[[CISCO入門]]
#setlinebreak(on)
Back to [[Moroha's Wiki]] &br;
Version: &Version; &br;
Last updated: &lastmod(); &br;
*GRE tunnel configuration [#pcbbe08b]
**R1 [#w6512b5e]
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#tunnel source 1.1.1.1
Router(config-if)#tunnel destination 1.1.1.2
Router(config-if)#!
Router(config)#interface loopback 0
Router(config-if)#ip address 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config)#router ospf 1
Router(config-router)#network 10.1.1.0 0.0.0.255 area 0
Router(config-router)#network 10.0.0.0 0.0.0.255 area 0
Router(config)#interface FastEthernet1
Router(config-if)# ip address 1.1.1.1 255.255.255.0
**R2 [#o56df9f4]
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.0.0.2 255.255.255.0
Router(config-if)#tunnel source 1.1.1.2
Router(config-if)#tunnel destination 1.1.1.1
Router(config-if)#!
Router(config-if)#router ospf 1
Router(config-router)#network 10.2.2.0 0.0.0.255 area 0
Router(config-router)#network 10.0.0.0 0.0.0.255 area 0
Router(config)#interface fastEthernet 1
Router(config-if)#ip address 1.1.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config)#interface loopback 0
Router(config-if)#ip address 10.2.2.254 255.255.255.0
Router(config-if)#no shutdown
*GRE tunnel + IPsec [#db570b8d]
**R1
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 300
R1(config)#crypto isakmp key ROUTE-GRE-IPSec address 1.1.1.2
R1(config)#crypto ipsec transform-set TEST-1 esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(config)#crypto map MAP-1 10 ipsec-isakmp
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set TEST-1
R1(config-crypto-map)#match address 100
R1(config)#interface loopback 1
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#ip virtual-reassembly
R1(config-if)#exit
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#tunnel source loopback 1
R1(config-if)#tunnel destination 10.20.20.2
R1(config)#interface fastEthernet 1
R1(config-if)#ip access-group 101 in
R1(config-if)#ip nat outside
R1(config-if)#crypto map MAP-1
!
R1(config)#interface Loopback0 (LAN-side port, used in place of FE0)
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# ip nat inside
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.10 (fictitious next hop?)
R1(config)#ip nat inside source list 102 interface fastEthernet 1 overload
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#access-list 100 permit gre host 10.10.10.1 host 10.20.20.2
R1(config)#access-list 101 permit esp host 1.1.1.2 host 1.1.1.1
R1(config)#access-list 101 permit udp host 1.1.1.2 host 1.1.1.1 eq isakmp
R1(config)#access-list 101 permit tcp any any eq www
R1(config)#access-list 101 permit tcp any any eq ftp
R1(config)#access-list 101 permit tcp any any eq ftp-data
R1(config)#access-list 101 permit icmp any any
R1(config)#access-list 102 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 any
**R2 [#m3d8029c]
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 300
R2(config-isakmp)#!
R2(config)#crypto isakmp key ROUTE-GRE-IPSec address 1.1.1.1
R2(config)#crypto ipsec transform-set TEST-1 esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#!
R2(config)#crypto map MAP-1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 1.1.1.1
R2(config-crypto-map)#set transform-set TEST-1
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#!
R2(config)#interface loopback 2
R2(config-if)#ip address 10.20.20.2 255.255.255.0
R2(config-if)#ip nat inside
R2(config-if)#ip virtual-reassembly
R2(config-if)#exit
R2(config)#interface tunnel 0
R2(config-if)#ip address 10.0.0.2 255.255.255.0
R2(config-if)#tunnel source loopback 2
R2(config-if)#tunnel destination 10.10.10.1
R2(config-if)#!
R2(config)#interface fastEthernet 1
R2(config-if)#ip access-group 101 in
R2(config-if)#ip nat outside
R2(config-if)#crypto map MAP-1
R2(config)#interface Loopback0 (LAN-side port, used in place of FE0)
R2(config-if)#ip address 10.2.2.2 255.255.255.0
R2(config-if)#ip nat inside
R2(config-if)#router eigrp 1
R2(config-router)#network 10.0.0.0 0.0.0.255
R2(config-router)#network 10.2.2.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.10 (to make it go out via 1.1.1.2?)
R2(config)#ip nat inside source list 102 interface fastEthernet 1 overload
R2(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#access-list 100 permit gre host 10.20.20.2 host 10.10.10.1
R2(config)#access-list 101 permit esp host 1.1.1.1 host 1.1.1.2
R2(config)#access-list 101 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp
R2(config)#access-list 101 permit tcp any any eq www
R2(config)#access-list 101 permit tcp any any eq ftp
R2(config)#access-list 101 permit tcp any any eq ftp-data
R2(config)#access-list 101 permit icmp any any
R2(config)#access-list 102 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#access-list 102 permit ip 10.2.2.0 0.0.0.255 any
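Two things on the R1/R2 pair above are easy to get wrong and hard to see from a single router: the crypto ACL (access-list 100, referenced by `match address 100`) has to be the exact mirror image of the peer's, or IKE will reject the proxy IDs, and the NAT-exemption ACL (access-list 102) has to list its `deny` before the `permit ... any`, because IOS evaluates ACLs first-match and a `deny` placed after a covering `permit` can never match. The script below is an added example, not code from the original page: it takes the two routers' access-lists as text (the page's own lines, embedded as a constructed sample; R1's list 102 is deliberately entered permit-before-deny to show what the shadow check reports) and runs both checks. Lifetimes, 3DES and DH group 2 in the ISAKMP policy are legacy choices kept as the lab configured them; the checks below do not look at them.

```python
"""Consistency checks for a GRE-over-IPsec router pair.

Added example (not code from the original wiki page). It parses the numbered
access-lists from two IOS-style config transcripts and checks two things:
  1. the crypto ACL (100) on each peer is the mirror image of the other peer's;
  2. no entry in the NAT-exemption ACL (102) is shadowed by an earlier entry,
     since IOS ACLs are evaluated first-match.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Addr = Tuple[str, str]  # (address, Cisco wildcard mask)

# Constructed sample input: the R1/R2 access-lists of this page, with R1's
# list 102 entered permit-before-deny to show what the shadow check reports.
R1_CONFIG = """
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#access-list 100 permit gre host 10.10.10.1 host 10.20.20.2
R1(config)#access-list 101 permit udp host 1.1.1.2 host 1.1.1.1 eq isakmp
R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 any
R1(config)#access-list 102 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
R2_CONFIG = """
R2(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#access-list 100 permit gre host 10.20.20.2 host 10.10.10.1
R2(config)#access-list 102 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#access-list 102 permit ip 10.2.2.0 0.0.0.255 any
"""

ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec ('host A', 'any', or 'A WILDCARD'); return it and the next index."""
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(config: str) -> Dict[str, List[dict]]:
    """Map ACL number -> ordered list of entries {action, proto, src, dst, port}."""
    acls: Dict[str, List[dict]] = {}
    for line in config.splitlines():
        m = ACE_RE.search(line.strip())
        if not m:
            continue  # prompts, '!' and non-ACL commands are skipped
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _addr(tokens, 0)
        dst, i = _addr(tokens, i)
        port = " ".join(tokens[i:])  # e.g. 'eq isakmp'; empty when absent
        acls.setdefault(acl, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return acls


def _net(spec: Addr) -> ipaddress.IPv4Network:
    """Turn (address, wildcard) into a network; wildcard bits are host bits."""
    wild = int(ipaddress.IPv4Address(spec[1]))
    prefixlen = 32 - bin(wild).count("1")  # assumes a contiguous wildcard
    return ipaddress.IPv4Network((spec[0], prefixlen), strict=False)


def mirror_mismatches(local: List[dict], remote: List[dict]) -> List[str]:
    """Every permit entry of the local crypto ACL must exist on the remote peer with src/dst swapped."""
    remote_permits = {(e["proto"], e["src"], e["dst"]) for e in remote if e["action"] == "permit"}
    return [
        f"{e['proto']} {e['src'][0]} -> {e['dst'][0]} has no mirror entry on the remote peer"
        for e in local
        if e["action"] == "permit" and (e["proto"], e["dst"], e["src"]) not in remote_permits
    ]


def shadowed_entries(acl: List[dict]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already covers them."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            proto_ok = earlier["proto"] in ("ip", later["proto"])
            port_ok = earlier["port"] in ("", later["port"])
            if (proto_ok and port_ok
                    and _net(later["src"]).subnet_of(_net(earlier["src"]))
                    and _net(later["dst"]).subnet_of(_net(earlier["dst"]))):
                shadowed.append(j)
                break
    return shadowed


def run_checks(r1_config: str = R1_CONFIG, r2_config: str = R2_CONFIG) -> dict:
    """Run both checks for the pair and return the findings (empty lists mean OK)."""
    r1, r2 = parse_acls(r1_config), parse_acls(r2_config)
    return {
        "crypto_acl_r1_to_r2": mirror_mismatches(r1["100"], r2["100"]),
        "crypto_acl_r2_to_r1": mirror_mismatches(r2["100"], r1["100"]),
        "nat_exempt_shadowed_r1": shadowed_entries(r1["102"]),
        "nat_exempt_shadowed_r2": shadowed_entries(r2["102"]),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding or 'OK'}")
```

With the sample above the crypto ACLs mirror cleanly, while R1's list 102 reports entry 1 (the `deny`) as shadowed; moving the `deny` above the `permit`, as R2 has it, clears the finding.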
**Verification [#vc87a77f]
R2#show crypto map
Crypto Map IPv4 "MAP-1" 10 ipsec-isakmp
Peer = 1.1.1.1
Extended IP access list 100
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit gre host 10.20.20.2 host 10.10.10.1
Current peer: 1.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TEST-1: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map MAP-1:
FastEthernet1
R2#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet1
Session status: UP-NO-IKE
Peer: 1.1.1.1 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.1.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit 47 host 10.20.20.2 host 10.10.10.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 123 drop 0 life (KB/Sec) 4603548/3103
Outbound: #pkts enc'ed 122 drop 1 life (KB/Sec) 4603548/3103
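Reading the output above: the `permit ip 10.2.2.0 ... 10.1.1.0` flow has no SA because LAN-to-LAN packets are already GRE-encapsulated by Tunnel0 before the crypto map on FastEthernet1 sees them, so only the GRE (protocol 47) entry ever matches; and `UP-NO-IKE` means the IPsec SAs are up while the IKE SA is gone, which is consistent with the 300-second IKE lifetime configured above against the 3600-second IPsec SA lifetime shown by `show crypto map`. The script below is an added example, not part of the original page: it parses this `show crypto session detail` output (embedded as a constructed sample string) and lists the points an operator should look at, namely a session state other than UP-ACTIVE, flows without SAs, and non-zero drop counters.

```python
"""Parse 'show crypto session detail' and flag what an operator should look at.

Added example (not from the original wiki page). The sample text is the R2
output shown on this page, embedded here as a constructed string.
"""
import re
from typing import List

SAMPLE = """\
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet1
Session status: UP-NO-IKE
Peer: 1.1.1.1 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.1.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit 47 host 10.20.20.2 host 10.10.10.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 123 drop 0 life (KB/Sec) 4603548/3103
Outbound: #pkts enc'ed 122 drop 1 life (KB/Sec) 4603548/3103
"""

# One per-direction counter line: packets, drops and remaining lifetime (KB/seconds).
COUNTER_RE = re.compile(
    r"^(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed\s+(\d+)\s+drop\s+(\d+)\s+life \(KB/Sec\)\s+(\d+)/(\d+)")


def parse_crypto_session(text: str) -> dict:
    """Return {interface, status, peer, flows:[{selector, active_sas, inbound, outbound}]}."""
    session = {"interface": None, "status": None, "peer": None, "flows": []}
    flow = None  # the IPSEC FLOW block currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            session["interface"] = line.split(None, 1)[1]
        elif line.startswith("Session status:"):
            session["status"] = line.split(None, 2)[2]
        elif line.startswith("Peer:"):
            session["peer"] = line.split()[1]
        elif line.startswith("IPSEC FLOW:"):
            flow = {"selector": line.split(None, 2)[2], "active_sas": 0,
                    "inbound": None, "outbound": None}
            session["flows"].append(flow)
        elif line.startswith("Active SAs:") and flow is not None:
            flow["active_sas"] = int(re.search(r"\d+", line).group())
        else:
            m = COUNTER_RE.match(line)
            if m and flow is not None:
                direction, pkts, drop, kb, sec = m.groups()
                flow[direction.lower()] = {"pkts": int(pkts), "drop": int(drop),
                                           "life_kb": int(kb), "life_sec": int(sec)}
    return session


def assess(session: dict) -> List[str]:
    """Findings worth a look; an empty list means every flow has SAs, no drops, and IKE is up."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session to {session['peer']} is {session['status']}, not UP-ACTIVE")
    for f in session["flows"]:
        if f["active_sas"] == 0:
            findings.append(f"no active SA for '{f['selector']}' (no traffic has matched it)")
        else:
            drops = sum(f[d]["drop"] for d in ("inbound", "outbound") if f[d])
            if drops:
                findings.append(f"{drops} dropped packet(s) on '{f['selector']}'")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_crypto_session(SAMPLE)):
        print(finding)
```

Run against the sample it reports three items: the UP-NO-IKE state, the plain-IP flow with no SA, and the single outbound drop on the GRE flow. The first two are expected in this topology; the drop counter is the one to keep watching.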
R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.1 Tu0 11 00:07:03 4 1434 0 3
R2#show ip route
Gateway of last resort is 1.1.1.10 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 1.1.1.10
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, FastEthernet1
L 1.1.1.2/32 is directly connected, FastEthernet1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
D 10.1.1.0/24 [90/27008000] via 10.0.0.1, 00:07:18, Tunnel0
C 10.2.2.0/24 is directly connected, Loopback0
L 10.2.2.2/32 is directly connected, Loopback0
C 10.20.20.0/24 is directly connected, Loopback2
L 10.20.20.2/32 is directly connected, Loopback2
R2#traceroute 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.1 0 msec * 0 msec
R2#