サイト間IPSec VPN(crypto map)の構成・設定

Dynamips/Dynagenを使用して、サイト間IPSec VPN(crypto map)を設定します。

Cisco IPSec VPN Topology

Configuration Settings Overview

サイト間の通信
HQ-Branch1間、HQ-Bransh2間、Branch1-Branch2間で通信可能とする。
IPSec通信対象セグメント
各サイト間のIPSec通信は以下のセグメント間でのみ可能とする。

HQ : 192.168.0.0/20
Branch1 : 192.168.16.0/20
Branch2 : 192.168.32.0/20

スタティックルート
IPSec通信対象に対して以下のスタティックルートを設定する。
HQ1:

ip route 192.168.16.0 255.255.240.0 Serial1/0
ip route 192.168.32.0 255.255.240.0 Serial1/0

BR11:

ip route 192.168.0.0 255.255.240.0 Serial1/0
ip route 192.168.32.0 255.255.240.0 Serial1/0

BR21:

ip route 192.168.0.0 255.255.240.0 Serial1/0
ip route 192.168.16.0 255.255.240.0 Serial1/0

ルータHQ1,BR11,BR21のIPSec関連設定

3.1 IKE Policy
  3.1.1 HQ
    iskakmp policy 10
      encryption     : des
      hash           : md5
      authentication : pre-share
      DH group       : group 1

    isakmp policy 20
      encryption     : 3des
      hash           : md5
      authentication : pre-share
      DH group       : group 2

    isakmp policy 30
      encryption     : aes
      hash           : sha
      authentication : pre-share
      DH group       : group 2

    pre-shared key   : cisco123(address: 20.0.0.2)
    pre-shared key   : cisco456(address: 30.0.0.2)

  3.1.2 Branch1
    isakmp policy 10
      encryption     : 3des
      hash           : md5
      authentication : pre-share
      DH group       : group 2

    pre-shared key   : cisco123(address 10.0.0.2)

  3.1.3 Branch2
    isakmp policy 10
      encryption     : aes
      hash           : sha
      authentication : pre-share
      DH group       : group 2

    pre-shared key   : cisco456(address 10.0.0.2)

3.2 IPSec Transform Set
  3.2.1 HQ
    ipsec transform-set Trset10
      protocol   : esp
      encryption : des
      hash       : md5-hmac

    ipsec transform-set Trset20
      protocol   : esp
      encryption : 3des
      hash       : md5-hmac

    ipsec transform-set Trset30
      protocol   : esp
      encryption : aes
      hash       : sha-hmac

  3.2.2 Branch1
    ipsec transform-set Trset10
      protocol   : esp
      encryption : 3des
      hash       : md5-hmac

  3.2.3 Branch2
    ipsec transform-set Trset10
      protocol   : esp
      encryption : aes
      hash       : sha-hmac

3.3 Crypto Map
  3.3.1 HQ
    crypto map ToBR 10 ipsec-isakmp
      set peer 20.0.0.2
      set transform-set Trset20
      match address 101
    crypto map ToBR 20 ipsec-isakmp
      set peer 30.0.0.2
      set transform-set Trset30
      match address 102

  3.3.2 Branch1
    crypto map ToHQ ipsec-isakmp
      set peer 10.0.0.2
      set transform-set Trset10
      match address 100

  3.3.3 Branch2
    crypto map ToHQ ipsec-isakmp
      set peer 10.0.0.2
      set transform-set Trset10
      match address 100

3.4 IPSec VPN access-list
  3.4.1 HQ
    HQ To Branch1
      access-list 101 permit ip 192.168.0.0 0.0.15.255 192.168.16.0 0.0.15.255
      access-list 101 permit ip 192.168.32.0 0.0.15.255 192.168.16.0 0.0.15.255

    HQ To Branch2
      access-list 102 permit ip 192.168.0.0 0.0.15.255 192.168.32.0 0.0.15.255
      access-list 102 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255

  3.4.2 Branch1
    Branch1 To HQ
      access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.0.0 0.0.15.255
      access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255

  3.4.3 Branch2
    Bracnch2 To HQ
      access-list 100 permit ip 192.168.32.0 0.0.15.255 192.168.0.0 0.0.15.255
      access-list 100 permit ip 192.168.32.0 0.0.15.255 192.168.16.0 0.0.15.255

Dynagen Config File / Router Config

(1)  Dynagen .net file

(2)  HQ1

(3)  HQ2

(4)  HQHOST

(5)  BR11

(6)  BR12

(7)  BR1HOST

(8)  BR21

(9)  BR22

(10) BR2HOST

(11) R1

show command

HQ1 :
  sh crypto isakmp sa
  sh crypto engine connections active
BR11 :
  sh crypto isakmp sa
  sh crypto engine connections active
BR21 :
  sh crypto isakmp sa
  sh crypto engine connections active

(1)  HQ1

(2)  BR11

(3)  BR21

Dynalconf HOME