Site-to-Site IPSec VPN (GRE over IPSec): Topology and Configuration
Dynalconf HOME
Using Dynamips/Dynagen, this lab builds a site-to-site IPSec VPN over GRE tunnels (GRE over IPSec). An IPSec tunnel selected by a crypto map carries only unicast IP packets, so a routing protocol that relies on multicast, such as OSPF, cannot run across it directly. A GRE tunnel can carry multicast, so a GRE tunnel is built between each pair of sites and the GRE packets are selected by the crypto ACL; OSPF then exchanges routes between the sites inside the GRE tunnel, with every packet encrypted by IPSec. GRE on its own provides no confidentiality or integrity: without the IPSec layer the OSPF hellos, routing updates and all site-to-site traffic would cross the transit network in the clear.
1. GRE Tunnel Interfaces

The tunnel source and destination are the routers' outside addresses: 10.0.0.2 (HQ), 20.0.0.2 (Branch1) and 30.0.0.2 (Branch2). Each Tunnel interface borrows the address of the LAN interface (ip unnumbered FastEthernet3/0) so OSPF can form an adjacency across the tunnel without a dedicated tunnel subnet. The tunnel source/destination pair of each interface must be exactly the host pair the crypto ACL in section 2 selects, otherwise the GRE packets leave the router unencrypted.

1.1 HQ
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 10.0.0.2
 tunnel destination 20.0.0.2
!
interface Tunnel1
 ip unnumbered FastEthernet3/0
 tunnel source 10.0.0.2
 tunnel destination 30.0.0.2

1.2 Branch1
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 20.0.0.2
 tunnel destination 10.0.0.2

1.3 Branch2
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 30.0.0.2
 tunnel destination 10.0.0.2
2. Traffic to Encrypt (crypto ACLs)

Each crypto ACL matches only the GRE packets between the two tunnel endpoints, so everything carried inside the tunnel (OSPF and user traffic) is encrypted and nothing else on the outside interface is. The ACLs at the two ends of a tunnel must be mirror images of each other (same protocol, source and destination swapped); otherwise IKE phase 2 fails or only one direction is protected. Use permit gre on Branch2, not permit ip: its ACL 100 must mirror HQ's ACL 102 exactly.

HQ
access-list 101 permit gre host 10.0.0.2 host 20.0.0.2
access-list 102 permit gre host 10.0.0.2 host 30.0.0.2

Branch1
access-list 100 permit gre host 20.0.0.2 host 10.0.0.2

Branch2
access-list 100 permit gre host 30.0.0.2 host 10.0.0.2
3. IPSec Configuration

The values below are lab settings. DES, 3DES, MD5 and DH groups 1 and 2 are deprecated and should not be used outside a lab, and the pre-shared keys (cisco123, cisco456) are placeholders. HQ offers three ISAKMP policies; because IKE requires an exact match of encryption, hash, authentication method and DH group, Branch1 can only agree on HQ's policy 20 and Branch2 only on policy 30. Policy 10 (DES/MD5/group 1) is never chosen by either branch but is still offered to any peer that contacts HQ, so it should be removed once it is not needed.

3.1 IKE (ISAKMP) Policy

3.1.1 HQ
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 30
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 20.0.0.2
crypto isakmp key cisco456 address 30.0.0.2

3.1.2 Branch1
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.2

3.1.3 Branch2
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco456 address 10.0.0.2

3.2 IPSec Transform Set

3.2.1 HQ
crypto ipsec transform-set Trset10 esp-des esp-md5-hmac
crypto ipsec transform-set Trset20 esp-3des esp-md5-hmac
crypto ipsec transform-set Trset30 esp-aes esp-sha-hmac

3.2.2 Branch1
crypto ipsec transform-set Trset10 esp-3des esp-md5-hmac

3.2.3 Branch2
crypto ipsec transform-set Trset10 esp-aes esp-sha-hmac

3.3 Crypto Map

The transform set in each crypto map entry must match the one its peer uses: Trset20 on HQ pairs with Trset10 on Branch1, and Trset30 on HQ pairs with Trset10 on Branch2 (the names differ, the ESP transforms are the same). The crypto map is applied with crypto map <name> on the outbound physical interface that holds the tunnel source address, not on the Tunnel interface; see the router configs in section 4. The sequence number 10 on the ToHQ entries is an assumption: IOS requires one and the original summary omits it.

3.3.1 HQ
crypto map ToBR 10 ipsec-isakmp
 set peer 20.0.0.2
 set transform-set Trset20
 match address 101
crypto map ToBR 20 ipsec-isakmp
 set peer 30.0.0.2
 set transform-set Trset30
 match address 102

3.3.2 Branch1
crypto map ToHQ 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set Trset10
 match address 100

3.3.3 Branch2
crypto map ToHQ 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set Trset10
 match address 100

3.4 IPSec VPN Access Lists

3.4.1 HQ
HQ to Branch1
access-list 101 permit gre host 10.0.0.2 host 20.0.0.2
HQ to Branch2
access-list 102 permit gre host 10.0.0.2 host 30.0.0.2

3.4.2 Branch1
Branch1 to HQ
access-list 100 permit gre host 20.0.0.2 host 10.0.0.2

3.4.3 Branch2
Branch2 to HQ
access-list 100 permit gre host 30.0.0.2 host 10.0.0.2
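The checks a practitioner would run over sections 1 to 3 before bringing the lab up, written here as an added Python example that is not part of the Dynalconf page or its router configs. The ROUTERS table restates the page's values for HQ1, BR11 and BR21 (the names of the three crypto endpoints); check_pair verifies that the two ends of each tunnel share a pre-shared key, have an ISAKMP policy and a transform set in common, and have mirror-image crypto ACLs that select exactly the GRE flow the Tunnel interface sends, and it flags the deprecated algorithms. The __main__ block also runs a constructed variant with permit ip instead of permit gre on BR21 to show that mismatch being caught. IKE lifetime matching is left out.

```python
"""Peer-consistency and weak-crypto check for the GRE over IPSec lab.

Added example, not code from the Dynalconf page. ROUTERS restates the values
the page lists for HQ1, BR11 and BR21; the checks encode the rules IOS applies
when the crypto map negotiates the SAs, and flag deprecated algorithms.
"""

ROUTERS = {
    "HQ1": {  # "ike": policy number -> (encryption, hash, DH group)
        "ike": {10: ("des", "md5", 1), 20: ("3des", "md5", 2), 30: ("aes", "sha", 2)},
        "psk": {"20.0.0.2": "cisco123", "30.0.0.2": "cisco456"},  # peer -> key
        "tsets": {"Trset10": ("esp-des", "esp-md5-hmac"),
                  "Trset20": ("esp-3des", "esp-md5-hmac"),
                  "Trset30": ("esp-aes", "esp-sha-hmac")},
        "map": [("20.0.0.2", "Trset20", 101), ("30.0.0.2", "Trset30", 102)],  # peer, set, ACL
        "acl": {101: ("gre", "10.0.0.2", "20.0.0.2"),  # number -> (proto, src, dst)
                102: ("gre", "10.0.0.2", "30.0.0.2")},
        "tunnels": [("10.0.0.2", "20.0.0.2"), ("10.0.0.2", "30.0.0.2")],  # (source, dest)
    },
    "BR11": {
        "ike": {10: ("3des", "md5", 2)},
        "psk": {"10.0.0.2": "cisco123"},
        "tsets": {"Trset10": ("esp-3des", "esp-md5-hmac")},
        "map": [("10.0.0.2", "Trset10", 100)],
        "acl": {100: ("gre", "20.0.0.2", "10.0.0.2")},
        "tunnels": [("20.0.0.2", "10.0.0.2")],
    },
    "BR21": {
        "ike": {10: ("aes", "sha", 2)},
        "psk": {"10.0.0.2": "cisco456"},
        "tsets": {"Trset10": ("esp-aes", "esp-sha-hmac")},
        "map": [("10.0.0.2", "Trset10", 100)],
        "acl": {100: ("gre", "30.0.0.2", "10.0.0.2")},
        "tunnels": [("30.0.0.2", "10.0.0.2")],
    },
}

# DES/3DES, MD5 and DH groups 1 and 2 (768/1024-bit MODP) are deprecated.
WEAK = {"des", "3des", "md5", 1, 2, "esp-des", "esp-3des", "esp-md5-hmac"}


def addr(r):
    """A router's VPN endpoint: the tunnel source address shared by its tunnels."""
    return r["tunnels"][0][0]


def ike_match(initiator, responder):
    """Policy the peers agree on, or None. The initiator offers all its policies;
    the responder walks its own by priority (lowest number first) and takes the
    first one that matches exactly. Lifetime is ignored here."""
    for _, pol in sorted(responder["ike"].items()):
        if pol in initiator["ike"].values():
            return pol
    return None


def map_entry(r, peer):
    """Crypto map entry on r whose 'set peer' is peer, or None."""
    return next((e for e in r["map"] if e[0] == peer), None)


def check_pair(a, b):
    """Findings for the tunnel between a (initiator) and b. ERROR: the SA will
    not come up. WEAK: it will, but with deprecated algorithms."""
    ea, eb = map_entry(a, addr(b)), map_entry(b, addr(a))
    if ea is None or eb is None:
        return ["ERROR: one side has no crypto map entry for this peer"]
    out = []
    if a["psk"].get(addr(b)) != b["psk"].get(addr(a)):
        out.append("ERROR: pre-shared keys differ")
    pol = ike_match(a, b)
    if pol is None:
        out.append("ERROR: no common ISAKMP policy")
    elif WEAK & set(pol):
        out.append(f"WEAK: ISAKMP policy {pol} uses deprecated algorithms")
    ta, tb = set(a["tsets"][ea[1]]), set(b["tsets"][eb[1]])
    if ta != tb:
        out.append(f"ERROR: transform sets differ: {sorted(ta)} vs {sorted(tb)}")
    elif WEAK & ta:
        out.append(f"WEAK: transform set {sorted(ta)} uses deprecated algorithms")
    acl_a, acl_b = a["acl"][ea[2]], b["acl"][eb[2]]
    if acl_a != (acl_b[0], acl_b[2], acl_b[1]):
        out.append(f"ERROR: crypto ACLs are not mirror images: {acl_a} vs {acl_b}")
    # The ACL must select exactly the GRE flow the Tunnel interface emits.
    if acl_a != ("gre", addr(a), addr(b)) or (addr(a), addr(b)) not in a["tunnels"]:
        out.append(f"ERROR: ACL {ea[2]} does not match GRE tunnel {addr(a)}->{addr(b)}")
    return out


def check_all(routers, hub="HQ1"):
    """check_pair from the hub to every spoke; returns {spoke name: findings}."""
    return {n: check_pair(routers[hub], r) for n, r in routers.items() if n != hub}


if __name__ == "__main__":
    for spoke, findings in check_all(ROUTERS).items():
        print(spoke, findings or ["ok"])
    # Constructed variant: BR21 uses 'permit ip' instead of 'permit gre'.
    broken = dict(ROUTERS)
    broken["BR21"] = dict(ROUTERS["BR21"], acl={100: ("ip", "30.0.0.2", "10.0.0.2")})
    print("BR21 with permit ip:", check_all(broken)["BR21"])
```

With the page's values both tunnels come up: BR11 is reported WEAK twice (3DES/MD5/group 2 in IKE, esp-3des/esp-md5-hmac in ESP) and BR21 once (group 2). The permit ip variant is reported as an ACL mirror error, which is the symptom a mismatched crypto ACL produces in the lab: phase 1 reaches QM_IDLE but the IPSec SA for GRE never forms.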
4. Configuration Files

(1) Dynagen .net file
(2) HQ1
(3) HQ2
(4) HQHOST
(5) BR11
(6) BR12
(7) BR1HOST
(8) BR21
(9) BR22
(10) BR2HOST
(11) R1
5. Verification

Run on HQ1, BR11 and BR21:
 show crypto isakmp sa
 show crypto engine connections active

show crypto isakmp sa should list one entry per peer in state QM_IDLE (phase 1 complete). show crypto engine connections active lists the active encrypt and decrypt connections with their algorithm and packet counters; both counters must increase for each peer. Traffic has to cross the tunnel before anything appears there, which OSPF hellos provide on their own once the Tunnel interfaces are up. show crypto ipsec sa additionally shows the #pkts encaps/decaps counters per SA and is the quickest way to confirm that both directions are being encrypted.

Output: (1) HQ1 (2) BR11 (3) BR21