概要

DMVPNによって、拠点間のIPSec VPNの通信を動的に行うことができるように設定します。マルチポイントGREトンネル上でOSPFを利用してルーティングテーブルを作成します。そして、マルチポイントGREトンネル上の通信をIPSecで暗号化します。

ネットワーク構成

図 DMVPNネットワーク構成
図 DMVPNネットワーク構成
図 DMVPN 内部ネットワーク構成
図 DMVPN 内部ネットワーク構成

初期設定

R1

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 100.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.1.1.100

R2

interface Loopback0
 ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 100.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.2.2.100

R3

interface Loopback0
 ip address 192.168.3.3 255.255.255.0
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 100.3.3.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.3.3.100

DMVPN設定

R1 DMVPN設定 NHS(Next Hop Server)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS 
!
interface Loopback0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip ospf network broadcast
 tunnel source FastEthernet0/0.101
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0

R2 DMVPN設定

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS 
!
interface Loopback0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast 100.1.1.1
 ip nhrp map 192.168.100.1 100.1.1.1
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.100.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0.102
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0

R3 DMVPN設定

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS 
!
interface Loopback0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast 100.1.1.1
 ip nhrp map 192.168.100.1 100.1.1.1
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.100.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0.103
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0

showコマンド

【ルーティングテーブル】

R1 ルーティングテーブル

R1_DMVPN#show ip route
~省略~

Gateway of last resort is 100.1.1.100 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 1 subnets
C       100.1.1.0 is directly connected, FastEthernet0/0.101
C    192.168.1.0/24 is directly connected, Loopback0
O    192.168.2.0/24 [110/11112] via 192.168.100.2, 00:12:43, Tunnel0
C    192.168.100.0/24 is directly connected, Tunnel0
O    192.168.3.0/24 [110/11112] via 192.168.100.3, 00:12:43, Tunnel0
S*   0.0.0.0/0 [1/0] via 100.1.1.100

R2 ルーティングテーブル

R2_DMVPN#show ip route
~省略~

Gateway of last resort is 100.2.2.100 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 1 subnets
C       100.2.2.0 is directly connected, FastEthernet0/0.102
O    192.168.1.0/24 [110/11112] via 192.168.100.1, 00:12:59, Tunnel0
C    192.168.2.0/24 is directly connected, Loopback0
C    192.168.100.0/24 is directly connected, Tunnel0
O    192.168.3.0/24 [110/11112] via 192.168.100.3, 00:12:59, Tunnel0
S*   0.0.0.0/0 [1/0] via 100.2.2.100

R3 ルーティングテーブル

R3_DMVPN#show ip route
~省略~

Gateway of last resort is 100.3.3.100 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 1 subnets
C       100.3.3.0 is directly connected, FastEthernet0/0.103
O    192.168.1.0/24 [110/11112] via 192.168.100.1, 00:15:48, Tunnel0
O    192.168.2.0/24 [110/11112] via 192.168.100.2, 00:15:48, Tunnel0
C    192.168.100.0/24 is directly connected, Tunnel0
C    192.168.3.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 100.3.3.100

【NHRPキャッシュ】

R1 NHRPキャッシュ(NHS)

R1_DMVPN#show ip nhrp detail
192.168.100.2/32 via 192.168.100.2, Tunnel0 created 02:15:45, expire 01:46:48
  Type: dynamic, Flags: authoritative unique registered 
  NBMA address: 100.2.2.2 
192.168.100.3/32 via 192.168.100.3, Tunnel0 created 02:15:42, expire 01:47:10
  Type: dynamic, Flags: authoritative unique registered 
  NBMA address: 100.3.3.3

R2 NHRPキャッシュ

R2_DMVPN#show ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel0 created 02:20:38, never expire
  Type: static, Flags: authoritative used
  NBMA address: 100.1.1.1

R3 NHRPキャッシュ

R3_DMVPN#show ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel0 created 02:21:14, never expire
  Type: static, Flags: authoritative used
  NBMA address: 100.1.1.1

【IPSec SA】

R1 IPSec SA

R1_DMVPN#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.2.2.2/255.255.255.255/47/0)
   current_peer 100.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
    #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 100.1.1.1, remote crypto endpt.: 100.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.101
     current outbound spi: 0x2B8DE8E(45670030)

     inbound esp sas:
      spi: 0x41AF28EB(1101998315)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472051/2263)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2B8DE8E(45670030)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472050/2263)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.3.3.3/255.255.255.255/47/0)
   current_peer 100.3.3.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
    #pkts decaps: 147, #pkts decrypt: 147, #pkts verify: 147
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: 100.1.1.1, remote crypto endpt.: 100.3.3.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.101
     current outbound spi: 0x1FD2441F(533873695)

     inbound esp sas:
      spi: 0x1DDD9421(501060641)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4533275/2286)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1FD2441F(533873695)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4533274/2286)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2 IPSec SA

R2_DMVPN#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
   current_peer 100.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.2.2.2, remote crypto endpt.: 100.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.102
     current outbound spi: 0x2A3C192(44286354)

     inbound esp sas:
      spi: 0x63B72CEF(1672948975)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4558452/3530)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2A3C192(44286354)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4558452/3530)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R3 IPSec SA

R3_DMVPN#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.3.3.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.3.3.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
   current_peer 100.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 164, #pkts encrypt: 164, #pkts digest: 164
    #pkts decaps: 167, #pkts decrypt: 167, #pkts verify: 167
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.3.3.3, remote crypto endpt.: 100.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.103
     current outbound spi: 0x1DDD9421(501060641)

     inbound esp sas:
      spi: 0x1FD2441F(533873695)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4557703/2115)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1DDD9421(501060641)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4557703/2115)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: