Overview
DMVPN is configured so that IPsec VPN traffic between sites is established dynamically. OSPF runs over a multipoint GRE tunnel to build the routing table, and the traffic carried on the multipoint GRE tunnel is then encrypted with IPsec.
Related articles
For more detailed DMVPN configuration, see also the following articles.
Network topology
R1 is the hub (NHS) with WAN address 100.1.1.1 on FastEthernet0/0.101; R2 and R3 are spokes with 100.2.2.2 on FastEthernet0/0.102 and 100.3.3.3 on FastEthernet0/0.103. Each router points a default route at its own next hop (100.x.x.100) and advertises its Loopback0 network (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) over Tunnel0 (192.168.100.0/24).
Initial configuration
R1
```
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 100.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.1.1.100
```
R2
```
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 100.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.2.2.100
```
R3
```
interface Loopback0
 ip address 192.168.3.3 255.255.255.0
!
! R3's WAN subinterface is FastEthernet0/0.103 (the tunnel source and
! "show ip route" below both reference .103)
interface FastEthernet0/0.103
 encapsulation dot1Q 103
 ip address 100.3.3.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 100.3.3.100
```
DMVPN configuration
R1 DMVPN configuration: NHS (Next Hop Server)
```
! IKE phase 1: 3DES with a pre-shared key. The 0.0.0.0 0.0.0.0 wildcard
! accepts this key from any peer address, so spoke addresses need not be
! known in advance.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Transport mode: only the GRE packet is encrypted; the tunnel source
! address remains the outer IP header.
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS
!
interface Loopback0
 ip ospf network point-to-point
!
! Hub: multipoint GRE, spokes register with NHRP dynamically and the hub
! replicates multicast (OSPF hellos) to every registered spoke.
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip ospf network broadcast
 tunnel source FastEthernet0/0.101
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
```
R2 DMVPN configuration
```
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS
!
interface Loopback0
 ip ospf network point-to-point
!
! Spoke: static NHRP mapping of the hub's tunnel address to its NBMA
! (WAN) address, multicast sent only to the hub, and OSPF priority 0 so
! the spoke is never elected DR on the broadcast-type tunnel network.
interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast 100.1.1.1
 ip nhrp map 192.168.100.1 100.1.1.1
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.100.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0.102
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
```
R3 DMVPN configuration
```
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TS esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TS
!
interface Loopback0
 ip ospf network point-to-point
!
! Spoke configuration mirrors R2; only the tunnel address, tunnel source
! and OSPF router-id differ.
interface Tunnel0
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip nhrp authentication AAA
 ip nhrp map multicast 100.1.1.1
 ip nhrp map 192.168.100.1 100.1.1.1
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.100.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0.103
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
```
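As an added consistency check (example code written for this article, not the page's or Cisco's own tooling), the following Python compares a spoke's Tunnel0 stanza with the hub's: the NHRP authentication string, network-id, GRE tunnel key and OSPF network type must match, the spoke must point `ip nhrp nhs` and its static `ip nhrp map` at the hub, and the spoke needs `ip ospf priority 0`. HUB and R2 are the page's own Tunnel0 settings re-typed as strings; BAD_SPOKE is a constructed misconfiguration.

```python
# Added example for this article (not the page's own tooling): check a spoke's
# Tunnel0 stanza against the hub's. HUB and R2 are the page's own Tunnel0
# settings re-typed as strings; BAD_SPOKE is a constructed misconfiguration.
HUB = """interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 ip nhrp authentication AAA
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip ospf network broadcast
 tunnel key 1000"""
R2 = """interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 ip nhrp authentication AAA
 ip nhrp map multicast 100.1.1.1
 ip nhrp map 192.168.100.1 100.1.1.1
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.100.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel key 1000"""
BAD_SPOKE = R2.replace("tunnel key 1000", "tunnel key 1001").replace(" ip ospf priority 0\n", "")

# Settings that must be identical on every router in one DMVPN cloud.
SHARED = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key", "ip ospf network")

def params(cfg):
    """Collect the values of the interesting Tunnel0 commands, keyed by command prefix."""
    p = {}
    for line in cfg.splitlines():
        line = line.strip()
        for key in SHARED + ("ip address", "ip nhrp nhs", "ip nhrp map", "ip ospf priority"):
            if line.startswith(key + " "):
                p.setdefault(key, []).append(line[len(key) + 1:])
    return p

def check_spoke(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the spoke matches the hub."""
    hub, spoke, out = params(hub_cfg), params(spoke_cfg), []
    for key in SHARED:
        if hub.get(key) != spoke.get(key):
            out.append(f"{key}: hub={hub.get(key)} spoke={spoke.get(key)}")
    hub_ip = hub["ip address"][0].split()[0]          # hub tunnel address = NHS
    if spoke.get("ip nhrp nhs") != [hub_ip]:
        out.append(f"ip nhrp nhs must be {hub_ip}")
    maps = dict(m.split() for m in spoke.get("ip nhrp map", []))   # tunnel/multicast -> NBMA
    if hub_ip not in maps:
        out.append(f"missing static 'ip nhrp map {hub_ip} <hub NBMA address>'")
    elif maps.get("multicast") != maps[hub_ip]:
        out.append("ip nhrp map multicast must point at the hub NBMA address")
    if spoke.get("ip ospf priority") != ["0"]:
        out.append("spoke needs 'ip ospf priority 0' so only the hub becomes DR")
    return out
```

The check deliberately ignores the ISAKMP policy; note that the 3DES transform and the single wildcard pre-shared key in the configs above keep the lab simple, whereas a production deployment would use AES and per-peer or certificate-based authentication.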
show commands
[Routing tables]
R1 routing table
```
R1_DMVPN#show ip route
~omitted~
Gateway of last resort is 100.1.1.100 to network 0.0.0.0
100.0.0.0/24 is subnetted, 1 subnets
C 100.1.1.0 is directly connected, FastEthernet0/0.101
C 192.168.1.0/24 is directly connected, Loopback0
O 192.168.2.0/24 [110/11112] via 192.168.100.2, 00:12:43, Tunnel0
C 192.168.100.0/24 is directly connected, Tunnel0
O 192.168.3.0/24 [110/11112] via 192.168.100.3, 00:12:43, Tunnel0
S* 0.0.0.0/0 [1/0] via 100.1.1.100
```
R2 routing table
```
R2_DMVPN#show ip route
~omitted~
Gateway of last resort is 100.2.2.100 to network 0.0.0.0
100.0.0.0/24 is subnetted, 1 subnets
C 100.2.2.0 is directly connected, FastEthernet0/0.102
O 192.168.1.0/24 [110/11112] via 192.168.100.1, 00:12:59, Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
C 192.168.100.0/24 is directly connected, Tunnel0
O 192.168.3.0/24 [110/11112] via 192.168.100.3, 00:12:59, Tunnel0
S* 0.0.0.0/0 [1/0] via 100.2.2.100
```
R3 routing table
```
R3_DMVPN#show ip route
~omitted~
Gateway of last resort is 100.3.3.100 to network 0.0.0.0
100.0.0.0/24 is subnetted, 1 subnets
C 100.3.3.0 is directly connected, FastEthernet0/0.103
O 192.168.1.0/24 [110/11112] via 192.168.100.1, 00:15:48, Tunnel0
O 192.168.2.0/24 [110/11112] via 192.168.100.2, 00:15:48, Tunnel0
C 192.168.100.0/24 is directly connected, Tunnel0
C 192.168.3.0/24 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 100.3.3.100
```
[NHRP cache]
R1 NHRP cache (NHS)
```
R1_DMVPN#show ip nhrp detail
192.168.100.2/32 via 192.168.100.2, Tunnel0 created 02:15:45, expire 01:46:48
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 100.2.2.2
192.168.100.3/32 via 192.168.100.3, Tunnel0 created 02:15:42, expire 01:47:10
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 100.3.3.3
```
R2 NHRP cache
```
R2_DMVPN#show ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel0 created 02:20:38, never expire
  Type: static, Flags: authoritative used
  NBMA address: 100.1.1.1
```
R3 NHRP cache
```
R3_DMVPN#show ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel0 created 02:21:14, never expire
  Type: static, Flags: authoritative used
  NBMA address: 100.1.1.1
```
[IPsec SA]
R1 IPsec SA
```
R1_DMVPN#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (100.2.2.2/255.255.255.255/47/0)
current_peer 100.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
#pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: 100.1.1.1, remote crypto endpt.: 100.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.101
current outbound spi: 0x2B8DE8E(45670030)
inbound esp sas:
spi: 0x41AF28EB(1101998315)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4472051/2263)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2B8DE8E(45670030)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4472050/2263)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (100.3.3.3/255.255.255.255/47/0)
current_peer 100.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
#pkts decaps: 147, #pkts decrypt: 147, #pkts verify: 147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 8, #recv errors 0
local crypto endpt.: 100.1.1.1, remote crypto endpt.: 100.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.101
current outbound spi: 0x1FD2441F(533873695)
inbound esp sas:
spi: 0x1DDD9421(501060641)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4533275/2286)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1FD2441F(533873695)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4533274/2286)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
```
R2 IPsec SA
```
R2_DMVPN#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (100.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
current_peer 100.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 100.2.2.2, remote crypto endpt.: 100.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.102
current outbound spi: 0x2A3C192(44286354)
inbound esp sas:
spi: 0x63B72CEF(1672948975)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4558452/3530)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2A3C192(44286354)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4558452/3530)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
```
R3 IPsec SA
```
R3_DMVPN#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.3.3.3
protected vrf: (none)
local ident (addr/mask/prot/port): (100.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
current_peer 100.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 164, #pkts encrypt: 164, #pkts digest: 164
#pkts decaps: 167, #pkts decrypt: 167, #pkts verify: 167
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 100.3.3.3, remote crypto endpt.: 100.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.103
current outbound spi: 0x1DDD9421(501060641)
inbound esp sas:
spi: 0x1FD2441F(533873695)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4557703/2115)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DDD9421(501060641)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4557703/2115)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
```
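To verify the SA output above rather than read it by eye, the following added example (written for this article, not the page's or Cisco's own tooling) parses `show crypto ipsec sa` into per-peer inbound/outbound ESP SPIs and cross-checks a hub/spoke pair: the hub's inbound SPI toward a spoke must equal that spoke's outbound SPI and vice versa. R1_SA and R3_SA are trimmed excerpts of the page's R1 and R3 output.

```python
# Added example for this article (not the page's own tooling): parse the
# 'show crypto ipsec sa' output above and cross-check SPIs between two peers.
# R1_SA and R3_SA are trimmed excerpts of the page's R1 and R3 output.
R1_SA = """interface: Tunnel0
   remote ident (addr/mask/prot/port): (100.3.3.3/255.255.255.255/47/0)
   current_peer 100.3.3.3 port 500
    current outbound spi: 0x1FD2441F(533873695)
     inbound esp sas:
      spi: 0x1DDD9421(501060641)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x1FD2441F(533873695)
        Status: ACTIVE"""
R3_SA = """interface: Tunnel0
   remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/47/0)
   current_peer 100.1.1.1 port 500
    current outbound spi: 0x1DDD9421(501060641)
     inbound esp sas:
      spi: 0x1FD2441F(533873695)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x1DDD9421(501060641)
        Status: ACTIVE"""

def parse_ipsec_sa(text):
    """Return {peer: {'in': hex SPI, 'out': hex SPI, 'active': bool}} per current_peer block."""
    peers, peer, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer "):
            peer = line.split()[1]
            peers[peer] = {"in": None, "out": None, "active": True}
        elif line in ("inbound esp sas:", "outbound esp sas:"):
            direction = "in" if line.startswith("inbound") else "out"
        elif line.endswith("ah sas:") or line.endswith("pcp sas:"):
            direction = None                      # left the ESP block
        elif line.startswith("spi:") and peer and direction:
            peers[peer][direction] = line.split()[1].split("(")[0]   # e.g. "0x1DDD9421"
        elif line.startswith("Status:") and peer and direction:
            peers[peer]["active"] &= line.endswith("ACTIVE")
    return peers

def spis_consistent(a_sas, a_addr, b_sas, b_addr):
    """True when a's inbound SPI toward b is b's outbound SPI and vice versa, both ACTIVE."""
    a, b = a_sas[b_addr], b_sas[a_addr]
    return a["active"] and b["active"] and a["in"] == b["out"] and a["out"] == b["in"]
```

Run against the R1 and R2 output as printed above, the same check fails (R1 shows 0x41AF28EB/0x2B8DE8E for peer 100.2.2.2, R2 shows 0x63B72CEF/0x2A3C192), because the two captures were taken from different SA generations: R2's remaining lifetime (3530 s) and small packet counts show a freshly rekeyed SA, so a mismatch between captures taken at different times is not by itself a fault.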