IT備忘録 (IT Notes)

Cisco
GRE over IPsec configuration

IPsec does not support multicast. To carry multicast traffic between site 1 and site 2, the original packets are first encapsulated in GRE and the GRE packets are then carried as IPsec ESP packets. This page records the GRE over IPsec configuration.




Network diagram (figure)


About the configuration

  • Confirm that site 1 and site 2 exchange routes dynamically with OSPF; since OSPF hellos are sent to a multicast address, a formed adjacency over the tunnel shows that multicast traffic is passing.




RT-1 configuration

RT-2 configuration

Note: yellow text marks the changes from the PPPoE+NAT+ACL configuration.


RT-1#show run

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$UZ.d$263eCd7jDVJHAqwgfcFNL0
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$ztjJ$yET4V3rcbtkvdA9yjTJin.
!
!
!
ip ssh version 2
! 
!
crypto isakmp policy 110
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key PS-key address 22.22.22.22
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set TS-name esp-aes esp-sha256-hmac
 mode transport
!
!
!
crypto map MAP-name 160 ipsec-isakmp
 set peer 22.22.22.22
 set security-association lifetime seconds 1200
 set transform-set TS-name
 set pfs group14
 match address GRE
!
!
!
interface Tunnel0
 ip address 10.3.1.11 255.255.255.0
 ip tcp adjust-mss 1350
 ip ospf 1 area 0
 tunnel source Dialer1
 tunnel destination 22.22.22.22
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
 crypto map MAP-name
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard Internet-PAT
 permit 10.1.1.0 0.0.0.255
ip access-list standard SSH-ACL
 permit 10.1.1.0 0.0.0.255
!
!
ip access-list extended GRE
 permit gre host 11.11.11.11 host 22.22.22.22
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 11.11.11.11 eq ntp
 permit icmp any host 11.11.11.11
 permit udp host 22.22.22.22 eq isakmp host 11.11.11.11 eq isakmp
 permit esp host 22.22.22.22 host 11.11.11.11
!
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end

RT-2#show run

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$RBil$/zAAQLKQrekcrMgQIHCwW1
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$m9Qc$PRKkep3gWJR3N4D9OOnBO.
!
!
!
ip ssh version 2
! 
!
crypto isakmp policy 110
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key PS-key address 11.11.11.11
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set TS-name esp-aes esp-sha256-hmac
 mode transport
!
!
!
crypto map MAP-name 160 ipsec-isakmp
 set peer 11.11.11.11
 set security-association lifetime seconds 1200
 set transform-set TS-name
 set pfs group14
 match address GRE
!
!
!
interface Tunnel0
 ip address 10.3.1.22 255.255.255.0
 ip tcp adjust-mss 1350
 ip ospf 1 area 0
 tunnel source Dialer1
 tunnel destination 11.11.11.11
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.2.1.22 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
 crypto map MAP-name
!
router ospf 1
 network 10.2.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
ip nat inside source static tcp 10.2.1.2 80 22.22.22.22 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard Internet-PAT
 permit 10.2.1.0 0.0.0.255
ip access-list standard SSH-ACL
 permit 10.2.1.0 0.0.0.255
 permit 10.1.1.0 0.0.0.255
!
ip access-list extended GRE
 permit gre host 22.22.22.22 host 11.11.11.11
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 22.22.22.22 eq ntp
 permit icmp any host 22.22.22.22
 permit tcp any host 22.22.22.22 eq www
 permit udp host 11.11.11.11 eq isakmp host 22.22.22.22 eq isakmp
 permit esp host 11.11.11.11 host 22.22.22.22
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end
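As an added example that is not part of the original page, the following Python script reads the peer-related lines of both routers' configurations and checks that they agree: the peer address is the same in set peer, the ISAKMP key, the tunnel destination and the crypto ACL; the two crypto ACLs mirror each other; and the inbound Internet-ACL admits ISAKMP and ESP only from the peer. The config excerpts are constructed from the RT-1 and RT-2 configurations above, and Internet-ACL is assumed to be the ACL applied inbound on Dialer1, as on this page.

```python
import re

# Constructed excerpts of the RT-1 and RT-2 configs shown on this page, trimmed to the lines the check reads.
RT1 = """hostname RT-1
crypto isakmp key PS-key address 22.22.22.22
crypto map MAP-name 160 ipsec-isakmp
 set peer 22.22.22.22
 match address GRE
interface Tunnel0
 tunnel destination 22.22.22.22
ip access-list extended GRE
 permit gre host 11.11.11.11 host 22.22.22.22
ip access-list extended Internet-ACL
 permit udp host 22.22.22.22 eq isakmp host 11.11.11.11 eq isakmp
 permit esp host 22.22.22.22 host 11.11.11.11"""
RT2 = """hostname RT-2
crypto isakmp key PS-key address 11.11.11.11
crypto map MAP-name 160 ipsec-isakmp
 set peer 11.11.11.11
 match address GRE
interface Tunnel0
 tunnel destination 11.11.11.11
ip access-list extended GRE
 permit gre host 22.22.22.22 host 11.11.11.11
ip access-list extended Internet-ACL
 permit udp host 11.11.11.11 eq isakmp host 22.22.22.22 eq isakmp
 permit esp host 11.11.11.11 host 22.22.22.22"""

def parse(cfg):
    # Pull the peer-related fields out of one router's running config text
    g = lambda pat: re.search(pat, cfg, re.M)
    d = {"host": g(r"^hostname (\S+)").group(1), "key": g(r"^crypto isakmp key \S+ address (\S+)").group(1),
         "peer": g(r"^ set peer (\S+)").group(1), "tun": g(r"^ tunnel destination (\S+)").group(1)}
    acl = g(r"^ match address (\S+)").group(1)  # ACL the crypto map matches on (GRE on this page)
    d["src"], d["dst"] = g(r"^ip access-list extended %s\n permit gre host (\S+) host (\S+)" % re.escape(acl)).groups()
    # Internet-ACL is assumed to be the ACL applied inbound on Dialer1, as in this page's config
    d["wan_in"] = [l.strip() for l in g(r"^ip access-list extended Internet-ACL\n((?: .*\n?)+)").group(1).splitlines()]
    return d

def check_pair(a, b):
    # Return findings for a site pair; an empty list means the two configs agree
    out = []
    for x, y in ((a, b), (b, a)):
        if not x["peer"] == x["key"] == x["tun"] == x["dst"]:  # one peer address everywhere
            out.append(f"{x['host']}: set peer, isakmp key address, tunnel destination and crypto ACL differ")
        if (x["src"], x["dst"]) != (y["dst"], y["src"]):  # crypto ACLs must mirror each other
            out.append(f"{x['host']}: crypto ACL is not the mirror of {y['host']}'s")
        for need in (f"permit udp host {x['peer']} eq isakmp host {x['src']} eq isakmp",  # IKE (UDP 500)
                     f"permit esp host {x['peer']} host {x['src']}"):  # ESP, only from the peer
            if need not in x["wan_in"]:
                out.append(f"{x['host']}: inbound WAN ACL lacks '{need}'")
    return out
```

Running check_pair(parse(RT1), parse(RT2)) on the page's pair returns no findings; a typo in one address or a looser "permit esp any" line is reported with the router name and the missing line.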



Checking the IPsec state

RT-2#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3  IPsec   AES+SHA256                0       36       36 22.22.22.22
    4  IPsec   AES+SHA256               52        0        0 22.22.22.22
 2001  IKE     SHA256+AES                0        0        0 22.22.22.22

RT-2#
RT-2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
22.22.22.22     11.11.11.11     QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

RT-2#
RT-2#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: MAP-name, local addr 22.22.22.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/47/0)
   current_peer 11.11.11.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
    #pkts decaps: 382, #pkts decrypt: 382, #pkts verify: 382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 22.22.22.22, remote crypto endpt.: 11.11.11.11
     plaintext mtu 1442, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x38A478E(59393934)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0xBF68324D(3211276877)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000000, crypto map: MAP-name
        sa timing: remaining key lifetime (k/sec): (4266414/1126)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x38A478E(59393934)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000000, crypto map: MAP-name
        sa timing: remaining key lifetime (k/sec): (4266405/1126)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
RT-2#



Checking OSPF operation

RT-2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      2.0.0.0/32 is subnetted, 1 subnets
C        2.2.2.2 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.1.1.0/24 [110/1001] via 10.3.1.11, 00:18:16, Tunnel0
C        10.2.1.0/24 is directly connected, Vlan1
L        10.2.1.22/32 is directly connected, Vlan1
C        10.3.1.0/24 is directly connected, Tunnel0
L        10.3.1.22/32 is directly connected, Tunnel0
      22.0.0.0/32 is subnetted, 1 subnets
C        22.22.22.22 is directly connected, Dialer1
RT-2#



MSS

The MSS is set to a value with some margin.

For reference, the maximum MSS in this environment is as follows.


GRE over IPsec packet format diagram (figure)

The headers are described in the MTU/MSS check frame format diagram.