Overview

This exercise configures a route-based site-to-site IPsec VPN using an IPsec VTI (Virtual Tunnel Interface). The configuration contains mistakes, so the sites cannot communicate. The task is to isolate and fix them.

Network Topology

Figure: [Exercise] Site-to-Site IPsec VPN network topology

Requirements

  • The VPN gateways that perform the IPsec encryption are R1 and R2. R4 and R5 are the internal routers at each site. EIGRP is used for routing inside the sites.
  • Connect headquarters and branch 1 with an IPsec VPN so that the two sites can communicate.
  • Use a VTI for the IPsec VPN: connect R1 and R2 with a point-to-point tunnel interface and encrypt the packets that traverse that tunnel interface.
  • Allow hosts inside each site to reach the Internet.

Initial Configuration

The following configurations were applied according to these requirements, but they contain mistakes and traffic does not flow as intended. Fix the mistakes. Only R1 and R2 are misconfigured; the other routers are configured correctly.

R1 Initial Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 2.2.2.2
!
crypto isakmp peer address 2.2.2.2
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 passive-interface tu12
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
!
ip access-list extended INBOUND
 evaluate ref-acl 
 permit esp host 2.2.2.2 host 1.1.1.1
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.1.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R2 Initial Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
interface Tunnel12
 ip address 10.0.0.6 255.255.255.252
 ip summary-address eigrp 1 10.2.0.0 255.255.0.0 5
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group OUTBOUND out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
!
ip access-list extended INBOUND
 evaluate ref-acl 
 permit esp host 1.1.1.1 host 2.2.2.2
 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.2.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R4 Initial Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.2.4 255.255.255.0 secondary
 ip address 10.1.3.4 255.255.255.0 secondary
 ip address 10.1.0.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.4 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R5 Initial Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 10.2.1.5 255.255.255.0 secondary
 ip address 10.2.2.5 255.255.255.0 secondary
 ip address 10.2.3.5 255.255.255.0 secondary
 ip address 10.2.0.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.5 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

ISP Initial Configuration

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 100.1.1.10 255.255.255.0 secondary
 ip address 100.1.2.10 255.255.255.0 secondary
 ip address 100.1.3.10 255.255.255.0 secondary
 ip address 100.1.0.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.10 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 2.2.2.10 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 3.3.3.10 255.255.255.0
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

Isolating and Fixing the IPsec VTI Misconfigurations

1. R1 tunnel destination

The tunnel destination on R1's Tunnel12 is wrong. It points at 10.2.25.2, which is R2's internal LAN address (Fa0/0.25), rather than R2's public address 2.2.2.2. That address is not reachable across the Internet and does not match R2's tunnel source, so no IPsec SA is ever negotiated and Tunnel12 cannot reach R2. Because the line protocol of a tunnel in tunnel mode ipsec ipv4 follows the IPsec SA, show interfaces tunnel 12 reports line protocol down.

Isolation

R1 isolation

R1#show run interface tunnel 12
Building configuration...

Current configuration : 191 bytes
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
end

R1#show interfaces tunnel 12
Tunnel12 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 10.2.25.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
-- omitted --

Fix

R1 fix

interface Tunnel12
 tunnel destination 2.2.2.2

2. R1 tunnel protection

R1's Tunnel12 has no IPsec profile applied (the tunnel protection command is missing). Packets sent over Tunnel12 are therefore not protected by IPsec at all. Even with the destination corrected, show interfaces tunnel 12 still reports line protocol down: without the profile no IPsec SA can be established, so the VTI stays down.

Isolation

R1 isolation

R1#show run interface tunnel 12
Building configuration...

Current configuration : 191 bytes
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
end

R1#show interfaces tunnel 12
Tunnel12 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 2.2.2.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
-- omitted --

Fix

R1 fix

interface Tunnel12
 tunnel protection ipsec profile IPSEC

Note that crypto isakmp policy 1 on both routers only sets pre-shared authentication and leaves encryption, hash and Diffie-Hellman group at the IOS defaults, with the trivial key cisco. That is acceptable for this lab but should not be carried into production.

3. R1 passive-interface

Tunnel12 is configured as a passive interface under EIGRP. A passive interface sends no EIGRP hellos, so no neighbor can form over Tunnel12 and the two sites never exchange routes. show ip eigrp interfaces lists only Fa0/0.14, and the only neighbor is R4 (10.1.14.4).

Isolation

R1 isolation

R1#show running-config | section router eigrp
router eigrp 1
 redistribute static
 passive-interface Tunnel12
 network 10.0.0.0
 no auto-summary
R1#show ip eigrp interfaces
IP-EIGRP interfaces for process 1
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0.14           1        0/0       810       0/1         3996           0
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.14.4               Fa0/0.14          13 00:05:23  810  4860  0  3

Fix

R1 fix

router eigrp 1
 no passive-interface tu12

4. R2 IP address

R2's Tunnel12 address is wrong. 10.0.0.6/30 lies in 10.0.0.4/30, while R1's 10.0.0.1/30 lies in 10.0.0.0/30. EIGRP neighbors must share a subnet on the connecting interface, so although Tunnel12 is now up/up, R2 still has only R5 (10.2.25.5) as a neighbor.

Isolation

R2 isolation

R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.1          2.2.2.2         YES NVRAM  up                    up
FastEthernet0/0.25         10.2.25.2       YES NVRAM  up                    up
FastEthernet1/0            unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Tunnel12                   10.0.0.6        YES NVRAM  up                    up
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.2.25.5               Fa0/0.25          12 00:03:52  796  4776  0  3

Fix

R2 fix

interface Tunnel12
 ip address 10.0.0.2 255.255.255.252

5. R2 NAT

R2's Fa0/0.1 is configured as the NAT inside interface, but it is the Internet-facing (outside) interface. Traffic from branch 1 to the Internet is therefore sent untranslated with a 10.2.0.0/16 source address and never gets a reply. Note also that the initial R2 configuration never applies the INBOUND access list on Fa0/0.1, unlike R1; the corrected configuration below applies it so that only ISAKMP and ESP from the peer 1.1.1.1, plus return traffic for sessions opened from inside (evaluate ref-acl), are accepted from the Internet.

Isolation

R2 isolation

R2#show run interface FastEthernet 0/0.1
Building configuration...

Current configuration : 160 bytes
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group OUTBOUND out
 ip nat inside
 ip virtual-reassembly
end

Fix

R2 fix

interface FastEthernet0/0.1
 ip nat outside
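
The five findings above are all static, structural properties of the two configurations, so they can be checked offline before a change window. The following Python script is an added example (not part of the original exercise) that encodes them as checks over a pair of IOS configs: each peer's tunnel destination must equal the other's tunnel source, the two tunnel addresses must share a subnet, a tunnel in tunnel mode ipsec ipv4 must carry tunnel protection, no VTI may be passive under EIGRP, and the interface facing the default gateway must be ip nat outside. The embedded configs are constructed excerpts of the R1/R2 initial configurations above; the function names and finding messages are the example's own, not IOS output.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpts of the R1/R2 initial configs (only lines the checks use).
R1_INITIAL = """\
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
interface FastEthernet0/0.1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
router eigrp 1
 passive-interface tu12
ip route 0.0.0.0 0.0.0.0 1.1.1.10
"""
R2_INITIAL = """\
interface Tunnel12
 ip address 10.0.0.6 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC
 tunnel mode ipsec ipv4
interface FastEthernet0/0.1
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 2.2.2.10
"""

def sections(cfg):
    """Split an IOS config into {top-level line: [indented child lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif cur is not None:
            out[cur].append(line.strip())
    return out

def canon_ifname(name):
    """Expand IOS abbreviations: tu12 -> Tunnel12, Fa0/0.1 -> FastEthernet0/0.1."""
    pfx, rest = re.match(r"([A-Za-z]+)(.*)", name).groups()
    return next((f + rest for f in ("Tunnel", "FastEthernet", "Loopback")
                 if f.lower().startswith(pfx.lower())), name)

def attr(lines, key):  # value of the first child line "key <value>", or None
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def intf_ip(lines):
    v = attr(lines, "ip address")  # "addr mask" -> IPv4Interface
    return ip_interface(v.replace(" ", "/")) if v else None

def check_pair(na, ca, nb, cb, tun="Tunnel12"):
    """Cross-peer checks: source/destination symmetry and a shared tunnel subnet."""
    a, b, out = sections(ca)[f"interface {tun}"], sections(cb)[f"interface {tun}"], []
    for x, lx, y, ly in ((na, a, nb, b), (nb, b, na, a)):
        dst, src = attr(lx, "tunnel destination"), attr(ly, "tunnel source")
        if dst != src:
            out.append(f"{x} {tun}: tunnel destination {dst} != {y} tunnel source {src}")
    ia, ib = intf_ip(a), intf_ip(b)
    if ia.network != ib.network:
        out.append(f"{tun}: {na} {ia} and {nb} {ib} are in different subnets (no EIGRP adjacency)")
    return out

def check_router(name, cfg):
    """Per-router checks: unprotected VTI, passive VTI, NAT role of the WAN interface."""
    sec, out = sections(cfg), []
    tunnels = [h.split()[1] for h in sec if h.startswith("interface Tunnel")]
    for tun in tunnels:
        l = sec[f"interface {tun}"]
        if attr(l, "tunnel mode") == "ipsec ipv4" and not attr(l, "tunnel protection"):
            out.append(f"{name} {tun}: tunnel mode ipsec ipv4 without tunnel protection "
                       "(no IPsec SA, line protocol stays down)")
    for hdr, lines in sec.items():
        if hdr.startswith("router eigrp"):
            for p in (canon_ifname(l.split()[1]) for l in lines if l.startswith("passive-interface ")):
                if p in tunnels:
                    out.append(f"{name} {p}: passive-interface suppresses EIGRP hellos over the VTI")
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", hdr)
        if m:  # the interface facing the default gateway must be 'ip nat outside'
            nh = ip_address(m.group(1))
            for ih, il in sec.items():
                ip = intf_ip(il) if ih.startswith("interface ") else None
                if ip and nh in ip.network and "ip nat outside" not in il:
                    out.append(f"{name} {ih.split()[1]}: faces default gateway {nh} "
                               f"but is 'ip nat {attr(il, 'ip nat')}', not 'ip nat outside'")
    return out

def audit(configs, tun="Tunnel12"):  # configs = {router: text} for the two VTI peers
    (na, ca), (nb, cb) = configs.items()
    return check_pair(na, ca, nb, cb, tun) + check_router(na, ca) + check_router(nb, cb)

def fixed_configs():
    """The five corrections from the walkthrough applied to the initial excerpts."""
    r1 = (R1_INITIAL.replace("destination 10.2.25.2", "destination 2.2.2.2")
          .replace(" tunnel mode ipsec ipv4\n", " tunnel mode ipsec ipv4\n tunnel protection ipsec profile IPSEC\n")
          .replace(" passive-interface tu12\n", ""))
    r2 = (R2_INITIAL.replace("10.0.0.6 255.255.255.252", "10.0.0.2 255.255.255.252")
          .replace(" ip nat inside\n", " ip nat outside\n"))
    return {"R1": r1, "R2": r2}
```

audit({"R1": R1_INITIAL, "R2": R2_INITIAL}) returns the same five findings the walkthrough isolates by hand, and audit(fixed_configs()) returns an empty list. The script checks structure only; it cannot tell whether ISAKMP actually completes, so it complements rather than replaces show crypto isakmp sa and show crypto ipsec sa on the live routers.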

Corrected Configuration Files

R1 Corrected Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 2.2.2.2
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
!
ip access-list extended INBOUND
 evaluate ref-acl 
 permit esp host 2.2.2.2 host 1.1.1.1
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.1.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R2 Corrected Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
interface Tunnel12
 ip address 10.0.0.2 255.255.255.252
 ip summary-address eigrp 1 10.2.0.0 255.255.0.0 5
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
!
ip access-list extended INBOUND
 evaluate ref-acl 
 permit esp host 1.1.1.1 host 2.2.2.2
 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.2.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R4 Corrected Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.2.4 255.255.255.0 secondary
 ip address 10.1.3.4 255.255.255.0 secondary
 ip address 10.1.0.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.4 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

R5 Corrected Configuration

!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 10.2.1.5 255.255.255.0 secondary
 ip address 10.2.2.5 255.255.255.0 secondary
 ip address 10.2.3.5 255.255.255.0 secondary
 ip address 10.2.0.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.5 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end

ISP Corrected Configuration

!
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
interface Loopback0
 ip address 100.1.1.10 255.255.255.0 secondary
 ip address 100.1.2.10 255.255.255.0 secondary
 ip address 100.1.3.10 255.255.255.0 secondary
 ip address 100.1.0.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.10 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 2.2.2.10 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 3.3.3.10 255.255.255.0
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
!
end
