■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
clockrate 64000
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 150 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 150 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end
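Before bringing the tunnel up it is worth checking that the two configs mirror each other, because a peer address, pre-shared key, transform set, ISAKMP policy or crypto ACL that does not match on the other side is the usual reason the SAs never form. The Python script below is an added example, not part of the original page and not Cisco tooling: it parses the crypto-relevant lines of the R1_3620 and R2_3620 configs above (embedded as strings), reports every mismatch it finds, and separately flags the 3DES and DH group 2 settings this lab uses, which current guidance treats as legacy. The parsing rules, the consistency checks and the legacy-algorithm sets are this example's own assumptions.

```python
# Added example (not the page's code): cross-check the R1_3620 and R2_3620 crypto configs.
# The two strings are the crypto-relevant lines copied from the configs above;
# the consistency rules and the legacy-algorithm sets are this example's own.
R1_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.2
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
crypto map IPSecVPN 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set IPSEC
 match address 150
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 crypto map IPSecVPN
access-list 150 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
R2_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
crypto map IPSecVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set IPSEC
 match address 150
interface Serial1/0
 ip address 1.1.1.2 255.255.255.0
 crypto map IPSecVPN
access-list 150 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
LEGACY_ENC = {"des", "3des", "esp-des", "esp-3des"}  # ciphers current guidance retires
SMALL_DH = {"1", "2", "5"}                           # DH groups below 2048 bits

def parse_config(text):
    """Collect the crypto-relevant pieces of a config excerpt into a dict."""
    cfg = {"isakmp": {}, "keys": {}, "transforms": {}, "maps": {}, "acls": {}, "ifaces": {}}
    block = None  # dict receiving the indented sub-commands currently being read
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["isakmp"].setdefault(w[3], {})
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][w[5]] = w[3]  # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            block = cfg["maps"].setdefault(w[2], {})
        elif w[0] == "interface":
            block = cfg["ifaces"].setdefault(w[1], {})
        elif w[0] == "access-list":  # access-list N permit ip SRC WILD DST WILD
            cfg["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif block is not None and line.startswith(" "):
            if w[0] in ("set", "match", "ip", "crypto"):  # drop the verb: "set peer X" -> peer X
                w = w[1:]
            block[w[0]] = w[1]  # keys seen: encryption, group, peer, transform-set, address, map
    return cfg

def wan(cfg):  # (address, crypto map name) of the interface the map is applied to
    for props in cfg["ifaces"].values():
        if "map" in props:
            return props["address"], props["map"]

def cross_check(local, remote):
    """List the mismatches that would stop local and remote from building SAs."""
    problems = []
    (local_ip, map_name), (remote_ip, rmap_name) = wan(local), wan(remote)
    cmap, rmap = local["maps"][map_name], remote["maps"][rmap_name]
    if cmap.get("peer") != remote_ip:
        problems.append(f"set peer {cmap.get('peer')} != remote WAN address {remote_ip}")
    if local["keys"].get(remote_ip) != remote["keys"].get(local_ip):
        problems.append(f"pre-shared key for {remote_ip} missing or differs from the remote's")
    if local["transforms"].get(cmap.get("transform-set")) not in remote["transforms"].values():
        problems.append("no transform set on the remote matches the one in the crypto map")
    if not any(p == q for p in local["isakmp"].values() for q in remote["isakmp"].values()):
        problems.append("no ISAKMP policy has identical parameters on both peers")
    # Crypto ACLs must be mirror images: local src/dst == remote dst/src.
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in remote["acls"].get(rmap.get("address"), [])}
    for entry in local["acls"].get(cmap.get("address"), []):
        if entry not in mirrored:
            problems.append(f"crypto ACL entry {entry} has no mirror on the remote")
    return problems

def legacy_findings(cfg):
    """Flag DES/3DES and small DH groups wherever the config uses them."""
    out = []
    for prio, pol in cfg["isakmp"].items():
        if pol.get("encryption") in LEGACY_ENC:
            out.append(f"isakmp policy {prio}: {pol['encryption']}")
        if pol.get("group") in SMALL_DH:
            out.append(f"isakmp policy {prio}: DH group {pol['group']}")
    for name, algs in cfg["transforms"].items():
        out.extend(f"transform-set {name}: {a}" for a in algs if a in LEGACY_ENC)
    return out
```

Run cross_check in both directions (R1 against R2 and R2 against R1), since each side's set peer, key address and ACL is checked against the other side's interface address; for the lab configs both directions come back empty, while legacy_findings reports the 3DES cipher in the policy and transform set and DH group 2.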


■Verify the ISAKMP policy
R1_3620#show crypto isakmp policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit


■Verify the IPsec transform set
R1_3620#show crypto ipsec transform-set
Transform set IPSEC: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },


■Verify the ISAKMP SA
R1_3620#sh crypto isakmp sa
dst src state conn-id slot


■Verify the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


■Start IPsec traffic
Extended ping to 10.1.2.1, the destination address
・Specify 10.1.1.1 as the source address of the extended ping
This traffic matches access-list 150 and triggers the IPsec negotiation
R1_3620#ping
Protocol [ip]:
Target IP address: 10.1.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/52/52 ms


■Verify the ISAKMP SA
R1_3620#sh crypto isakmp sa
dst src state conn-id slot
1.1.1.2 1.1.1.1 QM_IDLE 1 0


■Verify the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: EBD281CD

inbound esp sas:
spi: 0xAB940552(2878604626)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607999/3558)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEBD281CD(3956441549)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607999/3558)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:


■Check the summary of the ISAKMP SA and the IPsec SAs.
・The first line (ID 1) is the ISAKMP SA
・The second line (ID 2000) is the IPsec SA for receiving (inbound)
・The third line (ID 2001) is the IPsec SA for sending (outbound)

R1_3620#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 set HMAC_SHA+3DES_56_C 0 0
2000 Serial1/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 4
2001 Serial1/0 1.1.1.1 set HMAC_SHA+3DES_56_C 4 0


■Check the summary of the ISAKMP SA and the IPsec SAs.
・The first line (ID 1) is the ISAKMP SA
・The second line (ID 2000) is the IPsec SA for receiving (inbound)
・The third line (ID 2001) is the IPsec SA for sending (outbound)

R2_3620#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 0 0
2000 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 0 4
2001 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 4 0