Cisco
IPsec (aggressive mode) configuration
In the IPsec+PPPoE+NAT+ACL configuration, RT-1 and RT-2 set up IPsec in main mode. Here the same setup is rewritten for aggressive mode, assuming that RT-1's global IP address (11.11.11.11) is dynamic and RT-2's (22.22.22.22) is static.
Network diagram
About the configuration
In main mode, the ID data used to identify the peer was the global IP address. In aggressive mode, the device with the dynamic IP address (RT-1) is identified by a string rather than by an IP address. Any string will do as long as it matches on both sides; it does not have to be a hostname or an FQDN. This is the "Hoge" setting in the configuration.
Because RT-1's global IP address is assumed to be dynamic, the access list "Internet-ACL" (which restricts access from the Internet) becomes weaker on both RT-1 and RT-2: the entries that used to be restricted to RT-1's global IP address (11.11.11.11) have been changed to any.
* Yellow text marked the changes from the PPPoE+NAT+ACL configuration (the highlighting is not preserved in this text version).

RT-1 configuration (dynamic global IP address)

RT-1#show run
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$UZ.d$263eCd7jDVJHAqwgfcFNL0
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$ztjJ$yET4V3rcbtkvdA9yjTJin.
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 110
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp keepalive 30 periodic
!
crypto isakmp peer address 22.22.22.22
 set aggressive-mode password PS-key
 set aggressive-mode client-endpoint fqdn Hoge
!
crypto ipsec transform-set TS-name esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto map MAP-name 160 ipsec-isakmp
 set peer 22.22.22.22
 set security-association lifetime seconds 1200
 set transform-set TS-name
 set pfs group14
 match address IPsec
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
 crypto map MAP-name
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard SSH-ACL
 permit 10.1.1.0 0.0.0.255
!
!
ip access-list extended IPsec
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp any eq ntp
 permit icmp any any
 permit udp host 22.22.22.22 eq isakmp any eq isakmp
 permit esp host 22.22.22.22 any
!
ip access-list extended Internet-PAT
 deny ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end

RT-2 configuration (static global IP address)

RT-2#show run
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$RBil$/zAAQLKQrekcrMgQIHCwW1
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$hwGG$LTC0VpW218k/mT9dMrcO.0
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 110
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key PS-key hostname Hoge
crypto isakmp keepalive 30 periodic
!
!
!
!
!
crypto ipsec transform-set TS-name esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto dynamic-map DMAP-name 210
 set security-association lifetime seconds 1200
 set transform-set TS-name
 set pfs group14
 match address IPsec
!
!
crypto map MAP-name 160 ipsec-isakmp dynamic DMAP-name
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.2.1.22 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
 crypto map MAP-name
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
ip nat inside source static tcp 10.2.1.2 80 22.22.22.22 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard SSH-ACL
 permit 10.2.1.0 0.0.0.255
 permit 10.1.1.0 0.0.0.255
!
ip access-list extended IPsec
 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 22.22.22.22 eq ntp
 permit icmp any host 22.22.22.22
 permit tcp any host 22.22.22.22 eq www
 permit udp any eq isakmp host 22.22.22.22 eq isakmp
 permit esp any host 22.22.22.22
ip access-list extended Internet-PAT
 deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.1.0 0.0.0.255 any
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end
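As an added example (not part of the original page and not a Cisco tool), the following Python script audits excerpts of the two configurations above for the points the text raises: which side initiates or accepts aggressive mode with a pre-shared key, the Diffie-Hellman group in the ISAKMP policy, and Internet-ACL entries that accept IKE or ESP from any source. The excerpts are constructed from the page's configs and trimmed to the relevant lines; the `MIN_DH_GROUP` threshold of 14, the finding tags and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the RT-1 and RT-2 configurations shown on this page,
# trimmed to the lines the audit inspects (not complete running configs).
RT1_EXCERPT = """\
hostname RT-1
crypto isakmp policy 110
 authentication pre-share
 group 2
!
crypto isakmp peer address 22.22.22.22
 set aggressive-mode password PS-key
 set aggressive-mode client-endpoint fqdn Hoge
!
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp any eq ntp
 permit icmp any any
 permit udp host 22.22.22.22 eq isakmp any eq isakmp
 permit esp host 22.22.22.22 any
"""

RT2_EXCERPT = """\
hostname RT-2
crypto isakmp policy 110
 authentication pre-share
 group 2
crypto isakmp key PS-key hostname Hoge
!
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 22.22.22.22 eq ntp
 permit tcp any host 22.22.22.22 eq www
 permit udp any eq isakmp host 22.22.22.22 eq isakmp
 permit esp any host 22.22.22.22
"""

@dataclass
class Finding:
    kind: str   # short tag for the class of issue (names chosen for this example)
    where: str  # the config line(s) that triggered it

def parse_blocks(config):
    """Split IOS 'show run' text into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def find_aggressive_mode(blocks):
    """Flag both ends of an aggressive-mode pre-shared-key setup."""
    out = []
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp peer ") and any(s.startswith("set aggressive-mode") for s in subs):
            out.append(Finding("aggressive-mode-initiator", cmd))
        elif cmd.startswith("crypto isakmp key ") and " hostname " in cmd:
            # A PSK bound to a hostname identity is what lets the static side
            # accept a peer whose source address is not known in advance.
            out.append(Finding("aggressive-mode-responder", cmd))
    return out

MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 fall below this threshold

def find_weak_dh(blocks):
    """Flag ISAKMP policies whose DH group is below MIN_DH_GROUP."""
    out = []
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp policy"):
            for s in subs:
                m = re.fullmatch(r"group (\d+)", s)
                if m and int(m.group(1)) < MIN_DH_GROUP:
                    out.append(Finding("weak-dh-group", f"{cmd}: {s}"))
    return out

IKE_PORTS = {"isakmp", "500", "non500-isakmp", "4500"}

def find_ike_from_any(blocks):
    """Flag extended-ACL entries that accept IKE (UDP/500, UDP/4500) or ESP from any source."""
    out = []
    for cmd, subs in blocks:
        if not cmd.startswith("ip access-list extended "):
            continue
        acl = cmd.split()[-1]
        for s in subs:
            t = s.split()
            if len(t) < 3 or t[0] != "permit" or t[2] != "any":
                continue  # only 'permit <proto> any ...' entries are of interest
            proto, rest = t[1], set(t[3:])
            if proto == "esp" or (proto == "udp" and rest & IKE_PORTS):
                out.append(Finding("ike-from-any", f"{acl}: {s}"))
    return out

def audit(config):
    """Run every check and return the findings in a fixed order."""
    blocks = parse_blocks(config)
    return find_aggressive_mode(blocks) + find_weak_dh(blocks) + find_ike_from_any(blocks)

if __name__ == "__main__":
    for name, cfg in (("RT-1", RT1_EXCERPT), ("RT-2", RT2_EXCERPT)):
        for f in audit(cfg):
            print(f"{name} [{f.kind}] {f.where}")
```

On RT-2 the script reports the hostname-keyed PSK, the group 2 policy and the two Internet-ACL entries that accept ISAKMP and ESP from any source. On RT-1 it reports the aggressive-mode peer block and the group 2 policy only: the ACL check looks at the source field, and RT-1's entries still restrict the source to 22.22.22.22 (only the destination was widened to any), so the relaxation the text describes on RT-1 is not something this check flags.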