GRE over IPSecの練習
本エントリについて
Dynagen、Dynamips を使って、 GRE over IPSecを練習します。
Dynagen、Dynamips の利用環境はすでに整っているものとします。
基本設定
設定コマンドは割愛します。
r1を挟んで、r2 と r3の間でトンネリングの設定をしていきます。
r1#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.0.254 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 172.16.0.253 YES NVRAM up up
Serial1/1 172.16.1.254 YES NVRAM up up
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
r1#show cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
r2 Ser 1/0 136 R S I 3725 Ser 1/1
r3 Ser 1/1 138 R S I 3725 Ser 1/0
r1#show ip proto
Routing Protocol is "bgp 65001"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
172.16.0.254
172.16.1.253
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
172.16.1.253 20 00:01:26
Distance: external 20 internal 200 local 200
r2#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.1.254 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 172.16.2.253 YES NVRAM up down
Serial1/1 172.16.0.254 YES NVRAM up up
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
r2#show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
r1 Ser 1/1 123 R S I 3725 Ser 1/0
r2#show ip proto
Routing Protocol is "bgp 65002"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
172.16.0.253
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
172.16.0.253 20 00:03:34
Distance: external 20 internal 200 local 200
r3#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.2.254 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 172.16.1.253 YES NVRAM up up
Serial1/1 172.16.3.254 YES NVRAM up down
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
r3#show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
r1 Ser 1/0 173 R S I 3725 Ser 1/1
r3#show ip proto
Routing Protocol is "bgp 65003"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
172.16.1.254
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
172.16.1.254 20 00:04:50
Distance: external 20 internal 200 local 200
GRE トンネリング
まず、GRE トンネリング単体の練習をします。
r2 で GRE トンネリングの設定をします。
r2(config)#int tun0
r2(config-if)#ip address 192.168.0.2 255.255.255.0
r2(config-if)#tunnel mode gre ip
r2(config-if)#tunnel source 172.16.0.254
r2(config-if)#tunnel destination 172.16.1.253
r2(config-if)#ip route 10.2.2.0 255.255.255.0 tunnel 0
r2#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.1.254 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 172.16.2.253 YES NVRAM up down
Serial1/1 172.16.0.254 YES NVRAM up up
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
Tunnel0 192.168.0.2 YES manual up up
r3 でも GRE トンネリングの設定をします。
r3(config)#int tun0
r3(config-if)#ip address 192.168.0.3 255.255.255.0
r3(config-if)#tunnel mode gre ip
r3(config-if)#tunnel source 172.16.1.253
r3(config-if)#tunnel destination 172.16.0.254
r3(config-if)#ip route 10.2.1.0 255.255.255.0 tunnel 0
r3#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.2.254 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 172.16.1.253 YES NVRAM up up
Serial1/1 172.16.3.254 YES NVRAM up down
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
Tunnel0 192.168.0.3 YES manual up up
疎通を確認します。
r3#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/44 ms
r3#ping 10.2.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/40 ms
r2#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/40 ms
r2#ping 10.2.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/44 ms
OSPF に寄り道
スタティックルート設定を削除して、OSPFの設定を試します。
r2(config)#no ip route 10.2.2.0 255.255.255.0
r2(config)#router ospf 1
r2(config-router)#network 192.168.0.0 0.0.0.255 area 0
r2(config-router)#network 10.2.1.0 0.0.0.255 area 0
r2(config-router)#passive-interface fa0/0
r3(config)#no ip route 10.2.1.0 255.255.255.0
r3(config)#router ospf 1
r3(config-router)#network 192.168.0.0 0.0.0.255 area 0
r3(config-router)#network 10.2.2.0 0.0.0.255 area 0
r3(config-router)#passive-interface fa0/0
状態を確認します。
r3#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.0.2 0 FULL/ - 00:00:35 192.168.0.2 Tunnel0
r3#show ip ospf int tun0
Tunnel0 is up, line protocol is up
Internet Address 192.168.0.3/24, Area 0
Process ID 1, Router ID 192.168.0.3, Network Type POINT_TO_POINT, Cost: 11111
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.0.2
Suppress hello for 0 neighbor(s)
r3#show ip ospf datab
OSPF Router with ID (192.168.0.3) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
192.168.0.2 192.168.0.2 63 0x80000003 0x004A74 3
192.168.0.3 192.168.0.3 49 0x80000002 0x004973 3
r3#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O 10.2.1.0 [110/11121] via 192.168.0.2, 00:00:43, Tunnel0
疎通を確認します。
r3#ping 10.2.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/35/40 ms
r2 でも状態を確認します。
r2#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.0.3 0 FULL/ - 00:00:35 192.168.0.3 Tunnel0
r2#show ip ospf int tun0
Tunnel0 is up, line protocol is up
Internet Address 192.168.0.2/24, Area 0
Process ID 1, Router ID 192.168.0.2, Network Type POINT_TO_POINT, Cost: 11111
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.0.3
