
April 18, 2002 - Writer-translated version
Configuring the Cisco VPN 3000 Concentrator to a Cisco Router

Overview

This sample configuration shows how to connect a private network behind a router running Cisco IOS® Software to a private network behind a Cisco VPN 3000 Concentrator. The devices on the two networks know each other by their private addresses.

Hardware and Software Versions

This configuration was developed and tested using these software and hardware versions:

  • Cisco 7100 router running Cisco IOS Software Release c7100-jk9s-mz.122-8.T.bin
  • Cisco VPN 3000 Concentrator 3.5.2

Network Diagram

network diagram

Configurations

Router Configuration
dude#wr t
Building configuration...
Current configuration : 2619 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dude
!
boot system flash:c7100-jk9s-mz.122-8.T.bin
!
ip subnet-zero
!
ip cef
!
!--- IKE policy
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.2
!
!--- IPSec policy
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set to_vpn
 !--- Traffic to be encrypted
 match address 101
!
interface FastEthernet0/0
 ip address 203.20.20.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map to_vpn
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 fair-queue
 framing g751
 dsu bandwidth 34010
 serial restart_delay 0
!
ip nat pool mypool 203.20.20.3 203.20.20.3 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.20.20.1
ip route 172.16.20.0 255.255.255.0 172.16.1.2
ip route 172.16.30.0 255.255.255.0 172.16.1.2
no ip http server
ip pim bidir-enable
!
!--- Traffic to be encrypted
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 172.16.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.16.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 172.16.30.0 0.0.0.255 192.168.50.0 0.0.0.255
!--- Traffic to be excluded from the NAT process
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 deny ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.20.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 172.16.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 deny ip 172.16.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 172.16.30.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
!
call rsvp-sync
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 login
!
end
dude#
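As an added example (not part of the Cisco document), a small Python checker for the relationship the two access lists in the router configuration must keep: every flow that crypto ACL 101 selects for encryption must hit a deny in NAT ACL 110 (or no entry at all) before the trailing permit, otherwise the packet is translated and never matches the crypto map. It also lists the destination networks that the concentrator's remote network list has to mirror. SAMPLE_CONFIG is a constructed excerpt in which one exemption is deliberately missing.

```python
import re
from ipaddress import IPv4Network
# Constructed sample in the style of the router configuration above: crypto ACL 101
# and NAT-exemption ACL 110 where the deny for 172.16.1.0 -> 192.168.40.0 is missing.
SAMPLE_CONFIG = """
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
"""
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")

def _nets(tokens):
    """Convert 'addr wildcard' / 'any' token groups into IPv4Network objects."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            nets.append(IPv4Network("0.0.0.0/0")); i += 1
        else:  # an IOS wildcard mask is what ipaddress calls a hostmask
            nets.append(IPv4Network(f"{tokens[i]}/{tokens[i + 1]}")); i += 2
    return nets

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, dst = _nets(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def missing_nat_exemptions(acls, crypto_acl="101", nat_acl="110"):
    """Crypto-ACL flows that the NAT ACL still permits (first match wins).
    Such packets are translated before the crypto map sees them, never match
    ACL 101, and leave in the clear. No match at all is an implicit deny (OK)."""
    problems = []
    for _, src, dst in acls.get(crypto_acl, []):
        for action, nsrc, ndst in acls.get(nat_acl, []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    problems.append(f"{src} -> {dst}")
                break
    return problems

def remote_networks(acls, crypto_acl="101"):
    """Destinations the concentrator's remote network list must mirror."""
    return sorted({dst for _, _, dst in acls.get(crypto_acl, [])})
```

Because the router evaluates ACL 110 top down, a deny added after the `permit ... any` line does not repair the problem; the checker reports it either way.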

VPN Concentrator Configuration

So that the remaining configuration can be done through the graphical user interface (GUI), the VPN Concentrator is first accessed through the console port and a minimal configuration is added.

To make sure that the concentrator holds no existing configuration, do the following.

Select [Administration] > [System Reboot] > [Schedule reboot] > [Reboot with Factory/Default Configuration].

After the reboot, the VPN Concentrator enters Quick Configuration, where these items are configured:

  • Time/Date

  • Interfaces/Masks: select [Configuration] > [Interfaces] (public=200.1.1.2/24, private=192.168.10.1/24)

  • Default gateway: select [Configuration] > [System] > [IP routing] > [Default_Gateway] (200.1.1.1)

At this point, the VPN Concentrator can be accessed through HTML from the inside network.

Note: If the concentrator is managed from outside, you also have to make these selections.

  • Select [Configuration] > [Interfaces] > [2-public] > [Select IP Filter] > [1 Private] (default).

  • To add the IP address of the external manager, select [Administration] > [Access Rights] > [Access Control List] > [Add Manager Workstation].

This is not necessary unless the VPN Concentrator is managed from outside.

  1. After bringing up the GUI, select [Configuration] > [Interfaces] and recheck the interfaces.

    screen capture - VPN 3000 Concentrator Series Manager

  2. Select [Configuration] > [System] > [IP Routing] > [Default Gateways] and configure the [Default (Internet) Gateway] and the [Tunnel Default (inside) Gateway] that IPSec uses to reach the other subnets in the private network.

    screen capture - VPN 3000 Concentrator Series Manager

  3. Select [Configuration] > [Policy Management] > [Network Lists] and create the network lists that define the traffic to be encrypted.

    Local network

    screen capture - VPN 3000 Concentrator Series Manager

    Remote network

    screen capture - VPN 3000 Concentrator Series Manager

  4. When you are done, these are the two network lists.

    screen capture - VPN 3000 Concentrator Series Manager

  5. Select [Configuration] > [System] > [Tunneling Protocols] > [IPSec LAN-to-LAN] and define the LAN-to-LAN tunnel.

    screen capture - VPN 3000 Concentrator Series Manager

    screen capture - VPN 3000 Concentrator Series Manager

  6. Click [Apply]. This window appears, together with the other configuration that was created automatically as a result of the LAN-to-LAN tunnel configuration.

    screen capture - VPN 3000 Concentrator Series Manager

    The LAN-to-LAN IPSec parameters created earlier can be viewed or modified by selecting [Configuration] > [System] > [Tunneling Protocols] > [IPSec LAN-to-LAN].

    screen capture - VPN 3000 Concentrator Series Manager

  7. Select [Configuration] > [System] > [Tunneling Protocols] > [IPSec] > [IKE Proposals] and confirm the active IKE proposal.

    screen capture - VPN 3000 Concentrator Series Manager

  8. Select [Configuration] > [Policy Management] > [Traffic Management] > [Security Associations] to display the list of SAs.

    screen capture - VPN 3000 Concentrator Series Manager

  9. To verify an SA, click its [Security Association Name] and then click [Modify].

    screen capture - VPN 3000 Concentrator Series Manager

debug and show Commands

Router Debugs

Before issuing debug commands, refer to Important Information on Debug Commands.

  • debug crypto engine: Displays the traffic that is encrypted.

  • debug crypto ipsec: Displays the IPSec negotiations of phase 2.

  • debug crypto isakmp: Displays the ISAKMP negotiations of phase 1.

  • show crypto ipsec sa: Displays the settings used by the current SAs.

  • show crypto isakmp sa: Displays all current IKE SAs at a peer.

  • show crypto engine connection active: Displays the current active encrypted session connections for all crypto engines.

You can use the IOS Command Lookup Tool to find more information on particular commands. You must be logged in as a registered user to use this tool.

VPN Concentrator Debugs

To turn on logging, select [Configuration] > [System] > [Events] > [Classes] > [Modify]. These options are available:

  • IKE
  • IKEDBG
  • IKEDECODE
  • IPSEC
  • IPSECDBG
  • IPSECDECODE

Severity to Log = 1 to 13

Severity to Console = 1 to 3

Select [Monitoring] > [Event Log] to retrieve the event log.




Updated: Apr 18, 2002
Document ID: 14102