Introduction to Cisco

IPsec VTI configuration example

Router1

   R1#show running-config
   Building configuration...
   Current configuration : 1333 bytes
   !
   version 12.4
   service timestamps debug datetime msec
   service timestamps log datetime msec
   no service password-encryption
   !
   hostname R1
   !
   boot-start-marker
   boot-end-marker
   !
   !
   no aaa new-model
   ip cef
   !
   !
   ip auth-proxy max-nodata-conns 3
   ip admission max-nodata-conns 3
   !
   !
   !
   !
   !
   !
   !
   !
   !
   !
   crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
   crypto isakmp key cisco address 10.1.1.0 255.255.255.0
   !
   !
   crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
   !
   crypto ipsec profile MYPROFILE
    set transform-set VTI-IPSEC
   !
   !
   !
   !
   interface Loopback0
    ip address 172.16.16.1 255.255.255.0
   !
   interface Loopback1
    ip address 192.168.200.1 255.255.255.0
   !
   interface Tunnel0
    ip address 192.168.111.1 255.255.255.0
    tunnel source FastEthernet0
    tunnel destination 10.1.1.2
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile MYPROFILE
   !
   interface Ethernet0
    no ip address
    shutdown
    half-duplex
   !
   interface FastEthernet0
    ip address 10.1.1.1 255.255.255.0
    speed auto
   !
   interface Serial0
    no ip address
    shutdown
   !
   router eigrp 20
    network 172.16.16.0 0.0.0.255
    network 192.168.111.0
    network 192.168.200.0
    no auto-summary
   !
   ip forward-protocol nd
   !
   no ip http server
   no ip http secure-server
   !
   !
   control-plane
   !
   !
   line con 0
    password cisco
    logging synchronous
    login
   line aux 0
   line vty 0 4
   !
   end

Router2

   R2#show running-config
   Building configuration...
   Current configuration : 1304 bytes
   !
   version 12.4
   service timestamps debug datetime msec
   service timestamps log datetime msec
   no service password-encryption
   !
   hostname R2
   !
   boot-start-marker
   boot-end-marker
   !
   !
   no aaa new-model
   ip cef
   !
   !
   ip auth-proxy max-nodata-conns 3
   ip admission max-nodata-conns 3
   !
   !
   !
   !
   !
   !
   !
   !
   !
   !
   crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
   crypto isakmp key cisco address 10.1.1.0 255.255.255.0
   !
   !
   crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
   !
   crypto ipsec profile MYPROFILE
    set transform-set VTI-IPSEC
   !
   !
   !
   !
   interface Loopback0
    ip address 172.16.16.2 255.255.255.0
   !
   interface Loopback1
    ip address 192.168.201.1 255.255.255.0
   !
   interface Tunnel0
    ip address 192.168.111.2 255.255.255.0
    tunnel source FastEthernet0
    tunnel destination 10.1.1.1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile MYPROFILE
   !
   interface Ethernet0
    no ip address
    shutdown
    half-duplex
   !
   interface FastEthernet0
    ip address 10.1.1.2 255.255.255.0
    speed auto
   !
   interface Serial0
    no ip address
    shutdown
    no fair-queue
   !
   router eigrp 20
    network 172.16.16.0 0.0.0.255
    network 192.168.111.0
    network 192.168.201.0
    no auto-summary
   !
   ip forward-protocol nd
   !
   no ip http server
   no ip http secure-server
   !
   !
   control-plane
   !
   !
   line con 0
   line aux 0
   line vty 0 4
   !
   end
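
Before committing a VTI pair like this, a defender wants to know that both ends agree on the phase 1 and phase 2 parameters, that each router's tunnel destination is the peer's tunnel source address, and which of the chosen algorithms are deprecated. The script below is an added example, not code from the page or from Cisco. It parses a condensed, constructed copy of the R1/R2 configs above (only the commands that appear on this page are understood, and the tunnel interface name `Tunnel0` is assumed) and reports hard errors separately from weak-crypto warnings. On this page's configs it finds no errors but flags 3DES, MD5, DH group 2 and the five-character pre-shared key `cisco` on both routers.

```python
"""Cross-check two Cisco IOS configs that form an IPsec VTI tunnel.

Added example, not from the page or from Cisco. The configs are constructed,
condensed copies of the R1/R2 running-configs shown above (tunnel-relevant lines only).
"""

# One template for both routers; only the hostname and addresses differ.
CONFIG_TEMPLATE = """\
hostname {host}
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.0 255.255.255.0
crypto ipsec transform-set VTI-IPSEC esp-3des esp-md5-hmac
crypto ipsec profile MYPROFILE
 set transform-set VTI-IPSEC
interface Tunnel0
 ip address 192.168.111.{n} 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination {peer}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
interface FastEthernet0
 ip address {local} 255.255.255.0
"""
R1_CONFIG = CONFIG_TEMPLATE.format(host="R1", n=1, peer="10.1.1.2", local="10.1.1.1")
R2_CONFIG = CONFIG_TEMPLATE.format(host="R2", n=2, peer="10.1.1.1", local="10.1.1.2")

# Algorithm choices on the page that are deprecated for new deployments.
WEAK_ISAKMP = {("encr", "3des"): "IKE encryption 3DES", ("hash", "md5"): "IKE hash MD5",
               ("group", "2"): "DH group 2 (1024-bit)"}
WEAK_ESP = {"esp-3des": "ESP 3DES", "esp-md5-hmac": "ESP HMAC-MD5"}


def parse_config(text):
    """Extract the tunnel-relevant parts of an IOS running-config into a dict."""
    cfg = {"hostname": None, "isakmp": {}, "psk": None, "transform": None,
           "profile": None, "profile_ts": None, "interfaces": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):              # top-level command: starts a new section
            section = None
            if words[0] == "hostname":
                cfg["hostname"] = words[1]
            elif raw.startswith("crypto isakmp policy"):
                section = "isakmp"
            elif raw.startswith("crypto isakmp key"):
                cfg["psk"] = {"key": words[3], "address": words[5]}
            elif raw.startswith("crypto ipsec transform-set"):
                cfg["transform"] = {"name": words[3], "algos": words[4:]}
            elif raw.startswith("crypto ipsec profile"):
                cfg["profile"], section = words[3], "profile"
            elif words[0] == "interface":
                section = words[1]
                cfg["interfaces"][section] = {}
        elif section == "isakmp":
            cfg["isakmp"][words[0]] = " ".join(words[1:])
        elif section == "profile" and words[:2] == ["set", "transform-set"]:
            cfg["profile_ts"] = words[2]
        elif section in cfg["interfaces"]:
            if words[:2] == ["ip", "address"]:
                cfg["interfaces"][section]["ip"] = words[2]
            elif words[0] == "tunnel":           # source / destination / mode / protection
                cfg["interfaces"][section][words[1]] = " ".join(words[2:])
    return cfg


def check_vti_pair(a, b, tunnel="Tunnel0"):
    """Return (errors, warnings): errors break the tunnel, warnings flag weak crypto."""
    errors, warnings = [], []
    pair = f"{a['hostname']}/{b['hostname']}"
    if a["isakmp"] != b["isakmp"]:
        errors.append(f"{pair}: ISAKMP policy mismatch")
    if a["transform"]["algos"] != b["transform"]["algos"]:
        errors.append(f"{pair}: transform-set mismatch")
    for cfg in (a, b):
        h, t = cfg["hostname"], cfg["interfaces"].get(tunnel, {})
        if cfg["profile_ts"] != cfg["transform"]["name"]:
            errors.append(f"{h}: profile references undefined transform-set {cfg['profile_ts']}")
        if t.get("mode") != "ipsec ipv4":
            errors.append(f"{h}: {tunnel} is not in 'tunnel mode ipsec ipv4'")
        if t.get("protection") != f"ipsec profile {cfg['profile']}":
            errors.append(f"{h}: {tunnel} is not protected by profile {cfg['profile']}")
        warnings += [f"{h}: {WEAK_ISAKMP[i]}" for i in cfg["isakmp"].items() if i in WEAK_ISAKMP]
        warnings += [f"{h}: {WEAK_ESP[x]}" for x in cfg["transform"]["algos"] if x in WEAK_ESP]
        if cfg["psk"] and len(cfg["psk"]["key"]) < 16:
            warnings.append(f"{h}: pre-shared key is only {len(cfg['psk']['key'])} characters")
    # Each side's tunnel destination must be the other side's tunnel source address.
    for local, remote in ((a, b), (b, a)):
        src_if = local["interfaces"].get(tunnel, {}).get("source")
        src_ip = local["interfaces"].get(src_if, {}).get("ip")
        dst = remote["interfaces"].get(tunnel, {}).get("destination")
        if dst != src_ip:
            errors.append(f"{remote['hostname']}: tunnel destination {dst} != {local['hostname']} source {src_ip}")
    return errors, warnings
```

Call `check_vti_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG))` to audit the pair; pasting in real `show running-config` text works as long as the same commands are used. A mismatch in either the ISAKMP policy or the transform set, or a tunnel destination that does not equal the peer's source address, is reported as an error because phase 1 or phase 2 will simply never come up.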

Verification with show commands

   R2#show crypto isakmp sa
   dst             src             state          conn-id slot status
   10.1.1.1        10.1.1.2        QM_IDLE              1    0 ACTIVE
   R2#
   R2#show crypto ipsec sa
   interface: Tunnel0
       Crypto map tag: Tunnel0-head-0, local addr 10.1.1.2
      protected vrf: (none)
      local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer 10.1.1.1 port 500
        PERMIT, flags={origin_is_acl,}
       #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
       #pkts decaps: 165, #pkts decrypt: 165, #pkts verify: 165
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts compr. failed: 0
       #pkts not decompressed: 0, #pkts decompress failed: 0
       #send errors 0, #recv errors 0
        local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
        path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
        current outbound spi: 0x369D5142(916279618)
        inbound esp sas:
         spi: 0x540338C6(1409497286)
           transform: esp-3des esp-md5-hmac ,
           in use settings ={Tunnel, }
           conn id: 2001, flow_id: 1, crypto map: Tunnel0-head-0
           sa timing: remaining key lifetime (k/sec): (4580025/2925)
           IV size: 8 bytes
           replay detection support: Y
           Status: ACTIVE
        inbound ah sas:
        inbound pcp sas:
        outbound esp sas:
         spi: 0x369D5142(916279618)
           transform: esp-3des esp-md5-hmac ,
           in use settings ={Tunnel, }
           conn id: 2002, flow_id: 2, crypto map: Tunnel0-head-0
           sa timing: remaining key lifetime (k/sec): (4580026/2924)
           IV size: 8 bytes
           replay detection support: Y
           Status: ACTIVE
        outbound ah sas:
        outbound pcp sas:
   R2#
   R2#show ip route eigrp 20
   D    192.168.200.0/24 [90/297372416] via 192.168.111.1, 00:10:12, Tunnel0
   R2#show ip eigrp neighbors
   IP-EIGRP neighbors for process 20
   H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                               (sec)         (ms)       Cnt Num
   0   192.168.111.1           Tu0               14 00:12:07   28  5000  0  10
   R2#
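
Reading the output above by eye works once; for ongoing monitoring a practitioner wants a pass/fail signal. The following is an added example, not code from the page or from Cisco: it parses the IKEv1 `show crypto isakmp sa` table and the per-SPI details of `show crypto ipsec sa` (sample output constructed from R2's output above, condensed to the lines the parsers use) and reports phase 1 not established, a missing or inactive ESP SA in either direction, replay detection off, a key lifetime about to expire, one-way traffic, or send/receive errors. The column layout and field names are those of the 12.4 output shown here; other IOS releases may format them differently.

```python
"""Parse "show crypto isakmp sa" / "show crypto ipsec sa" output and judge tunnel health.

Added example, not from the page or from Cisco. The samples are constructed copies of
R2's show output above, condensed to the lines the parsers use.
"""
import re

ISAKMP_SA_SAMPLE = """\
dst             src             state          conn-id slot status
10.1.1.1        10.1.1.2        QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA_SAMPLE = """\
interface: Tunnel0
   current_peer 10.1.1.1 port 500
    #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify: 165
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x540338C6(1409497286)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4580025/2925)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x369D5142(916279618)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4580026/2924)
        replay detection support: Y
        Status: ACTIVE
"""


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts (IKEv1 table layout)."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the column header
        f = line.split()
        if len(f) >= 6:
            rows.append({"dst": f[0], "src": f[1], "state": f[2], "status": f[-1]})
    return rows


def parse_ipsec_sa(text):
    """Counters and per-SPI details from 'show crypto ipsec sa' for one interface."""
    out = {"interface": None, "peer": None, "encaps": 0, "decaps": 0,
           "send_errors": 0, "recv_errors": 0, "sas": []}
    direction, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            out["interface"] = line.split()[1]
        elif line.startswith("current_peer"):
            out["peer"] = line.split()[1]
        elif line.startswith("#pkts encaps:") or line.startswith("#pkts decaps:"):
            key = line.split()[1].rstrip(":")   # "encaps" or "decaps"
            out[key] = int(line.split(":")[1].split(",")[0])
        elif line.startswith("#send errors"):
            m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
            out["send_errors"], out["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif line.endswith(" sas:"):                # "inbound esp sas:", "outbound ah sas:", ...
            direction = line.split()[0] if " esp " in line else None
            sa = None
        elif line.startswith("spi:") and direction:
            sa = {"direction": direction, "spi": line.split()[1].split("(")[0],
                  "transform": [], "lifetime_kb": None, "lifetime_sec": None,
                  "replay": None, "status": None}
            out["sas"].append(sa)
        elif sa is None:
            continue
        elif line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif line.startswith("sa timing"):
            m = re.search(r"\((\d+)/(\d+)\)", line)
            sa["lifetime_kb"], sa["lifetime_sec"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("replay detection support:"):
            sa["replay"] = line.endswith("Y")
        elif line.startswith("Status:"):
            sa["status"] = line.split()[1]
    return out


def tunnel_health(isakmp_rows, ipsec, min_lifetime_sec=120):
    """Problems found; an empty list means phase 1 and 2 are up and traffic flows both ways."""
    problems = []
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in isakmp_rows):
        problems.append("no ACTIVE ISAKMP SA in QM_IDLE (phase 1 not established)")
    for d in ("inbound", "outbound"):
        active = [s for s in ipsec["sas"] if s["direction"] == d and s["status"] == "ACTIVE"]
        if not active:
            problems.append(f"no ACTIVE {d} ESP SA (phase 2 missing)")
        for s in active:
            if not s["replay"]:
                problems.append(f"{d} SPI {s['spi']}: replay detection disabled")
            if s["lifetime_sec"] is not None and s["lifetime_sec"] < min_lifetime_sec:
                problems.append(f"{d} SPI {s['spi']}: only {s['lifetime_sec']}s of key lifetime left")
    if ipsec["encaps"] == 0 or ipsec["decaps"] == 0:
        problems.append("traffic is flowing in at most one direction")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        problems.append(f"send/recv errors: {ipsec['send_errors']}/{ipsec['recv_errors']}")
    return problems
```

`tunnel_health(parse_isakmp_sa(ISAKMP_SA_SAMPLE), parse_ipsec_sa(IPSEC_SA_SAMPLE))` returns an empty list for the output on this page. In a monitoring loop the counters matter as much as the ACTIVE flags: an SA can stay ACTIVE while the EIGRP neighbor behind it is lost, which shows up as `#pkts decaps` no longer increasing between two samples.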