Suppress hello for 0 neighbor(s)
r2#show ip ospf datab
OSPF Router with ID (192.168.0.2) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
192.168.0.2 192.168.0.2 109 0x80000003 0x004A74 3
192.168.0.3 192.168.0.3 98 0x80000002 0x004973 3
r2#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O 10.2.2.0 [110/11121] via 192.168.0.3, 00:01:43, Tunnel0
疎通を確認します。
r2#ping 10.2.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/40 ms
IPSec
つぎに、IPSec単体の練習をします。
OSPFの設定、GREトンネリングの設定を削除して、スタティックルートの設定を追加します。
r3(config)#no router ospf 1
r3(config)#no int tun 0
r3(config)#ip route 10.2.1.0 255.255.255.0 172.16.1.254
r2(config)#no router ospf 1
r2(config)#no int tun0
r2(config)#ip route 10.2.2.0 255.255.255.0 172.16.0.253
Phase1
r2 で設定します。
r2(config)#crypto isakmp policy 1
r2(config-isakmp)#encryption des
r2(config-isakmp)#hash md5
r2(config-isakmp)#authentication pre-share
r2(config-isakmp)#group 2
r2(config-isakmp)#crypto isakmp key cisco address 172.16.1.253
状態を確認します。
r2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
r3 で設定します。
r3(config)#crypto isakmp policy 1
r3(config-isakmp)#encryption des
r3(config-isakmp)#hash md5
r3(config-isakmp)#authentication pre-share
r3(config-isakmp)#group 2
r3(config-isakmp)#crypto isakmp key cisco address 172.16.0.254
状態を確認します。
r3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Phase 2
r2 で設定を追加します。
r2(config)#crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r2(cfg-crypto-trans)#access-list 101 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
r2(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
r2(config-crypto-map)#match address 101
r2(config-crypto-map)#set peer 172.16.1.253
r2(config-crypto-map)#set transform-set IPSEC
r2(config-crypto-map)#interface s1/1
r2(config-if)#crypto map MAP-IPSEC
r3 で設定を追加します。
r3(config)#crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r3(cfg-crypto-trans)#access-list 101 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
r3(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
r3(config-crypto-map)#match address 101
r3(config-crypto-map)#set peer 172.16.0.254
r3(config-crypto-map)#set transform-set IPSEC
r3(config-crypto-map)#interface s1/0
r3(config-if)#crypto map MAP-IPSEC
疎通を確認します。
r3#ping
Protocol [ip]:
Target IP address: 10.2.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/44/64 ms
状態を確認します。
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.1.253 172.16.0.254 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
r3#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: MAP-IPSEC, local addr 172.16.1.253
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer 172.16.0.254 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.253, remote crypto endpt.: 172.16.0.254
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xE1983530(3784848688)
inbound esp sas:
spi: 0xBE34AE01(3191123457)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: MAP-IPSEC
sa timing: remaining key lifetime (k/sec): (4542266/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE1983530(3784848688)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: MAP-IPSEC
sa timing: remaining key lifetime (k/sec): (4542266/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
r3#show crypto ipsec transform-set
Transform set IPSEC: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
r3#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Serial1/0
Uptime: 00:03:00
Session status: UP-ACTIVE
Peer: 172.16.0.254 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.0.254
Desc: (none)
IKE SA: local 172.16.1.253/500 remote 172.16.0.254/500 Active
Capabilities:D connid:1001 lifetime:23:56:58
IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.2.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4542266/3419
Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4542266/3419
r2 から疎通を確認します。
r2#ping
Protocol [ip]:
Target IP address: 10.2.2.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.1.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.254
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/43/48 ms
状態を確認します。
r2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.1.253 172.16.0.254 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
r2#show crypto ipsec sa
interface: Serial1/1
Crypto map tag: MAP-IPSEC, local addr 172.16.0.254
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 172.16.1.253 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.0.254, remote crypto endpt.: 172.16.1.253
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0xBE34AE01(3191123457)
inbound esp sas:
spi: 0xE1983530(3784848688)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: MAP-IPSEC
sa timing: remaining key lifetime (k/sec): (4497406/3324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBE34AE01(3191123457)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: MAP-IPSEC
sa timing: remaining key lifetime (k/sec): (4497406/3324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
r2#show crypto ipsec transform-set
