IPsec protects unicast traffic only.
Encapsulating a packet with the GRE (generic routing encapsulation) protocol turns it into a unicast packet.
The IPsec interesting traffic is therefore defined as the GRE traffic between the tunnel endpoints.
 (access-list 150 permit gre host 192.168.2.1 host 192.168.2.2)
As a result, all traffic carried through the GRE tunnel (routing updates as well as ordinary unicast traffic) is encrypted by IPsec.
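To make the selection rule concrete, here is an added Python model (not part of the original note) of how the crypto ACL above sees tunnel traffic: the inner packet may be OSPF multicast, but the crypto map only inspects the GRE outer header, which is always unicast between the tunnel endpoints. Helper names such as parse_crypto_acl and gre_encapsulate are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the lab's crypto ACL and GRE encapsulation.
# Assumption: only "permit gre host A host B" entries are modelled.
GRE_PROTO = 47
CRYPTO_ACL = "access-list 150 permit gre host 192.168.2.1 host 192.168.2.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                      # IP protocol: 47 = GRE, 89 = OSPF, 1 = ICMP
    inner: "Packet | None" = None   # payload when this is a GRE outer header

def parse_crypto_acl(line: str) -> dict:
    """Parse 'access-list N permit gre host A host B' into a match rule."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "permit" or tok[3] != "gre":
        raise ValueError("unsupported ACL form: " + line)
    if tok[4] != "host" or tok[6] != "host":
        raise ValueError("only host/host entries are modelled")
    return {"acl": int(tok[1]), "proto": GRE_PROTO,
            "src": ipaddress.ip_address(tok[5]), "dst": ipaddress.ip_address(tok[7])}

def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Outer header written by the tunnel interface: unicast src->dst, proto 47."""
    return Packet(tunnel_src, tunnel_dst, GRE_PROTO, inner)

def is_unicast(addr: str) -> bool:
    return not ipaddress.ip_address(addr).is_multicast

def matches_crypto_acl(rule: dict, pkt: Packet) -> bool:
    """Crypto-map 'match address' test: only the outer IP header is examined."""
    return (pkt.proto == rule["proto"]
            and ipaddress.ip_address(pkt.src) == rule["src"]
            and ipaddress.ip_address(pkt.dst) == rule["dst"])

def classify(rule: dict, pkt: Packet) -> str:
    """'esp' if the crypto map protects the packet, 'cleartext' otherwise."""
    return "esp" if matches_crypto_acl(rule, pkt) else "cleartext"

# Constructed samples: an OSPF hello leaving R1's tunnel0 is multicast inside
# but unicast GRE on the wire; a LAN-to-LAN ping routed via Tunnel0 is too.
ospf_hello = Packet("192.168.4.1", "224.0.0.5", 89)
on_wire = gre_encapsulate(ospf_hello, "192.168.2.1", "192.168.2.2")
lan_ping = gre_encapsulate(Packet("192.168.1.1", "192.168.3.1", 1),
                           "192.168.2.1", "192.168.2.2")
# A ping between the Serial1/0 addresses themselves never enters the tunnel.
serial_ping = Packet("192.168.2.1", "192.168.2.2", 1)
```

Traffic that bypasses the tunnel (for example between the serial addresses) does not match ACL 150 and leaves the router unencrypted, which is worth remembering when reading the encrypt/decrypt counters below.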

■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip ospf network point-to-point
!
interface tunnel0
ip address 192.168.4.1 255.255.255.0
tunnel source 192.168.2.1
tunnel destination 192.168.2.2
crypto map IPSecVPN
!
interface Serial1/0
ip address 192.168.2.1 255.255.255.0
clockrate 64000
crypto map IPSecVPN
no shut
!
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
access-list 150 permit gre host 192.168.2.1 host 192.168.2.2
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
ip ospf network point-to-point
!
interface tunnel0
ip address 192.168.4.2 255.255.255.0
tunnel source 192.168.2.2
tunnel destination 192.168.2.1
crypto map IPSecVPN
!
interface Serial1/0
ip address 192.168.2.2 255.255.255.0
crypto map IPSecVPN
no shut
!
router ospf 1
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
access-list 150 permit gre host 192.168.2.2 host 192.168.2.1
!
end


■Check the state of the tunnel0 interface
R1_3620#sh int tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.4.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.2.1, destination 192.168.2.2
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:04, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
18 packets input, 1712 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
19 packets output, 1764 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out


■Check the summary of the ISAKMP SA and the IPsec SAs.
R1_3620#show crypto engine connections active

ID    Interface  IP-Address   State  Algorithm           Encrypt  Decrypt
1                             set    HMAC_SHA+3DES_56_C  0        0
2000  Tunnel0    192.168.4.1  set    HMAC_SHA+3DES_56_C  0        20
2001  Tunnel0    192.168.4.1  set    HMAC_SHA+3DES_56_C  20       0


■Check R1's routing table
 ・The route to 192.168.3.0/24 has been advertised by the router at the far end of the tunnel0 interface.
R1_3620#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback0
C 192.168.2.0/24 is directly connected, Serial1/0
O 192.168.3.0/24 [110/11112] via 192.168.4.2, 00:01:32, Tunnel0