
2008/12/23

Trying IPsec, Continued Again (Cisco & FITELnet)

Up to this point I had only entered the sample configurations, so of course it worked.

The real problem is interconnecting different models.

So, let's start with Cisco --- FITELnet.

PC1 ---- F100 --- R1 --- R2

PC1: 192.168.1.10
F100: 192.168.1.254, 100.0.0.1
R1: 100.0.0.2, 192.168.2.254
R2: 192.168.2.1

R1 and R2 are Cisco 7200s emulated with Dynamips.


R1#sho running-config

Building configuration...

Current configuration : 1811 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 600
crypto isakmp key secret address 100.0.0.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 1000
!
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
set peer 100.0.0.1
set transform-set IPSEC
match address 101
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.2.254 255.255.255.0
serial restart-delay 0
no fair-queue
!
!
ip route 0.0.0.0 0.0.0.0 100.0.0.1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
FITEL#sho running.cfg

!
! FITELnet-F100
! Firmware version: V02.07(02) 032307
!
!
!
ip route 0.0.0.0 0.0.0.0 100.0.0.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
vpn enable
vpnlog enable
!
ipsec access-list 1 ipsec ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ipsec access-list 64 bypass ip any any
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
!
service dhcp-server
!
hostname FITEL
!
!
ip dhcp pool lan1
exit
!
interface ewan 1
crypto map kyoten
ip address 100.0.0.1 255.255.255.0
ip nat inside source list 1 interface
exit
interface ewan 2
exit
interface lan 1
ip address 192.168.1.254 255.255.255.0
exit
!
!
crypto isakmp policy 1
authentication prekey
encryption des
group 1
hash md5
idtype-pre userfqdn
key ascii secret
lifetime 600
negotiation-mode main
peer-identity address 100.0.0.2
exit
crypto map kyoten 1
match address 1
set peer address 100.0.0.2
set transform-set P2-des-md5
exit
crypto security-association
exit
!
end
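Before trusting that two vendors' configs will agree, it helps to compare the proposals mechanically. The following Python is an added example, not code from the post or from either vendor: it parses constructed excerpts of the R1 and F100 configs above, fills in the IOS defaults for phase-1 parameters R1 leaves unstated (the default suite shown later in R1's own "sho cry isakmp policy" output), normalises the two spellings of pre-shared-key authentication, compares both phases, and flags the algorithms (DES, MD5, DH group 1) this working tunnel relies on. The parameter names, the WEAK set and the helper names are my own choices.

```python
import re
# Constructed excerpts of the two configs above: Cisco IOS on R1, FITELnet F100 opposite.
R1_CFG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 600
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
"""
F100_CFG = """\
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
crypto isakmp policy 1
 authentication prekey
 encryption des
 group 1
 hash md5
 lifetime 600
exit
"""

# IOS fills omitted phase-1 parameters from its default suite (des/sha/rsa-sig/group 1/86400 s per R1's output).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
NORMALISE = {"pre-share": "psk", "prekey": "psk"}   # vendor spellings of the same method
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}  # flag even if matched

PARAM_RE = re.compile(r"^\s*(encryption|hash|authentication|group|lifetime)\s+(\S+)")
XFORM_RE = re.compile(r"transform-set\s+\S+\s+(.+)")

def parse_phase1(cfg, defaults=None):
    """Return {parameter: value} for the isakmp policy, defaults applied first."""
    params = dict(defaults or {})
    for line in cfg.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = NORMALISE.get(m.group(2), m.group(2))
    return params

def parse_phase2(cfg):
    """ESP algorithms of the first transform-set, order-independent."""
    m = XFORM_RE.search(cfg)
    return tuple(sorted(m.group(1).split())) if m else ()

def mismatches(a, b):
    """Parameters whose values differ between the two ends: {name: (a, b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def weak_settings(params):
    return {k: params[k] for k, bad in WEAK.items() if params.get(k) in bad}
```

Removing `hash md5` from the R1 excerpt makes `mismatches` report `{"hash": ("sha", "md5")}`, which is exactly the kind of silent default that breaks phase 1 between vendors.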
FITEL#sho cry isa sa
[ 1] 100.0.0.2
<--> 100.0.0.1
 Main Mode UP pre-shared key DES MD5
Lifetime : 600secs
Current : 527secs,1kbytes
mcfg config-mode: off
mcfg addr: off
mcfg apl-version:
IKE Keepalive: dpd
ICMP Keepalive: off
release on addr-change: off

FITEL#sho cry ipsec sa
IPSEC SA
current insa : 1
current outsa : 1
[ 1] 192.168.2.0,255.255.255.0 ALL ALL
<--> 192.168.1.0,255.255.255.0 ALL ALL
peer: 100.0.0.2

 UP ESP DES HMAC-MD5 PFS:off
Lifetime: 600secs,4608000kbytes
Anti-Replay: Enable
O-SPI: 0x3b56eeb5 Current: 531secs,1kbytes
out packet : 4 error packet : 0
I-SPI: 0x105e8a87 Current: 531secs,1kbytes
in packet : 4 auth packet : 4
decrypt packet : 4 discard packet : 0
replay packet : 0 auth error packet : 0

FITEL#sho cry isakmp policy
Protection suite priority [1]
authentication method : preshared key
encryption algorithm : DES - Data Encryption Standard (56 bit keys)
Diffie-Hellman Group : #1 (768 bit)
hash algorithm : Message Digest 5
lifetime : 600 seconds, no volume limit
Disabled frequency : 0

Default protection suite
authentication method : preshared key
encryption algorithm : DES - Data Encryption Standard (56 bit keys)
hash algorithm : Message Digest 5
Diffie-Hellman Group : #1 (768 bit)
lifetime : 1000 seconds, no volume limit

R1#sho cry isa sa
dst src state conn-id slot status
100.0.0.1 100.0.0.2 QM_IDLE 1 0 ACTIVE

R1#sho cry isa sa ?
active Shows HA-enabled ISAKMP SAs in the active state
detail Show ISAKMP SA Detail
nat Show ISAKMP SA NAT Detail
standby Shows HA-enabled ISAKMP SAs in the standby state
vrf Show ISAKMP SA as per VRF
| Output modifiers


R1#sho cry isa sa det
R1#sho cry isa sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 100.0.0.2 100.0.0.1 ACTIVE des md5 psk 1 00:00:42
Connection-id:Engine-id = 1:1(software)
R1#
R1#sho cry ipsec sa

interface: FastEthernet0/0
Crypto map tag: MAP1, local addr 100.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 100.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 100.0.0.2, remote crypto endpt.: 100.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x105E8A87(274631303)

inbound esp sas:
spi: 0x3B56EEB5(995552949)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4421774/438)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x105E8A87(274631303)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4421774/437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#sho cry isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#