Transform set IPSEC: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
r2#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Serial1/1
Uptime: 00:05:02
Session status: UP-ACTIVE
Peer: 172.16.1.253 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.1.253
Desc: (none)
IKE SA: local 172.16.0.254/500 remote 172.16.1.253/500 Active
Capabilities:(none) connid:1001 lifetime:23:54:57
IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 10.2.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4497406/3297
Outbound: #pkts enc'ed 9 drop 1 life (KB/Sec) 4497406/3297
GRE over IPSec
あらためてGRE over IPSecの練習をします。
いったん IPSec の設定を削除します。
r3(config)#interface s1/0
r3(config-if)#no crypto map MAP-IPSEC
r3(config-if)#no crypto map MAP-IPSEC 1 ipsec-isakmp
r3(config-if)#no access-list 101 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
r3(config)#no crypto map MAP-IPSEC 1
r3(config)#no crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r3(config)#no crypto isakmp policy 1
r3(config)#no ip route 10.2.1.0 255.255.255.0 172.16.1.254
r2(config)#interface s1/1
r2(config-if)#no crypto map MAP-IPSEC
r2(config-if)#no crypto map MAP-IPSEC 1 ipsec-isakmp
r2(config-if)#no access-list 101 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
r2(config)#no crypto map MAP-IPSEC 1
r2(config)#no crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r2(config)#no crypto isakmp policy 1
r2(config)#no ip route 10.2.2.0 255.255.255.0 172.16.0.253
GRE tunnel
GRE tunnel の設定をします。
r2(config)#int tun0
r2(config-if)#ip address 192.168.0.2 255.255.255.0
r2(config-if)#tunnel mode gre ip
r2(config-if)#tunnel source 172.16.0.254
r2(config-if)#tunnel destination 172.16.1.253
r2(config-if)#ip route 10.2.2.0 255.255.255.0 tunnel 0
r3(config)#int tun0
r3(config-if)#ip address 192.168.0.3 255.255.255.0
r3(config-if)#tunnel mode gre ip
r3(config-if)#tunnel source 172.16.1.253
r3(config-if)#tunnel destination 172.16.0.254
r3(config-if)#ip route 10.2.1.0 255.255.255.0 tunnel 0
疎通を確認します。
r3#ping
Protocol [ip]:
Target IP address: 10.2.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/41/52 ms
r3#show int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.0.3/24
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.16.1.253, destination 172.16.0.254
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:55, output 00:00:55, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 620 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 620 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
r2 からも疎通を確認します。
r2#ping
Protocol [ip]:
Target IP address: 10.2.2.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.1.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/44 ms
r2#show int tun 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.0.2/24
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.16.0.254, destination 172.16.1.253
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
10 packets input, 1240 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
10 packets output, 1240 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
IPSec
Phase1
r2 で設定をします。
r2(config)#crypto isakmp policy 1
r2(config-isakmp)#encryption des
r2(config-isakmp)#hash md5
r2(config-isakmp)#authentication pre-share
r2(config-isakmp)#group 2
r2(config-isakmp)#crypto isakmp key cisco address 192.168.0.3
状態を確認します。
r2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
r3 で設定をします。
r3(config)#crypto isakmp policy 1
r3(config-isakmp)#encryption des
r3(config-isakmp)#hash md5
r3(config-isakmp)#authentication pre-share
r3(config-isakmp)#group 2
r3(config-isakmp)#crypto isakmp key cisco address 192.168.0.2
状態を確認します。
r3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Phase2
r2 で設定をします。
r2(config)#crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r2(cfg-crypto-trans)#access-list 101 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
r2(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
r2(config-crypto-map)#match address 101
r2(config-crypto-map)#set peer 192.168.0.3
r2(config-crypto-map)#set transform-set IPSEC
r2(config-crypto-map)#interface tun0
r2(config-if)#crypto map MAP-IPSEC
r3 で設定をします。
r3(config)#crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
r3(cfg-crypto-trans)#access-list 101 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
r3(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
r3(config-crypto-map)#match address 101
r3(config-crypto-map)#set peer 192.168.0.2
r3(config-crypto-map)#set transform-set IPSEC
r3(config-crypto-map)#interface tun0
r3(config-if)#crypto map MAP-IPSEC
状態を確認します。
r3#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: MAP-IPSEC, local addr 172.16.1.253
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer 192.168.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.253, remote crypto endpt.: 192.168.0.2
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
疎通を確認します。
r3#ping
Protocol [ip]:
Target IP address: 10.2.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
.....
