When IPsec and NAT are used together, define the traffic that IPsec will protect using the addresses as they appear after NAT translation.
 (Trigger definition: access-list 150 permit ip host 1.1.1.1 10.1.2.0 0.0.0.255)
・Processing order on a Cisco router
 (1) NAT translates the address
 (2) IPsec processing starts on the translated address
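The processing order just described, modelled in Python as an added example (this is a constructed model, not Cisco IOS code and not part of the original page): an outbound packet is rewritten by NAT first and only then evaluated against the crypto map ACL. The page's access-list 150 (host 1.1.1.1) matches the translated packet; a constructed counter-example that names the inside-local 10.1.1.0/24 range never does, so IPsec would never be triggered. The wildcard-mask matcher is general and works for any extended ACL line, not only the two shown.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example (constructed model, not Cisco IOS code): on R1_3620 an
# inside-to-outside packet is NAT-translated first, then matched against the
# crypto map ACL, so the ACL has to name the inside-global address 1.1.1.1.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class AceEntry:
    """One extended ACL line: permit ip <src> <src-wildcard> <dst> <dst-wildcard>."""
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

HOST = "0.0.0.0"          # 'host x.x.x.x' is shorthand for wildcard 0.0.0.0
ANY = "255.255.255.255"   # 'any' is shorthand for 0.0.0.0 255.255.255.255

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, pkt):
    """Extended ACL: first matching permit wins, implicit deny at the end."""
    return any(wildcard_match(pkt.src, e.src, e.src_wildcard)
               and wildcard_match(pkt.dst, e.dst, e.dst_wildcard) for e in acl)

def nat_overload(pkt, nat_acl, outside_addr):
    """'ip nat inside source list 1 interface Serial1/0 overload': rewrite the
    source of any packet permitted by the standard ACL to the outside address."""
    if any(wildcard_match(pkt.src, base, wc) for base, wc in nat_acl):
        return replace(pkt, src=outside_addr)
    return pkt

def process_outbound(pkt, nat_acl, outside_addr, crypto_acl):
    """Order of operations on the outside interface: NAT first, then the crypto map.
    Returns the translated packet and whether the crypto ACL selected it for IPsec."""
    translated = nat_overload(pkt, nat_acl, outside_addr)
    return translated, acl_permits(crypto_acl, translated)

# Values taken from the R1_3620 configuration on the page.
NAT_ACL_1 = [("0.0.0.0", ANY)]                                    # access-list 1 permit any
SERIAL1_0 = "1.1.1.1"                                             # ip address on Serial1/0
CRYPTO_ACL_150 = [AceEntry("1.1.1.1", HOST, "10.1.2.0", "0.0.0.255")]

# Constructed counter-example: the same ACL written with the pre-NAT inside addresses.
WRONG_ACL = [AceEntry("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]

if __name__ == "__main__":
    pkt = Packet("10.1.1.1", "10.1.2.1")   # host behind fa0/0 reaching R2's Loopback0
    for label, acl in (("post-NAT ACL", CRYPTO_ACL_150), ("pre-NAT ACL", WRONG_ACL)):
        translated, matched = process_outbound(pkt, NAT_ACL_1, SERIAL1_0, acl)
        print(f"{label}: src after NAT {translated.src}, IPsec triggered: {matched}")
```

Running the block shows the post-NAT ACL triggering IPsec for the translated packet (source 1.1.1.1) and the pre-NAT ACL never matching, which is exactly the failure the page's rule avoids.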

■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set IPSEC
match address 150
!
interface fastethernet 0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
no shut
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
clockrate 64000
crypto map IPSecVPN
no shut
!
exit
!
ip nat inside source list 1 interface Serial1/0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 1 permit any
access-list 150 permit ip host 1.1.1.1 10.1.2.0 0.0.0.255
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 150 permit ip 10.1.2.0 0.0.0.255 host 1.1.1.1
!
end


■Display the NAT table
R1_3620#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.1.1.1:30476 10.1.1.1:30476 10.1.2.1:30476 10.1.2.1:30476


■Check the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1933, #pkts encrypt: 1933, #pkts digest 1933
#pkts decaps: 1933, #pkts decrypt: 1933, #pkts verify 1933
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: 4E9CAA3E

inbound esp sas:
spi: 0xF21A2B7C(4061801340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607743/1626)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x4E9CAA3E(1318890046)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607743/1625)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
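The two show commands above are what a practitioner reads after bringing up IPsec over NAT; the following added example (not part of the original page) parses the `show crypto ipsec sa` output and flags the items worth checking: the local ident is the single inside-global address that NAT produces (1.1.1.1 on Serial1/0), the encaps/encrypt/digest and decaps/decrypt/verify counters agree, both ESP SAs exist with replay detection on, and the error counters are zero. SAMPLE is the R1_3620 output copied (abridged) from the page; on it the only finding is the two send errors.

```python
import re

# Added example (not from the original page): parse 'show crypto ipsec sa' and
# run a few sanity checks. SAMPLE is the R1_3620 output from the page, abridged.
SAMPLE = """\
interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1933, #pkts encrypt: 1933, #pkts digest 1933
#pkts decaps: 1933, #pkts decrypt: 1933, #pkts verify 1933
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
current outbound spi: 4E9CAA3E

inbound esp sas:
spi: 0xF21A2B7C(4061801340)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4607743/1626)
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x4E9CAA3E(1318890046)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4607743/1625)
replay detection support: Y
"""

# '#pkts digest 1933' has no colon while '#pkts encaps: 1933' does; ':?' covers both.
COUNTER_RE = re.compile(r"#([a-z][a-z. ]*?):?\s+(\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REPLAY_RE = re.compile(r"replay detection support: (\w)")

def parse_ipsec_sa(text):
    """Return counters, traffic selectors (idents) and the inbound/outbound ESP SAs."""
    sa = {"counters": {}, "ident": {}, "inbound": [], "outbound": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, prot, port = m.groups()
            sa["ident"][side] = (addr, mask, int(prot), int(port))
        if line.endswith(" sas:"):
            # Only ESP SAs are tracked; the AH and PCP headings reset the context.
            section = line.split()[0] if " esp " in line else None
            continue
        if section is None:
            continue
        m = SPI_RE.match(line)
        if m:
            sa[section].append({"spi": m.group(1)})
            continue
        if not sa[section]:
            continue
        m = LIFE_RE.search(line)
        if m:
            sa[section][-1]["remaining_kb"] = int(m.group(1))
            sa[section][-1]["remaining_sec"] = int(m.group(2))
        m = REPLAY_RE.match(line)
        if m:
            sa[section][-1]["replay"] = m.group(1)
    return sa

def sa_health(sa, expected_local_addr):
    """List of findings; empty means the SA looks as the page's setup intends."""
    c, issues = sa["counters"], []
    if not c.get("pkts encaps") == c.get("pkts encrypt") == c.get("pkts digest"):
        issues.append("outbound counters disagree (encaps/encrypt/digest)")
    if not c.get("pkts decaps") == c.get("pkts decrypt") == c.get("pkts verify"):
        issues.append("inbound counters disagree (decaps/decrypt/verify)")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            issues.append(f"{name}: {c[name]}")
    for direction in ("inbound", "outbound"):
        if not sa[direction]:
            issues.append(f"no {direction} ESP SA")
        for esp in sa[direction]:
            if esp.get("replay") != "Y":
                issues.append(f"{direction} SA {esp['spi']}: replay detection off")
            if esp.get("remaining_sec", 0) < 120:
                issues.append(f"{direction} SA {esp['spi']}: about to expire")
    local = sa["ident"].get("local")
    if local is None or local[0] != expected_local_addr or local[1] != "255.255.255.255":
        issues.append("local ident is not the single NAT inside-global address")
    return issues

if __name__ == "__main__":
    for finding in sa_health(parse_ipsec_sa(SAMPLE), "1.1.1.1") or ["no findings"]:
        print(finding)
```

The local-ident check is the NAT-specific part: with the page's design the selector must be exactly the inside-global address with a /32 mask, and passing a different address (the inside interface address, for instance) makes the check fail, which is the symptom of a crypto ACL written with pre-NAT addresses.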