IPsec

Built in GNS3. Site-to-site IPsec (IKEv1 / ISAKMP with a pre-shared key, crypto map on the WAN interface) between two IOS 12.4 routers, TARO and HANAKO, with a plain router RT in the middle.



172.16.1.0/24 - TARO [.1]-(100.0.0.0/24)-[.2] RT [.1]-(200.0.0.0/24)-[.2] HANAKO - 172.16.2.0/24




TARO#ter len 0
TARO#sho run
Building configuration...

Current configuration : 1490 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TARO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key CISCO address 200.0.0.2 255.255.255.0
crypto isakmp keepalive 100
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 100.0.0.1 255.255.255.0
 negotiation auto
 crypto map MAP1
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 172.16.2.0 255.255.255.0 100.0.0.2
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end


HANAKO#sho run
Building configuration...

Current configuration : 1492 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HANAKO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key CISCO address 100.0.0.1 255.255.255.0
crypto isakmp keepalive 100
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 200.0.0.2 255.255.255.0
 negotiation auto
 crypto map MAP1
!
ip route 0.0.0.0 0.0.0.0 200.0.0.1
ip route 172.16.1.0 255.255.255.0 200.0.0.1
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

HANAKO#
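The crypto settings on both routers (policy 1 with 3des / md5 / group 2, the pre-shared key CISCO, and the esp-3des esp-md5-hmac transform set) are fine for a lab but are exactly what a config review should flag: 3DES is a 64-bit-block cipher, MD5 and DH group 2 (1024-bit MODP) are deprecated for IKE, the PSK is a dictionary word, and the mask 255.255.255.0 on "crypto isakmp key CISCO address 200.0.0.2 255.255.255.0" makes that key valid for any peer in 200.0.0.0/24 rather than just 200.0.0.2 (use 255.255.255.255, or omit the mask, for a single peer). The script below is an added example written for this page, not code from the lab or from Cisco: it parses the crypto section of an IOS running-config (TARO's, pasted in as the sample; HANAKO's mirrors it) and reports each weak setting next to the replacement a current baseline would expect (encr aes 256, hash sha256, group 14 or higher, a long random PSK with a /32 mask, esp-aes 256 esp-sha256-hmac). The thresholds and the "weak" sets are the editor's own baseline, not IOS defaults; whether the stronger options are accepted depends on the IOS release, and the 12.4 image used here may not offer all of them. The parser assumes the plain "crypto isakmp key KEY address A [MASK]" form shown on this page (no "0"/"6" encryption-type keyword).

```python
import re

# Constructed sample input: the crypto section of TARO's running-config as shown on this page.
TARO_CRYPTO_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key CISCO address 200.0.0.2 255.255.255.0
crypto isakmp keepalive 100
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address 101
"""

# Editor's baseline for what counts as weak (assumption, not an IOS default).
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}              # IOS "hash sha" means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_PSK_LEN = 20


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            attr, _, value = line.strip().partition(" ")
            current[attr] = value
        else:
            current = None                  # any non-indented line ends the block
    return policies


def audit_ios_crypto(config):
    """Return a list of human-readable findings for weak IKEv1/IPsec settings."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        # IOS defaults when an attribute is absent: encr des, hash sha (SHA-1), group 1.
        encr, hsh, grp = p.get("encr", "des"), p.get("hash", "sha"), p.get("group", "1")
        if encr in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak cipher {encr}; use aes 256")
        if hsh in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {hsh}; use sha256 or sha384")
        if grp in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {grp}; use 14 or higher")

    for m in re.finditer(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?", config):
        key, addr, mask = m.groups()
        if len(key) < MIN_PSK_LEN or key.isalpha():
            findings.append(f"isakmp key for {addr}: weak PSK (short or letters only); use a long random string")
        if mask not in (None, "255.255.255.255"):
            findings.append(f"isakmp key for {addr}: mask {mask} accepts any peer in that range; use 255.255.255.255")

    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        name, algs = m.group(1), m.group(2).split()
        for alg in algs:
            if alg in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform {alg}; use esp-aes 256 esp-sha256-hmac")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_crypto(TARO_CRYPTO_CONFIG):
        print(finding)
```

Run it against a config pulled with "show run | section crypto" and expect an empty list once the policy, key line and transform set have been replaced; the same findings apply to HANAKO, whose crypto section differs only in the peer address.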
TARO#ping 172.16.2.254 source 172.16.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.254
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/94/116 ms
TARO#
TARO#
TARO#
TARO#sho cry isa sa
dst             src             state          conn-id slot status
200.0.0.2       100.0.0.1       QM_IDLE              1    0 ACTIVE

TARO#sho cry ipsec sa

interface: GigabitEthernet1/0
    Crypto map tag: MAP1, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0
     current outbound spi: 0xD05FC0B9(3495936185)

     inbound esp sas:
      spi: 0xA794FBD4(2811558868)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4540909/3589)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD05FC0B9(3495936185)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4540909/3589)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
TARO#
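Reading the two show outputs above: QM_IDLE in "sho cry isa sa" is the normal state of an established phase 1 SA, and in "sho cry ipsec sa" the things worth checking are that both ESP SAs are ACTIVE in Tunnel mode, that the outbound SA's SPI equals "current outbound spi", that anti-replay is on, and that encaps and decaps both advanced (4 and 4 here, matching the four replies). The single send error lines up with the first echo in the ping above (".!!!!"): the first packet that matches the crypto ACL is what triggers IKE negotiation and is typically dropped while the SAs are being built. The script below is an added example, not part of the lab notes or an IOS feature: it parses that output (pasted in, abridged, as the sample input) into a dict and runs those checks, also flagging the weak esp-3des esp-md5-hmac transform and the one-way-tunnel case where packets are encrypted but nothing comes back decrypted. It assumes a single crypto map entry per interface, as on this page.

```python
import re

# Sample input: TARO's 'sho cry ipsec sa' output from this page, abridged (compression counters
# and conn id lines dropped).
SHOW_IPSEC_SA = """\
interface: GigabitEthernet1/0
    Crypto map tag: MAP1, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     current outbound spi: 0xD05FC0B9(3495936185)

     inbound esp sas:
      spi: 0xA794FBD4(2811558868)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4540909/3589)
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xD05FC0B9(3495936185)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4540909/3589)
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
"""

# Editor's baseline for weak ESP transforms (assumption, not an IOS list).
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Pull the operator-relevant fields out of 'show crypto ipsec sa' for one crypto map entry."""
    def grab(pattern, src=None, flags=0):
        m = re.search(pattern, text if src is None else src, flags)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    info = {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
        "peer": grab(r"current_peer (\S+) port \d+"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")),
        "decaps": int(grab(r"#pkts decaps: (\d+)")),
        "send_errors": int(grab(r"#send errors (\d+)")),
        "recv_errors": int(grab(r"#recv errors (\d+)")),
        "current_outbound_spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
        "sas": {},
    }
    for direction in ("inbound", "outbound"):
        # Text between "<dir> esp sas:" and "<dir> ah sas:"; empty when phase 2 never completed.
        block = grab(rf"{direction} esp sas:\n(.*?)\n\s*{direction} ah sas:", flags=re.S)
        if not block.strip():
            info["sas"][direction] = None
            continue
        info["sas"][direction] = {
            "spi": grab(r"spi: (0x[0-9A-Fa-f]+)", block),
            "transform": grab(r"transform: (.+?) ,", block).strip(),
            "mode": grab(r"in use settings =\{(\w+)", block),
            "remaining_sec": int(grab(r"\(\d+/(\d+)\)", block)),   # lifetime "(kbytes/sec)"
            "replay": grab(r"replay detection support: (\w)", block) == "Y",
            "status": grab(r"Status: (\w+)", block),
        }
    return info


def health_check(info, expected_peer, expected_mode="Tunnel"):
    """Return a list of problems; an empty list means the tunnel looks healthy and sane."""
    problems = []
    if info["peer"] != expected_peer:
        problems.append(f"peer is {info['peer']}, expected {expected_peer}")
    for direction, sa in info["sas"].items():
        if sa is None:
            problems.append(f"no {direction} ESP SA: phase 2 never completed")
            continue
        if sa["status"] != "ACTIVE":
            problems.append(f"{direction} SA status {sa['status']}")
        if sa["mode"] != expected_mode:
            problems.append(f"{direction} SA in {sa['mode']} mode, expected {expected_mode}")
        if not sa["replay"]:
            problems.append(f"{direction} SA has anti-replay disabled")
        weak = [a for a in sa["transform"].split() if a in WEAK_ESP]
        if weak:
            problems.append(f"{direction} SA uses weak transform(s) {' '.join(weak)}")
    out = info["sas"]["outbound"]
    if out and out["spi"] != info["current_outbound_spi"]:
        problems.append("outbound SA SPI differs from current outbound spi (stale SA?)")
    if info["encaps"] and not info["decaps"]:
        problems.append("traffic encrypted but nothing decrypted: one-way tunnel (check far-side ACL/route)")
    return problems


if __name__ == "__main__":
    for problem in health_check(parse_ipsec_sa(SHOW_IPSEC_SA), "200.0.0.2"):
        print(problem)
```

For this lab the only findings are the weak transforms on both SAs; everything else checks out, which is the expected picture after a successful "ping 172.16.2.254 source 172.16.1.254" through the tunnel.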