Overview
This exercise sets up a route-based site-to-site IPsec VPN using an IPsec VTI (Virtual Tunnel Interface). The configuration contains mistakes, however, and the sites cannot communicate. We isolate each mistake and correct it.
Network Topology
Configuration Requirements
- The VPN gateways that perform IPsec-encrypted communication are R1 and R2. R4 and R5 are the internal routers at each site. EIGRP is used for routing inside the internal networks.
- Configure an IPsec VPN between the headquarters and branch 1 so that the two sites can communicate.
- The IPsec VPN uses a VTI. R1 and R2 are connected by a point-to-point tunnel interface, and packets forwarded over the tunnel interface are encrypted.
- Allow hosts at each site to reach the Internet.
Initial Configuration
The following configuration has been applied according to the requirements. It contains mistakes, so communication does not work as intended. Correct the mistakes. Only R1 and R2 contain mistakes; the other routers are configured correctly.
R1 Initial Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 2.2.2.2
!
crypto isakmp peer address 2.2.2.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set IPSEC
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 passive-interface tu12
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
ip access-list extended INBOUND
 evaluate ref-acl
 permit esp host 2.2.2.2 host 1.1.1.1
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.1.0.0 0.0.255.255
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R2 Initial Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set IPSEC
!
interface Tunnel12
 ip address 10.0.0.6 255.255.255.252
 ip summary-address eigrp 1 10.2.0.0 255.255.0.0 5
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group OUTBOUND out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
ip access-list extended INBOUND
 evaluate ref-acl
 permit esp host 1.1.1.1 host 2.2.2.2
 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.2.0.0 0.0.255.255
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R4 Initial Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.2.4 255.255.255.0 secondary
 ip address 10.1.3.4 255.255.255.0 secondary
 ip address 10.1.0.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.4 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R5 Initial Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 10.2.1.5 255.255.255.0 secondary
 ip address 10.2.2.5 255.255.255.0 secondary
 ip address 10.2.3.5 255.255.255.0 secondary
 ip address 10.2.0.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.5 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
ISP Initial Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 100.1.1.10 255.255.255.0 secondary
 ip address 100.1.2.10 255.255.255.0 secondary
 ip address 100.1.3.10 255.255.255.0 secondary
 ip address 100.1.0.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.10 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 2.2.2.10 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 3.3.3.10 255.255.255.0
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
Isolating and Correcting the IPsec VTI Configuration Mistakes
1. R1 tunnel destination
The tunnel destination on the tunnel interface is wrong. As a result, the Tunnel12 interface cannot communicate with its peer R2.
Isolation
R1 isolation
R1#show run interface tunnel 12
Building configuration...

Current configuration : 191 bytes
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
end

R1#show interfaces tunnel 12
Tunnel12 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 10.2.25.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
-- omitted --
Fix
R1 fix
interface Tunnel12
 tunnel destination 2.2.2.2
2. R1 tunnel protection
The IPsec profile has not been applied to Tunnel12 on R1. As a result, IP packets sent over Tunnel12 are not encrypted by IPsec.
Isolation
R1 isolation
R1#show run interface tunnel 12
Building configuration...

Current configuration : 191 bytes
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
end

R1#show interfaces tunnel 12
Tunnel12 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 2.2.2.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
-- omitted --
Fix
R1 fix
interface Tunnel12
 tunnel protection ipsec profile IPSEC
3. R1 passive interface
Tunnel12 has been configured as a passive interface. As a result, no EIGRP neighbor can be established over Tunnel12.
Isolation
R1 isolation
R1#show running-config | section router eigrp
router eigrp 1
 redistribute static
 passive-interface Tunnel12
 network 10.0.0.0
 no auto-summary

R1#show ip eigrp interfaces
IP-EIGRP interfaces for process 1

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0.14           1        0/0       810       0/1          3996           0

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.14.4               Fa0/0.14          13 00:05:23  810  4860  0  3
Fix
R1 fix
router eigrp 1
 no passive-interface tu12
4. R2 IP address
The IP address of Tunnel12 on R2 is wrong. It is no longer in the same network as R1's tunnel address, so the two routers cannot become EIGRP neighbors.
Isolation
R2 isolation
R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.1          2.2.2.2         YES NVRAM  up                    up
FastEthernet0/0.25         10.2.25.2       YES NVRAM  up                    up
FastEthernet1/0            unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Tunnel12                   10.0.0.6        YES NVRAM  up                    up

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.2.25.5               Fa0/0.25          12 00:03:52  796  4776  0  3
Fix
R2 fix
interface Tunnel12
 ip address 10.0.0.2 255.255.255.252
5. R2 NAT
On R2, Fa0/0.1 is configured as the NAT inside interface, but Fa0/0.1 is the outside (Internet-facing) interface. Traffic from site 1 to the Internet is therefore not translated and fails.
Isolation
R2 isolation
R2#show run interface FastEthernet 0/0.1
Building configuration...

Current configuration : 160 bytes
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group OUTBOUND out
 ip nat inside
 ip virtual-reassembly
end
Fix
R2 fix
interface FastEthernet0/0.1
 ip nat outside
Correct Configuration Files
R1 Correct Configuration
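The five mistakes above are all detectable offline from the running configurations, before a lab is even powered on. The script below is an added example (not part of the original exercise and not a Cisco tool): it parses trimmed excerpts of the R1 and R2 initial configurations (constructed from the configs above, with the mistakes left in), and reports each class of mistake the walkthrough covers: tunnel destination not matching the peer's tunnel source, `tunnel mode ipsec ipv4` without `tunnel protection`, the tunnel listed as `passive-interface` under `router eigrp`, tunnel addresses in different subnets, and the interface that holds the default-route next hop marked `ip nat inside`. The function names, the finding codes and the rule that the default-route interface is the NAT outside interface are this example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpts of R1/R2 initial configs (only the blocks the checks need).
R1_INITIAL = """\
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 10.2.25.2
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0.1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0.14
 ip address 10.1.14.1 255.255.255.0
 ip nat inside
!
router eigrp 1
 redistribute static
 passive-interface tu12
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
"""
R2_INITIAL = """\
interface Tunnel12
 ip address 10.0.0.6 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0.1
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.25
 ip address 10.2.25.2 255.255.255.0
 ip nat inside
!
router eigrp 1
 redistribute static
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.10
"""
# The same excerpts with the exercise's five fixes applied (constructed here).
R1_FIXED = (R1_INITIAL.replace("tunnel destination 10.2.25.2", "tunnel destination 2.2.2.2")
            .replace(" tunnel mode ipsec ipv4", " tunnel mode ipsec ipv4\n tunnel protection ipsec profile IPSEC")
            .replace(" passive-interface tu12\n", ""))
R2_FIXED = (R2_INITIAL.replace("ip address 10.0.0.6", "ip address 10.0.0.2")
            .replace("255.255.255.0\n ip nat inside\n!\ninterface FastEthernet0/0.25",
                     "255.255.255.0\n ip nat outside\n!\ninterface FastEthernet0/0.25"))

def parse_blocks(text):
    """Group an IOS config into {top-level line: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
    return blocks

def _ifaces(blocks):
    return {k.split(None, 1)[1]: v for k, v in blocks.items() if k.startswith("interface ")}

def _ip_iface(cmds):
    for c in cmds:
        m = re.match(r"ip address (\S+) (\S+)$", c)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None

def _arg(cmds, prefix):
    return next((c[len(prefix) + 1:] for c in cmds if c.startswith(prefix + " ")), None)

def _same_iface(abbrev, full):
    """'tu12' names 'Tunnel12': alpha prefix must prefix-match, numbers must be equal."""
    a, f = re.match(r"([A-Za-z-]+)(.*)", abbrev), re.match(r"([A-Za-z-]+)(.*)", full)
    return bool(a and f and f.group(1).lower().startswith(a.group(1).lower()) and a.group(2) == f.group(2))

def check_vti_pair(cfg_a, cfg_b, names=("R1", "R2")):
    """Return (router, code, message) findings for a pair of VTI peer configs."""
    findings, parsed = [], [parse_blocks(cfg_a), parse_blocks(cfg_b)]
    tun = [next((n, c) for n, c in _ifaces(b).items() if n.startswith("Tunnel")) for b in parsed]
    for i in range(2):
        me, peer, blocks, (tname, tcmds), (_, pcmds) = names[i], names[1 - i], parsed[i], tun[i], tun[1 - i]
        dst, psrc = _arg(tcmds, "tunnel destination"), _arg(pcmds, "tunnel source")
        if dst != psrc:  # 1. destination must be the peer's tunnel source
            findings.append((me, "TUNNEL_DEST", f"{tname} destination {dst} != {peer} source {psrc}"))
        if _arg(tcmds, "tunnel mode") == "ipsec ipv4" and not _arg(tcmds, "tunnel protection ipsec profile"):
            findings.append((me, "NO_PROTECTION", f"{tname} has no tunnel protection ipsec profile"))  # 2.
        for k, cmds in blocks.items():  # 3. a passive tunnel never forms an EIGRP adjacency
            if k.startswith("router eigrp"):
                for c in cmds:
                    if c.startswith("passive-interface ") and _same_iface(c.split()[1], tname):
                        findings.append((me, "PASSIVE_TUNNEL", f"{tname} is passive under {k}"))
        nh = next((k.split()[4] for k in blocks if k.startswith("ip route 0.0.0.0 0.0.0.0 ")), None)
        for iname, cmds in _ifaces(blocks).items():  # 5. default-route interface must be NAT outside
            addr = _ip_iface(cmds)
            if nh and addr and ipaddress.ip_address(nh) in addr.network and "ip nat inside" in cmds:
                findings.append((me, "NAT_INSIDE_ON_OUTSIDE", f"{iname} faces {nh} but is ip nat inside"))
    a, b = _ip_iface(tun[0][1]), _ip_iface(tun[1][1])
    if a.network != b.network:  # 4. both tunnel ends must share one subnet (reported once)
        findings.append(("pair", "TUNNEL_SUBNET", f"{a} and {b} are in different networks"))
    return findings

if __name__ == "__main__":
    for f in check_vti_pair(R1_INITIAL, R2_INITIAL):
        print(*f)
```

Run against the initial excerpts it reports exactly the five mistakes the walkthrough fixes; run against the fixed excerpts it reports nothing. Interface abbreviations such as `tu12` are matched by alphabetic prefix plus exact number so the `passive-interface tu12` line is caught even though the interface is named `Tunnel12`.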
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 2.2.2.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC
 set transform-set IPSEC
!
interface Tunnel12
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0 5
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
ip access-list extended INBOUND
 evaluate ref-acl
 permit esp host 2.2.2.2 host 1.1.1.1
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.1.0.0 0.0.255.255
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R2 Correct Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC
 set transform-set IPSEC
!
interface Tunnel12
 ip address 10.0.0.2 255.255.255.252
 ip summary-address eigrp 1 10.2.0.0 255.255.0.0 5
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
ip nat inside source list 1 interface FastEthernet0/0.1 overload
!
ip access-list extended INBOUND
 evaluate ref-acl
 permit esp host 1.1.1.1 host 2.2.2.2
 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
ip access-list extended OUTBOUND
 permit ip any any reflect ref-acl
access-list 1 permit 10.2.0.0 0.0.255.255
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R4 Correct Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.2.4 255.255.255.0 secondary
 ip address 10.1.3.4 255.255.255.0 secondary
 ip address 10.1.0.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.14.4 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
R5 Correct Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 10.2.1.5 255.255.255.0 secondary
 ip address 10.2.2.5 255.255.255.0 secondary
 ip address 10.2.3.5 255.255.255.0 secondary
 ip address 10.2.0.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.2.25.5 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end
ISP Correct Configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback0
 ip address 100.1.1.10 255.255.255.0 secondary
 ip address 100.1.2.10 255.255.255.0 secondary
 ip address 100.1.3.10 255.255.255.0 secondary
 ip address 100.1.0.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.10 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 2.2.2.10 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 3.3.3.10 255.255.255.0
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
 login
!
end