Site-to-Site IPSec VPN (GRE over IPSec): Topology and Configuration
Dynalconf HOME
This page uses Dynamips/Dynagen to build a site-to-site IPSec VPN that carries a GRE tunnel (GRE over IPSec). An IPSec tunnel forwards only unicast packets, so a routing protocol that depends on multicast, such as OSPF, cannot run across it directly. Instead, a GRE tunnel, which can carry multicast, is built between the sites and its GRE packets are the traffic IPSec encrypts, so OSPF exchanges routes between the sites inside the encrypted tunnel. In the configurations below HQ's tunnel endpoint is 10.0.0.2, Branch1's is 20.0.0.2 and Branch2's is 30.0.0.2.
GRE tunnel interfaces

HQ (10.0.0.2)
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 10.0.0.2
 tunnel destination 20.0.0.2
interface Tunnel1
 ip unnumbered FastEthernet3/0
 tunnel source 10.0.0.2
 tunnel destination 30.0.0.2

Branch1 (20.0.0.2)
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 20.0.0.2
 tunnel destination 10.0.0.2

Branch2 (30.0.0.2)
interface Tunnel0
 ip unnumbered FastEthernet3/0
 tunnel source 30.0.0.2
 tunnel destination 10.0.0.2

Crypto ACLs (the traffic IPSec protects is the GRE traffic between the tunnel endpoints)

Each crypto ACL must be the mirror image of the peer's entry: same protocol, source and destination swapped. Branch2's entry therefore matches gre, like HQ access-list 102, not ip; a broader or narrower entry on one side causes proxy-identity mismatches during quick mode.

HQ
access-list 101 permit gre host 10.0.0.2 host 20.0.0.2
access-list 102 permit gre host 10.0.0.2 host 30.0.0.2

Branch1
access-list 100 permit gre host 20.0.0.2 host 10.0.0.2

Branch2
access-list 100 permit gre host 30.0.0.2 host 10.0.0.2
3.1 IKE Policy
HQ carries three policies so that each branch can match one of them; IOS picks the responder's highest-priority (lowest-numbered) policy that is identical in encryption, hash, authentication and DH group to a policy the initiator offers. Policy 10 (DES, MD5, DH group 1) is matched by neither branch and all three of its algorithms are deprecated, so it should not be carried into a production configuration.
3.1.1 HQ
isakmp policy 10
encryption : des
hash : md5
authentication : pre-share
DH group : group 1
isakmp policy 20
encryption : 3des
hash : md5
authentication : pre-share
DH group : group 2
isakmp policy 30
encryption : aes
hash : sha
authentication : pre-share
DH group : group 2
pre-shared key : cisco123(address: 20.0.0.2)
pre-shared key : cisco456(address: 30.0.0.2)
3.1.2 Branch1
isakmp policy 10
encryption : 3des
hash : md5
authentication : pre-share
DH group : group 2
pre-shared key : cisco123(address 10.0.0.2)
3.1.3 Branch2
isakmp policy 10
encryption : aes
hash : sha
authentication : pre-share
DH group : group 2
pre-shared key : cisco456(address 10.0.0.2)
3.2 IPSec Transform Set
The HQ crypto map (3.3.1) references only Trset20 and Trset30; Trset10 (DES, MD5) is defined but never used.
3.2.1 HQ
ipsec transform-set Trset10
protocol : esp
encryption : des
hash : md5-hmac
ipsec transform-set Trset20
protocol : esp
encryption : 3des
hash : md5-hmac
ipsec transform-set Trset30
protocol : esp
encryption : aes
hash : sha-hmac
3.2.2 Branch1
ipsec transform-set Trset10
protocol : esp
encryption : 3des
hash : md5-hmac
3.2.3 Branch2
ipsec transform-set Trset10
protocol : esp
encryption : aes
hash : sha-hmac
3.3 Crypto Map
Every crypto map entry needs a sequence number (crypto map <name> <seq> ipsec-isakmp); the branch maps below use sequence 10.
3.3.1 HQ
crypto map ToBR 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set Trset20
match address 101
crypto map ToBR 20 ipsec-isakmp
set peer 30.0.0.2
set transform-set Trset30
match address 102
3.3.2 Branch1
crypto map ToHQ 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set Trset10
match address 100
3.3.3 Branch2
crypto map ToHQ 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set Trset10
match address 100
3.4 IPSec VPN access-list
3.4.1 HQ
HQ To Branch1
access-list 101 permit gre host 10.0.0.2 host 20.0.0.2
HQ To Branch2
access-list 102 permit gre host 10.0.0.2 host 30.0.0.2
3.4.2 Branch1
Branch1 To HQ
access-list 100 permit gre host 20.0.0.2 host 10.0.0.2
3.4.3 Branch2
Branch2 To HQ
access-list 100 permit gre host 30.0.0.2 host 10.0.0.2
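The parameters in sections 3.1 to 3.4 have to agree pairwise before either side brings up an SA, and reading them off three separate fragments is where mistakes hide. The following is an added example, not code from the Dynalconf page or the lab files: it models the page's IKE policies, pre-shared keys, transform sets, crypto map entries and crypto ACLs as data, replays the IOS phase 1 policy selection (responder walks its own policies by priority, first exact match wins), confirms the keys and transform sets match, checks that the crypto ACLs are mirror images, and flags deprecated algorithms and entries that no peer will ever use. The router names, the `Router`/`audit` helpers and the branch crypto map sequence number (10) are this example's own assumptions; every address, key and algorithm is the one the page lists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Algorithm choices a reviewer flags today (DES/3DES, MD5, DH group 1 are deprecated).
WEAK = {"enc": {"des", "3des"}, "hash": {"md5"}, "dh": {1}}

@dataclass(frozen=True)
class IkePolicy:            # crypto isakmp policy <priority>
    priority: int
    enc: str
    hash: str
    dh: int
    auth: str = "pre-share"

@dataclass(frozen=True)
class TransformSet:         # crypto ipsec transform-set <name> esp-<enc> esp-<hash>
    enc: str
    hash: str

@dataclass(frozen=True)
class Ace:                  # access-list <n> permit <proto> host <src> host <dst>
    proto: str
    src: str
    dst: str

@dataclass(frozen=True)
class MapEntry:             # crypto map <name> <seq> ipsec-isakmp
    seq: int
    peer: str
    tset: str
    acl: int

@dataclass
class Router:
    name: str
    address: str
    ike: List[IkePolicy]
    psk: Dict[str, str]             # peer address -> pre-shared key
    tsets: Dict[str, TransformSet]
    cmap: List[MapEntry]
    acls: Dict[int, List[Ace]]

def negotiate_ike(init: Router, resp: Router) -> Optional[Tuple[IkePolicy, IkePolicy]]:
    """IOS phase 1 selection: the responder walks its own policies by priority and
    takes the first one identical (enc, hash, auth, DH group) to any policy the
    initiator offered. Returns (responder policy, initiator policy) or None."""
    ident = lambda p: (p.enc, p.hash, p.dh, p.auth)
    for r in sorted(resp.ike, key=lambda p: p.priority):
        for i in sorted(init.ike, key=lambda p: p.priority):
            if ident(r) == ident(i):
                return r, i
    return None

def check_pair(a: Router, b: Router) -> List[str]:
    """Everything that must agree between two peers for the SA to come up."""
    out = []
    if negotiate_ike(a, b) is None:
        out.append(f"{a.name}<->{b.name}: no common IKE policy")
    ka, kb = a.psk.get(b.address), b.psk.get(a.address)
    if ka is None or ka != kb:
        out.append(f"{a.name}<->{b.name}: pre-shared keys differ or missing")
    ea = next((e for e in a.cmap if e.peer == b.address), None)
    eb = next((e for e in b.cmap if e.peer == a.address), None)
    if ea is None or eb is None:
        return out + [f"{a.name}<->{b.name}: crypto map entry missing on one side"]
    if a.tsets[ea.tset] != b.tsets[eb.tset]:
        out.append(f"{a.name}<->{b.name}: transform sets differ ({ea.tset} vs {eb.tset})")
    # Crypto ACLs must be mirror images: same protocol, source/destination swapped.
    acl_a, acl_b = a.acls.get(ea.acl, []), b.acls.get(eb.acl, [])
    for mine, theirs, who in ((acl_a, acl_b, a), (acl_b, acl_a, b)):
        for ace in mine:
            if not any(ace.proto == o.proto and ace.src == o.dst and ace.dst == o.src for o in theirs):
                out.append(f"{who.name}: 'permit {ace.proto} host {ace.src} host {ace.dst}' has no mirror on the peer")
    return out

def hygiene(r: Router, peers: List[Router]) -> List[str]:
    """Weak algorithms, and policies / transform sets no configured peer ever uses."""
    out, used = [], set()
    for p in peers:
        for chosen, mine in ((negotiate_ike(r, p), 1), (negotiate_ike(p, r), 0)):
            if chosen:
                used.add(chosen[mine])
    for pol in r.ike:
        weak = [v for v, bad in ((pol.enc, WEAK["enc"]), (pol.hash, WEAK["hash"]), (pol.dh, WEAK["dh"])) if v in bad]
        if weak:
            out.append(f"{r.name} isakmp policy {pol.priority}: weak {weak}")
        if pol not in used:
            out.append(f"{r.name} isakmp policy {pol.priority}: never selected by any configured peer")
    for name, ts in r.tsets.items():
        weak = [v for v, bad in ((ts.enc, WEAK["enc"]), (ts.hash.split("-")[0], WEAK["hash"])) if v in bad]
        if weak:
            out.append(f"{r.name} transform-set {name}: weak {weak}")
        if name not in {e.tset for e in r.cmap}:
            out.append(f"{r.name} transform-set {name}: not referenced by any crypto map entry")
    return out

def build_lab() -> Dict[str, Router]:
    """The three routers with the addresses, policies, keys, transform sets and ACLs
    the page lists. The branch crypto map sequence number (10) is an assumption."""
    hq = Router("HQ", "10.0.0.2",
                [IkePolicy(10, "des", "md5", 1), IkePolicy(20, "3des", "md5", 2), IkePolicy(30, "aes", "sha", 2)],
                {"20.0.0.2": "cisco123", "30.0.0.2": "cisco456"},
                {"Trset10": TransformSet("des", "md5-hmac"), "Trset20": TransformSet("3des", "md5-hmac"),
                 "Trset30": TransformSet("aes", "sha-hmac")},
                [MapEntry(10, "20.0.0.2", "Trset20", 101), MapEntry(20, "30.0.0.2", "Trset30", 102)],
                {101: [Ace("gre", "10.0.0.2", "20.0.0.2")], 102: [Ace("gre", "10.0.0.2", "30.0.0.2")]})
    br1 = Router("Branch1", "20.0.0.2", [IkePolicy(10, "3des", "md5", 2)], {"10.0.0.2": "cisco123"},
                 {"Trset10": TransformSet("3des", "md5-hmac")}, [MapEntry(10, "10.0.0.2", "Trset10", 100)],
                 {100: [Ace("gre", "20.0.0.2", "10.0.0.2")]})
    br2 = Router("Branch2", "30.0.0.2", [IkePolicy(10, "aes", "sha", 2)], {"10.0.0.2": "cisco456"},
                 {"Trset10": TransformSet("aes", "sha-hmac")}, [MapEntry(10, "10.0.0.2", "Trset10", 100)],
                 {100: [Ace("gre", "30.0.0.2", "10.0.0.2")]})
    return {r.name: r for r in (hq, br1, br2)}

def audit(lab: Dict[str, Router]) -> List[str]:
    """Pairwise agreement checks (each pair once) plus per-router hygiene."""
    out = []
    for r in lab.values():
        peers = [p for p in lab.values() if p.address in r.psk]
        out += [f for p in peers if r.name < p.name for f in check_pair(r, p)]
        out += hygiene(r, peers)
    return out

if __name__ == "__main__":
    lab = build_lab()
    print("\n".join(audit(lab)))
    # Constructed variant: Branch2 writes its crypto ACL as "permit ip" while HQ
    # keeps "permit gre"; the mirror check reports it from both sides.
    lab["Branch2"].acls[100] = [Ace("ip", "30.0.0.2", "10.0.0.2")]
    print("\n".join(audit(lab)))
```

Run against the page's values the pair checks come back clean and the hygiene pass reports exactly the points a reviewer would raise: HQ policy 10 and Trset10 are never used, and every DES/3DES or MD5 entry is flagged. The variant at the end shows why "permit ip" on one side and "permit gre" on the other is not harmless: the entries are no longer mirrors, so the check reports both of them.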
Lab files: (1) Dynagen .net file (2) HQ1 (3) HQ2 (4) HQHOST (5) BR11 (6) BR12 (7) BR1HOST (8) BR21 (9) BR22 (10) BR2HOST (11) R1
Verification

HQ1 : sh crypto isakmp sa / sh crypto engine connections active
BR11 : sh crypto isakmp sa / sh crypto engine connections active
BR21 : sh crypto isakmp sa / sh crypto engine connections active

Because the crypto ACLs match GRE only, nothing is negotiated until the tunnel sends traffic (OSPF hellos or a ping across the tunnel); until then the ISAKMP SA table is empty.

Command output: (1) HQ1 (2) BR11 (3) BR21
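When checking several routers it is easier to read the ISAKMP SA table mechanically than by eye. The following is an added example, not part of the Dynalconf page: it parses `show crypto isakmp sa` output and reports any expected peer whose phase 1 SA is missing or not in QM_IDLE. The sample table is constructed to resemble HQ1's output (column layout differs slightly between IOS releases, so the parser keys only on the first three whitespace-separated fields and ignores the rest); the state hints summarise Cisco's state definitions and the usual cause behind each, and the function names are this example's own.

```python
import re
from typing import Dict, List

_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# How a practitioner reads the states that turn up most often.
STATE_HINT = {
    "QM_IDLE": "phase 1 established, ready for quick mode",
    "MM_NO_STATE": "SA created but main mode never completed (no matching policy, or peer not answering)",
    "MM_KEY_EXCH": "DH exchange done, authentication pending; stuck here usually means the pre-shared keys differ",
}

def parse_isakmp_sa(output: str, local: str) -> Dict[str, str]:
    """Return {peer address: state} from `show crypto isakmp sa` output.
    A data row is any line whose first two fields are IP addresses (dst, src)
    followed by the state; header, blank and section-title lines are skipped.
    If a peer has several rows (a stale deleted SA beside a live one), an
    established QM_IDLE row is kept over any other state."""
    peers: Dict[str, str] = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 3 and _IP.match(f[0]) and _IP.match(f[1]):
            dst, src, state = f[0], f[1], f[2]
            peer = dst if src == local else src
            if peers.get(peer) != "QM_IDLE":
                peers[peer] = state
    return peers

def verify_phase1(output: str, local: str, expected: List[str]) -> List[str]:
    """Problems found for the expected peers; an empty list means all are QM_IDLE."""
    states = parse_isakmp_sa(output, local)
    problems = []
    for peer in expected:
        state = states.get(peer)
        if state is None:
            problems.append(f"{peer}: no ISAKMP SA at all (nothing matched the crypto ACL yet, or IKE never reached the peer)")
        elif state != "QM_IDLE":
            problems.append(f"{peer}: {state} ({STATE_HINT.get(state, 'see IOS documentation')})")
    return problems

# Constructed sample in the shape of HQ1's table: Branch1 is up, Branch2 is stuck.
HQ1_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.0.0.2        10.0.0.2        QM_IDLE           1001 ACTIVE
30.0.0.2        10.0.0.2        MM_KEY_EXCH       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

if __name__ == "__main__":
    for problem in verify_phase1(HQ1_OUTPUT, "10.0.0.2", ["20.0.0.2", "30.0.0.2"]):
        print(problem)
```

Run on each router with its own address and the peers it should have (HQ1: 20.0.0.2 and 30.0.0.2; BR11 and BR21: 10.0.0.2). An empty result is the phase 1 half of the verification; `show crypto engine connections active` then shows whether packets are actually being encrypted and decrypted in both directions.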