Success rate is 0 percent (0/5)
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.0.2 172.16.1.253 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
設定を修正します。
r2(config)#interface tun0
r2(config-if)#no crypto map MAP-IPSEC
r2(config-if)#interface s1/1
r2(config-if)#crypto map MAP-IPSEC
r3(config)#interface tun0
r3(config-if)#no crypto map MAP-IPSEC
r3(config-if)#interface s1/0
r3(config-if)#crypto map MAP-IPSEC
再度、疎通を確認します。
r3#ping
Protocol [ip]:
Target IP address: 10.2.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/40 ms
r3#
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.0.2 172.16.1.253 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
状態を確認します。
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.0.2 172.16.1.253 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
r3#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: MAP-IPSEC, local addr 172.16.1.253
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer 192.168.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.253, remote crypto endpt.: 192.168.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
r3#show crypto ipsec transform-set
Transform set IPSEC: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
r3#
r3#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Serial1/0
Session status: UP-IDLE
Peer: 192.168.0.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.0.2
Desc: (none)
IKE SA: local 172.16.1.253/500 remote 192.168.0.2/500 Active
Capabilities:D connid:1002 lifetime:23:46:27
IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.2.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
r2 でも状態を確認します。
r2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.0.2 172.16.1.253 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
r2#show crypto ipsec sa
interface: Serial1/1
Crypto map tag: MAP-IPSEC, local addr 172.16.0.254
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 192.168.0.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.254, remote crypto endpt.: 192.168.0.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
r2#show crypto ipsec transform-set
Transform set IPSEC: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
r2#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Serial1/1
Session status: DOWN
Peer: 192.168.0.3 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 10.2.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Tunnel0
Session status: UP-IDLE
Peer: 172.16.1.253 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.1.253
Desc: (none)
IKE SA: local 192.168.0.2/500 remote 172.16.1.253/500 Active
Capabilities:(none) connid:1002 lifetime:23:44:57
OSPF に寄り道
スタティックルートを削除して、OSPFの設定を追加します。
r2(config)#no ip route 10.2.2.0 255.255.255.0
r2(config)#router ospf 1
r2(config-router)#network 192.168.0.0 0.0.0.255 area 0
r2(config-router)#network 10.2.1.0 0.0.0.255 area 0
r3(config)#no ip route 10.2.1.0 255.255.255.0
r3(config)#router ospf 1
r3(config-router)#network 192.168.0.0 0.0.0.255 area 0
r3(config-router)#network 10.2.2.0 0.0.0.255 area 0
状態を確認します。
r3#show ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
192.168.0.2 0 FULL/ - 00:00:34 192.168.0.2 Tunnel0
r3#show ip ospf datab
OSPF Router with ID (192.168.0.3) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
192.168.0.2 192.168.0.2 47 0x80000002 0x004C73 3
192.168.0.3 192.168.0.3 59 0x80000003 0x004774 3
r3#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O 10.2.1.0 [110/11121] via 192.168.0.2, 00:00:51, Tunnel0
r2 でも状態を確認します。
r2#show ip ospf neig
Neighbor ID Pri State Dead Time Address Interface
192.168.0.3 0 FULL/ - 00:00:33 192.168.0.3 Tunnel0
r2#
r2#show ip ospf datab
OSPF Router with ID (192.168.0.2) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
192.168.0.2 192.168.0.2 82 0x80000002 0x004C73 3
192.168.0.3 192.168.0.3 95 0x80000003 0x004774 3
r2#show ip route ospf
10.0.0.0/24 is subnetted, 2 subnets
O 10.2.2.0 [110/11121] via 192.168.0.3, 00:01:37, Tunnel0
疎通を確認します。
r2#ping
Protocol [ip]:
Target IP address: 10.2.2.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.1.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.254, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/38/44 ms
まとめ
Dynagen、Dynamips を使って、 GRE over IPSecを練習しました。
Discussion