7.0_1-RW1-T1: child: 10.1.1.0/24 === dynamic TUNNEL, dpdaction=restart
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4: 192.168.0.31...192.168.0.11 IKEv1/2, dpddelay=120s
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4: local: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon.ac-test.fr] uses public key authentication
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4: cert: "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon.ac-test.fr"
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4: remote: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx] uses public key authentication
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4: child: 10.1.15.0/24 10.1.16.0/24 === 10.0.0.0/8 TUNNEL, dpdaction=restart
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T2: child: 10.1.3.0/24 === 172.30.101.0/24 TUNNEL, dpdaction=restart
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T1: child: 10.1.1.0/24 === 172.30.101.0/24 TUNNEL, dpdaction=restart
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T3: child: 10.1.1.0/24 === 10.0.0.0/8 TUNNEL, dpdaction=restart
[...]
Shunted Connections:
passthrough-10.1.1.0/24-10.1.15.0/24: 10.1.1.0/24 === 10.1.15.0/24 PASS
passthrough-10.1.1.0/24-10.1.16.0/24: 10.1.1.0/24 === 10.1.16.0/24 PASS
passthrough-10.1.1.0/24-10.1.2.0/24: 10.1.1.0/24 === 10.1.2.0/24 PASS
passthrough-10.1.1.0/24-10.1.21.0/24: 10.1.1.0/24 === 10.1.21.0/24 PASS
passthrough-10.1.1.0/24-10.1.22.0/24: 10.1.1.0/24 === 10.1.22.0/24 PASS
passthrough-10.1.1.0/24-10.1.3.0/24: 10.1.1.0/24 === 10.1.3.0/24 PASS
passthrough-10.1.1.0/24-10.1.17.0/24: 10.1.1.0/24 === 10.1.17.0/24 PASS
[...]
Security Associations (1 up, 0 connecting):
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4[1]: ESTABLISHED 13 seconds ago, 192.168.0.31[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon.ac-test.fr]...192.168.0.11[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx]
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4[1]: IKEv2 SPIs: df488ae94af7ad3e_i* 67e08dea39f282ce_r, public key reauthentication in 2 hours
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cfef0a24_i c08f7b7a_o
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4{1}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T4{1}: 10.1.15.0/24 10.1.16.0/24 === 10.0.0.0/8
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T2{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c5f532ce_i c4c8a197_o
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T2{2}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-AS-T2{2}: 10.1.3.0/24 === 172.30.101.0/24
</pre>

* Without:
<pre>
[...]
Connections:
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates: 192.168.0.31...192.168.0.11 IKEv1/2, dpddelay=120s
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates: local: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon-default-2.7.0.ac-test.fr] uses public key authentication
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates: cert: "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon-default-2.7.0.ac-test.fr"
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates: remote: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx] uses public key authentication
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates: child: 10.1.1.0/24 === 172.30.101.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates[7]: ESTABLISHED 78 minutes ago, 192.168.0.31[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=etb1.amon-default-2.7.0.ac-test.fr]...192.168.0.11[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx]
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates[7]: IKEv2 SPIs: 9ff63a684d680a9f_i* c8c9237a997f5351_r, public key reauthentication in 76 minutes
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates{26}: INSTALLED, TUNNEL, reqid 7, ESP SPIs: c50c5252_i c2a7e9fb_o
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates{26}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
etb1.amon-default-2.7.0-aca.sphynx-default-2.7.0_1-admin-agriates{26}: 10.1.1.0/24 === 172.30.101.0/24
</pre>
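
An added example, not code from the EOLE project: one way to parse both outputs above so that a missing "Shunted Connections" section yields an empty list instead of an error, which also gives a quick inventory of the traffic selectors that bypass IPsec. The function names and the shortened connection names (@conn-T4@, @conn-admin@) are assumptions made for this sketch.

```python
import re

# Constructed samples, abridged from the two outputs quoted above
# (connection names shortened to conn-T4 / conn-admin for readability).
WITH_SHUNTS = """\
Connections:
passthrough-10.1.1.0/24-10.1.15.0/24: child: 10.1.1.0/24 === 10.1.15.0/24 PASS, dpdaction=restart
conn-T4: child: 10.1.15.0/24 10.1.16.0/24 === 10.0.0.0/8 TUNNEL, dpdaction=restart
Shunted Connections:
passthrough-10.1.1.0/24-10.1.15.0/24: 10.1.1.0/24 === 10.1.15.0/24 PASS
passthrough-10.1.1.0/24-10.1.16.0/24: 10.1.1.0/24 === 10.1.16.0/24 PASS
Security Associations (1 up, 0 connecting):
conn-T4{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cfef0a24_i c08f7b7a_o
conn-T4{1}: 10.1.15.0/24 10.1.16.0/24 === 10.0.0.0/8
"""
WITHOUT_SHUNTS = """\
Connections:
conn-admin: child: 10.1.1.0/24 === 172.30.101.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
conn-admin{26}: INSTALLED, TUNNEL, reqid 7, ESP SPIs: c50c5252_i c2a7e9fb_o
conn-admin{26}: 10.1.1.0/24 === 172.30.101.0/24
"""

# Only the three section headers visible in the ticket's output are recognised.
SECTION = re.compile(r"^(Connections|Shunted Connections|Security Associations)\b[^:]*:$")
SHUNT = re.compile(r"^(?P<name>\S+):\s+(?P<local>.+?) === (?P<remote>.+?) (?P<mode>[A-Z]+)$")

def split_sections(text):
    """Group the output lines by section header; absent sections yield no key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line and line != "[...]":
            current.append(line)
    return sections

def shunted_connections(text):
    """Return (name, local_ts, remote_ts, mode) per shunt, or [] if there are none."""
    lines = split_sections(text).get("Shunted Connections", [])
    return [m.group("name", "local", "remote", "mode")
            for m in map(SHUNT.match, lines) if m]

if __name__ == "__main__":
    for label, sample in (("with", WITH_SHUNTS), ("without", WITHOUT_SHUNTS)):
        print(label, shunted_connections(sample))
```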
