*IPsec VTI configuration example [#ybb82e1e]

**Router1 [#kdd1ac7f]

 R1#show running-config
 Building configuration...
 
 Current configuration : 1333 bytes
 !
 version 12.4
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname R1
 !
 boot-start-marker
 boot-end-marker
 !
 !
 no aaa new-model
 ip cef
 !
 !
 ip auth-proxy max-nodata-conns 3
 ip admission max-nodata-conns 3
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
 crypto isakmp key cisco address 10.1.1.0 255.255.255.0
 !
 !
 crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
 !
 crypto ipsec profile MYPROFILE
  set transform-set VTI-IPSEC
 !
 !
 !
 !
 interface Loopback0
  ip address 172.16.16.1 255.255.255.0
 !
 interface Loopback1
  ip address 192.168.200.1 255.255.255.0
 !
 interface Tunnel0
  ip address 192.168.111.1 255.255.255.0
  tunnel source FastEthernet0
  tunnel destination 10.1.1.2
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile MYPROFILE
 !
 interface Ethernet0
  no ip address
  shutdown
  half-duplex
 !
 interface FastEthernet0
  ip address 10.1.1.1 255.255.255.0
  speed auto
 !
 interface Serial0
  no ip address
  shutdown
 !
 router eigrp 20
  network 172.16.16.0 0.0.0.255
  network 192.168.111.0
  network 192.168.200.0
  no auto-summary
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 control-plane
 !
 !
 line con 0
  password cisco
  logging synchronous
  login
 line aux 0
 line vty 0 4
 !
 end

-The tunnel source of the VTI can also be specified as the IP address of the FastEthernet interface instead of the interface name:

 R1(conf-if)#tunnel source 10.1.1.1

**Router2 [#fc79a468]

 R2#show running-config
 Building configuration...
 
 Current configuration : 1304 bytes
 !
 version 12.4
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname R2
 !
 boot-start-marker
 boot-end-marker
 !
 !
 no aaa new-model
 ip cef
 !
 !
 ip auth-proxy max-nodata-conns 3
 ip admission max-nodata-conns 3
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
 crypto isakmp key cisco address 10.1.1.0 255.255.255.0
 !
 !
 crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
 !
 crypto ipsec profile MYPROFILE
  set transform-set VTI-IPSEC
 !
 !
 !
 !
 interface Loopback0
  ip address 172.16.16.2 255.255.255.0
 !
 interface Loopback1
  ip address 192.168.201.1 255.255.255.0
 !
 interface Tunnel0
  ip address 192.168.111.2 255.255.255.0
  tunnel source FastEthernet0
  tunnel destination 10.1.1.1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile MYPROFILE
 !
 interface Ethernet0
  no ip address
  shutdown
  half-duplex
 !
 interface FastEthernet0
  ip address 10.1.1.2 255.255.255.0
  speed auto
 !
 interface Serial0
  no ip address
  shutdown
  no fair-queue
 !
 router eigrp 20
  network 172.16.16.0 0.0.0.255
  network 192.168.111.0
  network 192.168.201.0
  no auto-summary
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 control-plane
 !
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 end

**Verification with show commands [#ed55cbec]

 R2#show crypto isakmp sa
 dst             src             state          conn-id slot status
 10.1.1.1        10.1.1.2        QM_IDLE              1    0 ACTIVE
 
 R2#
 R2#show crypto ipsec sa
 
 interface: Tunnel0
     Crypto map tag: Tunnel0-head-0, local addr 10.1.1.2
 
    protected vrf: (none)
    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer 10.1.1.1 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
     #pkts decaps: 165, #pkts decrypt: 165, #pkts verify: 165
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0
 
      local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
      current outbound spi: 0x369D5142(916279618)
 
      inbound esp sas:
       spi: 0x540338C6(1409497286)
         transform: esp-3des esp-md5-hmac ,
         in use settings ={Tunnel, }
         conn id: 2001, flow_id: 1, crypto map: Tunnel0-head-0
         sa timing: remaining key lifetime (k/sec): (4580025/2925)
         IV size: 8 bytes
         replay detection support: Y
         Status: ACTIVE
 
      inbound ah sas:
 
      inbound pcp sas:
 
      outbound esp sas:
       spi: 0x369D5142(916279618)
         transform: esp-3des esp-md5-hmac ,
         in use settings ={Tunnel, }
         conn id: 2002, flow_id: 2, crypto map: Tunnel0-head-0
         sa timing: remaining key lifetime (k/sec): (4580026/2924)
         IV size: 8 bytes
         replay detection support: Y
         Status: ACTIVE
 
      outbound ah sas:
 
      outbound pcp sas:
 R2#
 R2#show ip route eigrp 20
 D    192.168.200.0/24 [90/297372416] via 192.168.111.1, 00:10:12, Tunnel0
 R2#show ip eigrp neighbors
 IP-EIGRP neighbors for process 20
 H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                             (sec)         (ms)       Cnt Num
 0   192.168.111.1           Tu0               14 00:12:07   28  5000  0  10
 R2#
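The Router1 and Router2 configurations above negotiate IKEv1 with 3DES, MD5, DH group 2 and a pre-shared key bound to the whole 10.1.1.0/24 range. The following script is an added example, not code from the original page: it parses the `crypto isakmp policy`, `crypto isakmp key` and `crypto ipsec transform-set` lines of an IOS running-config and reports settings that a current deployment should replace. The sample config, the "weak" sets and the suggested replacements are this example's own assumptions, built from the page's R1 configuration.

```python
"""Audit the IKEv1/IPsec settings of an IOS running-config.

Added example, not code from the original page. The sample config below is
constructed from the crypto lines of the page's R1 configuration.
"""
import re

# Constructed from the page's R1 running-config (crypto lines only).
R1_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.0 255.255.255.0
!
crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set VTI-IPSEC
"""

# Values this example treats as inadequate (an assumption of the example,
# based on current general guidance) and what to move toward instead.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
STRONGER = {"encr": "aes 256", "hash": "sha256", "group": "group 14 or higher"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} for each `crypto isakmp policy` block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any non-indented line ends the policy block
    return policies


def audit_config(config):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    for pid, p in parse_isakmp_policies(config).items():
        # IOS defaults when a keyword is absent: encr des, hash sha, group 1.
        chosen = {"encr": p.get("encr", "des"),
                  "hash": p.get("hash", "sha"),
                  "group": p.get("group", "1")}
        for key, value in chosen.items():
            if value in WEAK_ISAKMP[key]:
                findings.append(f"isakmp policy {pid}: {key} {value} is weak, use {STRONGER[key]}")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        for t in m.group(2).split():
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {m.group(1)}: {t} is weak, "
                                "use esp-aes 256 / esp-sha256-hmac")
    # A key bound to a subnet mask is accepted from any address in that range,
    # not just from the one intended peer.
    for m in re.finditer(r"crypto isakmp key \S+ address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", config):
        mask = m.group(2) or "255.255.255.255"
        if mask != "255.255.255.255":
            findings.append(f"pre-shared key for {m.group(1)} {mask} covers a whole range, "
                            "not a single peer")
    return findings
```

Run against the constructed R1 snippet, `audit_config` reports six findings: the 3DES cipher, MD5 hash and DH group 2 of ISAKMP policy 10, the two weak transforms in VTI-IPSEC, and the /24-scoped pre-shared key. A policy using `encr aes 256`, `hash sha256`, `group 14`, `esp-aes 256 esp-sha256-hmac` and a key bound to a single peer address produces no findings.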
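The show command section above is what an operator reads by hand to confirm the VTI is up: the IKE SA in `QM_IDLE`/`ACTIVE`, both ESP SAs `ACTIVE` with replay detection, and encaps/decaps counters that are non-zero with no send/receive errors. The following script is an added example, not code from the original page, that turns that manual reading into a check suitable for a monitoring job. The sample outputs are abridged and constructed from the page's R2 output; the function names and the set of checks are this example's own assumptions.

```python
"""Health-check an IOS IPsec VTI from `show crypto isakmp sa` and `show crypto ipsec sa`.

Added example, not code from the original page. The sample outputs below are
constructed (abridged) from the page's R2 show command output.
"""
import re

# Constructed from the page's R2 `show crypto isakmp sa` output.
R2_ISAKMP_SA = """\
dst             src             state          conn-id slot status
10.1.1.1        10.1.1.2        QM_IDLE              1    0 ACTIVE
"""

# Constructed from the page's R2 `show crypto ipsec sa` output (abridged).
R2_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.1.2
   current_peer 10.1.1.1 port 500
    #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify: 165
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x540338C6(1409497286)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x369D5142(916279618)
        replay detection support: Y
        Status: ACTIVE
"""


def parse_isakmp_sa(output, peer):
    """Return (state, status) of the IKE SA whose dst or src is `peer`, else None."""
    for line in output.splitlines():
        cols = line.split()
        # Data rows: dst src state conn-id slot status (header row has no address).
        if len(cols) >= 6 and peer in cols[:2]:
            return cols[2], cols[-1]
    return None


def parse_ipsec_sa(output):
    """Extract peer, packet/error counters, and per-direction ESP SA state."""
    info = {"status": {}, "replay": {}}
    m = re.search(r"current_peer (\S+)", output)
    info["peer"] = m.group(1) if m else None
    for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", output):
        info[name] = int(value)
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", output)
    info["send_errors"], info["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    direction = None
    for line in (raw.strip() for raw in output.splitlines()):
        m = re.match(r"(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)  # "ah sas:" / "pcp sas:" headers carry no Status line
        elif direction and line.startswith("Status:"):
            info["status"][direction] = line.split(":", 1)[1].strip()
        elif direction and line.startswith("replay detection support:"):
            info["replay"][direction] = line.endswith("Y")
    return info


def check_vti_health(isakmp_output, ipsec_output):
    """Return a list of problems; an empty list means the VTI looks healthy."""
    info = parse_ipsec_sa(ipsec_output)
    problems = []
    # Phase 1: the IKE SA with the peer must be in QM_IDLE and ACTIVE.
    if parse_isakmp_sa(isakmp_output, info["peer"]) != ("QM_IDLE", "ACTIVE"):
        problems.append(f"IKE SA with {info['peer']} is not QM_IDLE/ACTIVE")
    # Phase 2: both ESP SAs active, replay protection on, traffic flowing, no errors.
    for d in ("inbound", "outbound"):
        if info["status"].get(d) != "ACTIVE":
            problems.append(f"{d} ESP SA is not ACTIVE")
        if not info["replay"].get(d):
            problems.append(f"{d} ESP SA lacks replay detection")
    if not info.get("encaps") or not info.get("decaps"):
        problems.append("no packets encapsulated or decapsulated: traffic is not using the tunnel")
    if info["send_errors"] or info["recv_errors"]:
        problems.append(f"send/recv errors: {info['send_errors']}/{info['recv_errors']}")
    return problems
```

With the constructed R2 outputs `check_vti_health` returns an empty list. Feeding it output where the IKE state is not `QM_IDLE`, where one ESP SA is missing, or where a packet counter is zero, produces a corresponding problem string, which is the signal a monitoring job would alert on.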