Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes

October 1, 2002 - Translated version

Introduction

This sample configuration shows a hub-and-spoke IPSec design between three routers. It differs from other hub-and-spoke configurations in that communication between the spoke sites is established by way of the hub: there is no direct IPSec tunnel between the two spoke routers. Every packet is sent through the tunnel to the hub router and is then re-encrypted into the IPSec tunnel the hub shares with the other spoke router. This configuration became possible with the resolution of bug CSCdp09904. That fix is integrated in Cisco IOS(R) Software Release 12.2(5), so that version is the minimum requirement for this configuration.

Configure

This section presents the information you need to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the IOS Command Lookup tool. A link to this tool is in the Tool Information section of this document.

Prerequisites or Preparation Steps for the Configuration

Encryption is performed for the following traffic:

  • 172.16.1.0/24 (spoke 1) to 10.1.1.0/24 (hub)

  • 192.168.1.0/24 (spoke 2) to 10.1.1.0/24 (hub)

  • 172.16.1.0/24 (spoke 1) to 192.168.1.0/24 (spoke 2)

Components Used

This configuration was developed and tested using the software and hardware versions below.

  • Cisco IOS Software Release 12.2.5 (C2500-ik8s-l.122-5.bin)
  • Cisco 2500 router

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, make sure that you understand the potential impact of any command before you use it.

Network Diagram

Configurations

The show configuration command displays the running configuration of the router.

Hub Router
2503#show run
Building configuration...

Current configuration : 1466 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2503
!
enable secret 5 $1$eJhI$vNCHlzfl12/tliFBcAkoG0
enable password ww
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.2
crypto isakmp key cisco123 address 200.1.1.3
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set myset
 match address 110
crypto map mymap 20 ipsec-isakmp
 set peer 200.1.1.3
 set transform-set myset
 match address 120
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 200.1.1.1 255.255.255.0
 crypto map mymap
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip http server
ip pim bidir-enable
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
tftp-server flash:c2500-ik8s-l.122-5.bin
!
line con 0
line aux 0
line vty 0 4
 password ww
 login
!
end

2503#

 
Spoke 1 Router
2509a#show run
Building configuration...

Current configuration : 1203 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0
enable password ww
!
ip subnet-zero
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
 ip address 200.1.1.2 255.255.255.0
 crypto map mymap
!
interface Serial0
 no ip address
 shutdown
 fair-queue
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
no ip http server
ip pim bidir-enable
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line 1 8
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password ww
 login
!
end

2509a#

 
Spoke 2 Router
VPN2509#show run
Building configuration...

Current configuration : 1117 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname VPN2509
!
no logging rate-limit
!
ip subnet-zero
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 match address 120
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
 ip address 200.1.1.3 255.255.255.0
 crypto map mymap
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 172.16.0.0 255.255.0.0 Ethernet0
no ip http server
ip pim bidir-enable
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line 1 8
line aux 0
line vty 0 4
 login
 transport input telnet
!
end

VPN2509#
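The property that makes this design work is visible in the three configurations above: the crypto ACL on each end of a tunnel must be the exact mirror of its peer's, and the hub's ACL toward each spoke must also name the other spoke's LAN as a source, so the hub can re-encrypt spoke-to-spoke traffic onto the second tunnel. The following Python script, added here as an example and not part of the Cisco document, parses the access-list lines copied from the configurations above and reports any entry that breaks either rule. It assumes contiguous wildcard masks and the ACL-to-spoke mapping used on this page (ACL 110 toward spoke 1, ACL 120 toward spoke 2).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the crypto ACL lines copied from the three configurations on this page.
HUB_ACLS = """\
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPOKE1_ACLS = """\
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPOKE2_ACLS = """\
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (assumption: contiguous wildcard masks)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_crypto_acls(text):
    """Map ACL number -> list of (source_net, destination_net) proxy identities."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            num, src, swc, dst, dwc = m.groups()
            acls[num].append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return dict(acls)

def check_mirror(local_aces, peer_aces):
    """Phase 2 completes only if each side's proxy identities mirror the other's exactly.
    Returns one finding per unmirrored entry; an empty list means the two crypto ACLs match."""
    findings, local_set, peer_set = [], set(local_aces), set(peer_aces)
    for src, dst in local_aces:
        if (dst, src) not in peer_set:
            findings.append(f"local {src} -> {dst} has no mirror on the peer")
    for src, dst in peer_aces:
        if (dst, src) not in local_set:
            findings.append(f"peer {src} -> {dst} has no mirror locally")
    return findings

def check_transit(hub_acls, acl_toward, lans):
    """Spoke-to-spoke traffic rides two tunnels, so the hub's crypto ACL toward each spoke
    must also permit every other spoke's LAN as a source; otherwise the hub cannot re-encrypt it."""
    findings = []
    for spoke, acl in acl_toward.items():
        for other, lan in lans.items():
            if other != spoke and (lan, lans[spoke]) not in hub_acls.get(acl, []):
                findings.append(f"hub ACL {acl} toward {spoke} lacks {lan} -> {lans[spoke]}")
    return findings

def audit(hub_text=HUB_ACLS, spoke1_text=SPOKE1_ACLS, spoke2_text=SPOKE2_ACLS):
    """Run both checks over this page's topology; an empty result means the design is consistent."""
    hub = parse_crypto_acls(hub_text)
    s1, s2 = parse_crypto_acls(spoke1_text), parse_crypto_acls(spoke2_text)
    lans = {"spoke1": ipaddress.IPv4Network("172.16.1.0/24"),
            "spoke2": ipaddress.IPv4Network("192.168.1.0/24")}
    findings = check_mirror(hub.get("110", []), s1.get("110", []))   # hub <-> spoke 1 tunnel
    findings += check_mirror(hub.get("120", []), s2.get("120", []))  # hub <-> spoke 2 tunnel
    return findings + check_transit(hub, {"spoke1": "110", "spoke2": "120"}, lans)
```

Dropping the second line of either spoke's ACL, or the hub's transit line for a spoke, makes audit() return the exact entry that would later show up as a phase 2 proxy-identity mismatch in debug crypto isakmp.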

 

Verify

This section provides information you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter tool, which lets you view an analysis of show command output. A link to this tool is in the Tool Information section of this document. To verify this configuration, issue an extended ping from the loopback interface address of spoke 1 to the loopback interface address of spoke 2.

  • ping - Used to diagnose basic network connectivity.
    2509a#ping
    Protocol [ip]:
    Target IP address: 192.168.1.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 172.16.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter tool, which lets you view an analysis of show command output. A link to this tool is in the Tool Information section of this document.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

  • debug crypto ipsec - Displays the IPSec negotiations of phase 2.

  • debug crypto isakmp - Displays the ISAKMP negotiations of phase 1.

  • debug crypto engine - Displays the traffic that is encrypted.

  • clear crypto isakmp - Clears the security associations related to phase 1.

  • clear crypto sa - Clears the security associations related to phase 2.

  • show crypto ipsec sa - Displays the settings used by the current (IPSec) SAs.

  • show crypto isakmp sa - Displays all current IKE security associations (SAs) at a peer.

  • show crypto engine connection active - Displays the number of packets sent over each IPSec SA.

The following is the output of the debug crypto ipsec and debug crypto isakmp commands run on the hub router.

2d23h: ISAKMP (0:0): received packet from 200.1.1.2 (N) NEW SA
2d23h: ISAKMP: local port 500, remote port 500
2d23h: ISAKMP (0:5): processing SA payload. message ID = 0
2d23h: ISAKMP (0:5): found peer pre-shared key matching 200.1.1.2
2d23h: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 10 policy
2d23h: ISAKMP:      encryption DES-CBC
2d23h: ISAKMP:      hash MD5
2d23h: ISAKMP:      default group 1
2d23h: ISAKMP:      auth pre-share
2d23h: ISAKMP:      life type in seconds
2d23h: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
2d23h: ISAKMP (0:5): atts are acceptable. Next payload is 0
2d23h: ISAKMP (0:5): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
2d23h: ISAKMP (0:5): sending packet to 200.1.1.2 (R) MM_SA_SETUP
2d23h: ISAKMP (0:5): received packet from 200.1.1.2 (R) MM_SA_SETUP
2d23h: ISAKMP (0:5): processing KE payload. message ID = 0
2d23h: ISAKMP (0:5): processing NONCE payload. message ID = 0
2d23h: ISAKMP (0:5): found peer pre-shared key matching 200.1.1.2
2d23h: ISAKMP (0:5): SKEYID state generated
2d23h: ISAKMP (0:5): processing vendor id payload
2d23h: ISAKMP (0:5): speaking to another IOS box!
2d23h: ISAKMP (0:5): sending packet to 200.1.1.2 (R) MM_KEY_EXCH
2d23h: ISAKMP (0:2): purging SA., sa=3852B8, delme=3852B8
2d23h: ISAKMP (0:4): purging SA., sa=5BFC10, delme=5BFC10
2d23h: ISAKMP (0:5): received packet from 200.1.1.2 (R) MM_KEY_EXCH
2d23h: ISAKMP (0:5): processing ID payload. message ID = 0
2d23h: ISAKMP (0:5): processing HASH payload. message ID = 0
2d23h: ISAKMP (0:5): SA has been authenticated with 200.1.1.2
2d23h: ISAKMP (5): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
2d23h: ISAKMP (5): Total payload length: 12
2d23h: ISAKMP (0:5): sending packet to 200.1.1.2 (R) QM_IDLE
2d23h: ISAKMP (0:5): received packet from 200.1.1.2 (R) QM_IDLE
2d23h: ISAKMP (0:5): processing HASH payload. message ID = 1947840508
2d23h: ISAKMP (0:5): processing SA payload. message ID = 1947840508
2d23h: ISAKMP (0:5): Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_DES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      encaps is 1
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      SA life type in kilobytes
2d23h: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP (0:5): atts are acceptable.
2d23h: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
2d23h: ISAKMP (0:5): processing NONCE payload. message ID = 1947840508
2d23h: ISAKMP (0:5): processing ID payload. message ID = 1947840508
2d23h: ISAKMP (0:5): processing ID payload. message ID = 1947840508
2d23h: ISAKMP (0:5): asking for 1 spis from ipsec
2d23h: IPSEC(key_engine): got a queue event...
2d23h: IPSEC(spi_response): getting spi 473652102 for SA
    from 200.1.1.1 to 200.1.1.2 for prot 3
2d23h: ISAKMP: received ke message (2/1)
2d23h: ISAKMP (0:5): sending packet to 200.1.1.2 (R) QM_IDLE
2d23h: ISAKMP (0:5): received packet from 200.1.1.2 (R) QM_IDLE
2d23h: ISAKMP (0:5): Creating IPSec SAs
2d23h:         inbound SA from 200.1.1.2 to 200.1.1.1
    (proxy 172.16.1.0 to 192.168.1.0)
2d23h:         has spi 0x1C3B5B86 and conn_id 2000 and flags 4
2d23h:         lifetime of 3600 seconds
2d23h:         lifetime of 4608000 kilobytes
2d23h:         outbound SA from 200.1.1.1 to 200.1.1.2 (proxy 192.168.1.0 to 172.16.1.0 )
2d23h:         has spi 2033448459 and conn_id 2001 and flags C
2d23h:         lifetime of 3600 seconds
2d23h:         lifetime of 4608000 kilobytes
2d23h: ISAKMP (0:5): deleting node 1947840508 error FALSE reason "quick mode done (await()"
2d23h: IPSEC(key_engine): got a queue event...
2d23h: IPSEC(initialize_sas): ,
    (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x1C3B5B86(473652102), conn_id= 2000, keysize= 0, flags= 0x4
2d23h: IPSEC(initialize_sas): ,
    (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x7933F60B(2033448459), conn_id= 2001, keysize= 0, flags= 0xC
2d23h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.1, sa_prot= 50,
    sa_spi= 0x1C3B5B86(473652102),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
2d23h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.2, sa_prot= 50,
    sa_spi= 0x7933F60B(2033448459),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
2d23h: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.3,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x9BEE9650(2616104528), conn_id= 0, keysize= 0, flags= 0x400C
2d23h: ISAKMP: received ke message (1/1)
2d23h: ISAKMP: local port 500, remote port 500
2d23h: ISAKMP (0:6): beginning Main Mode exchange
2d23h: ISAKMP (0:6): sending packet to 200.1.1.3 (I) MM_NO_STATE
2d23h: ISAKMP (0:6): received packet from 200.1.1.3 (I) MM_NO_STATE
2d23h: ISAKMP (0:6): processing SA payload. message ID = 0
2d23h: ISAKMP (0:6): found peer pre-shared key matching 200.1.1.3
2d23h: ISAKMP (0:6): Checking ISAKMP transform 1 against priority 10 policy
2d23h: ISAKMP:      encryption DES-CBC
2d23h: ISAKMP:      hash MD5
2d23h: ISAKMP:      default group 1
2d23h: ISAKMP:      auth pre-share
2d23h: ISAKMP:      life type in seconds
2d23h: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
2d23h: ISAKMP (0:6): atts are acceptable. Next payload is 0
2d23h: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
2d23h: ISAKMP (0:6): sending packet to 200.1.1.3 (I) MM_SA_SETUP
2d23h: ISAKMP (0:6): received packet from 200.1.1.3 (I) MM_SA_SETUP
2d23h: ISAKMP (0:6): processing KE payload. message ID = 0
2d23h: ISAKMP (0:6): processing NONCE payload. message ID = 0
2d23h: ISAKMP (0:6): found peer pre-shared key matching 200.1.1.3
2d23h: ISAKMP (0:6): SKEYID state generated
2d23h: ISAKMP (0:6): processing vendor id payload
2d23h: ISAKMP (0:6): speaking to another IOS box!
2d23h: ISAKMP (6): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
2d23h: ISAKMP (6): Total payload length: 12
2d23h: ISAKMP (0:6): sending packet to 200.1.1.3 (I) MM_KEY_EXCH
2d23h: ISAKMP (0:6): received packet from 200.1.1.3 (I) MM_KEY_EXCH
2d23h: ISAKMP (0:6): processing ID payload. message ID = 0
2d23h: ISAKMP (0:6): processing HASH payload. message ID = 0
2d23h: ISAKMP (0:6): SA has been authenticated with 200.1.1.3
2d23h: ISAKMP (0:6): beginning Quick Mode exchange, M-ID of 1181196416
2d23h: ISAKMP (0:6): sending packet to 200.1.1.3 (I) QM_IDLE
2d23h: ISAKMP (0:6): received packet from 200.1.1.3 (I) QM_IDLE
2d23h: ISAKMP (0:6): processing HASH payload. message ID = 1181196416
2d23h: ISAKMP (0:6): processing SA payload. message ID = 1181196416
2d23h: ISAKMP (0:6): Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_DES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      encaps is 1
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      SA life type in kilobytes
2d23h: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP (0:6): atts are acceptable.
2d23h: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.3,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
2d23h: ISAKMP (0:6): processing NONCE payload. message ID = 1181196416
2d23h: ISAKMP (0:6): processing ID payload. message ID = 1181196416
2d23h: ISAKMP (0:6): processing ID payload. message ID = 1181196416
2d23h: ISAKMP (0:6): Creating IPSec SAs
2d23h:         inbound SA from 200.1.1.3 to 200.1.1.1
    (proxy 192.168.1.0 to 172.16.1.0)
2d23h:         has spi 0x9BEE9650 and conn_id 2002 and flags 4
2d23h:         lifetime of 3600 seconds
2d23h:         lifetime of 4608000 kilobytes
2d23h:         outbound SA from 200.1.1.1 to 200.1.1.3 (proxy 172.16.1.0 to 192.168.1.0 )
2d23h:         has spi -678458332 and conn_id 2003 and flags C
2d23h:         lifetime of 3600 seconds
2d23h:         lifetime of 4608000 kilobytes
2d23h: ISAKMP (0:6): sending packet to 200.1.1.3 (I) QM_IDLE
2d23h: ISAKMP (0:6): deleting node 1181196416 error FALSE reason ""
2d23h: IPSEC(key_engine): got a queue event...
2d23h: IPSEC(initialize_sas): ,
    (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.3,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x9BEE9650(2616104528), conn_id= 2002, keysize= 0, flags= 0x4
2d23h: IPSEC(initialize_sas): ,
    (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.3,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xD78F8C24(3616508964), conn_id= 2003, keysize= 0, flags= 0xC
2d23h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.1, sa_prot= 50,
    sa_spi= 0x9BEE9650(2616104528),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
2d23h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.3, sa_prot= 50,
    sa_spi= 0xD78F8C24(3616508964),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003


The following is the output of the debug crypto ipsec and debug crypto isakmp commands run on the spoke 1 router.

1d21h: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 200.1.1.2, remote= 200.1.1.1,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x6968ABC8(1768467400), conn_id= 0, keysize= 0, flags= 0x400C
1d21h: ISAKMP: received ke message (1/1)
1d21h: ISAKMP: local port 500, remote port 500
1d21h: ISAKMP (0:2): beginning Main Mode exchange
1d21h: ISAKMP (0:2): sending packet to 200.1.1.1 (I) MM_NO_STATE..
1d21h: ISAKMP (0:2): received packet from 200.1.1.1 (I) MM_NO_STATE
1d21h: ISAKMP (0:2): processing SA payload. message ID = 0
1d21h: ISAKMP (0:2): found peer pre-shared key matching 200.1.1.1
1d21h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
1d21h: ISAKMP:      encryption DES-CBC
1d21h: ISAKMP:      hash MD5
1d21h: ISAKMP:      default group 1
1d21h: ISAKMP:      auth pre-share
1d21h: ISAKMP:      life type in seconds
1d21h: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
1d21h: ISAKMP (0:2): atts are acceptable. Next payload is 0
1d21h: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d21h: ISAKMP (0:2): sending packet to 200.1.1.1 (I) MM_SA_SETUP.
1d21h: ISAKMP (0:2): received packet from 200.1.1.1 (I) MM_SA_SETUP
1d21h: ISAKMP (0:2): processing KE payload. message ID = 0
1d21h: ISAKMP (0:2): processing NONCE payload. message ID = 0
1d21h: ISAKMP (0:2): found peer pre-shared key matching 200.1.1.1
1d21h: ISAKMP (0:2): SKEYID state generated
1d21h: ISAKMP (0:2): processing vendor id payload
1d21h: ISAKMP (0:2): speaking to another IOS box!
1d21h: ISAKMP (2): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
1d21h: ISAKMP (2): Total payload length: 12
1d21h: ISAKMP (0:2): sending packet to 200.1.1.1 (I) MM_KEY_EXCH
1d21h: ISAKMP (0:2): received packet from 200.1.1.1 (I) MM_KEY_EXCH
1d21h: ISAKMP (0:2): processing ID payload. message ID = 0
1d21h: ISAKMP (0:2): processing HASH payload. message ID = 0
1d21h: ISAKMP (0:2): SA has been authenticated with 200.1.1.1
1d21h: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of -78115175
1d21h: ISAKMP (0:2): sending.!
Success rate is 20 percent (1/5), round-trip min/avg/max = 68/68/68 m packet to 200.1.1.1(I) QM_IDLE
1d21h: ISAKMP (0:2): received packet from 200.1.1.1 (I) QM_IDLE
1d21h: ISAKMP (0:2): processing HASH payload. message ID = -78115175
1d21h: ISAKMP (0:2): processing SA payload. message ID = -78115175
1d21h: ISAKMP (0:2): Checking IPSec proposal 1
1d21h: ISAKMP: transform 1, ESP_DES
1d21h: ISAKMP:   attributes in transform:
1d21h: ISAKMP:      encaps is 1
1d21h: ISAKMP:      SA life type in seconds
1d21h: ISAKMP:      SA life duration (basic) of 3600
1d21h: ISAKMP:      SA life type in kilobytes
1d21h: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
1d21h: ISAKMP:      authenticator is HMAC-MD5
1d21h: ISAKMP (0:2): atts are acceptable.
1d21h: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 200.1.1.2, remote= 200.1.1.1,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1d21h: ISAKMP (0:2): processing NONCE payload. message ID = -78115175
1d21h: ISAKMP (0:2): processing ID payload. message ID = -78115175
1d21h: ISAKMP (0:2): processing ID payload. message ID = -78115175
1d21h: ISAKMP (0:2): Creating IPSec SAs
1d21h:         inbound SA from 200.1.1.1 to 200.1.1.2
    (proxy 192.168.1.0 to 172.16.1.0)
1d21h:         has spi 0x6968ABC8 and conn_id 2000 and flags 4
1d21h:         lifetime of 3600 seconds
1d21h:         lifetime of 4608000 kilobytes
1d21h:         outbound SA from 200.1.1.2 to 200.1.1.1 (proxy 172.16.1.0 to 192.168.1.0 )
1d21h:         has spi 885225242 and conn_id 2001 and flags C
1d21h:         lifetime of 3600 seconds
1d21h:         lifetime of 4608000 kilobytes
1d21h: ISAKMP (0:2): sending packet to 200.1.1.1 (I) QM_IDLE
1d21h: ISAKMP (0:2): deleting node -78115175 error FALSE reason ""
1d21h: IPSEC(key_engine): got a queue event...
1d21h: IPSEC(initialize_sas): ,
    (key eng. msg.) INBOUND local= 200.1.1.2, remote= 200.1.1.1,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x6968ABC8(1768467400), conn_id= 2000, keysize= 0, flags= 0x4
1d21h: IPSEC(initialize_sas): ,
    (key eng. msg.) OUTBOUND local= 200.1.1.2, remote= 200.1.1.1,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x34C3771A(885225242), conn_id= 2001, keysize= 0, flags= 0xC
1d21h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.2, sa_prot= 50,
    sa_spi= 0x6968ABC8(1768467400),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
1d21h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 200.1.1.1, sa_prot= 50,
    sa_spi= 0x34C3771A(885225242),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001


The following is the output of the show crypto engine connections active command run on the hub router.

2503#show crypto engine connections active

   ID Interface   IP-Address   State  Algorithm            Encrypt  Decrypt
    5 Ethernet0   200.1.1.1    set    HMAC_MD5+DES_56_CB         0        0
    6 <none>      <none>       set    HMAC_MD5+DES_56_CB         0        0
 2000 Ethernet0   200.1.1.1    set    HMAC_MD5+DES_56_CB         0       10
 2001 Ethernet0   200.1.1.1    set    HMAC_MD5+DES_56_CB        10        0
 2002 Ethernet0   200.1.1.1    set    HMAC_MD5+DES_56_CB         0       10
 2003 Ethernet0   200.1.1.1    set    HMAC_MD5+DES_56_CB        10        0


This output shows that 10 packets were encrypted and 10 packets were decrypted on each tunnel, which demonstrates that the traffic arrived by way of the hub router.

Note: Two IPSec SAs are created per peer, one for each direction.




Document ID: 7912