
2008/12/23

Trying IPsec, continued (FITELnet)

This time I tried it on FITELnet routers.

PC1 ---- R1 ---- R2 ---- PC2

PC1: 192.168.1.13
R1: 192.168.1.254, 100.0.0.1
R2: 192.168.2.254, 100.0.0.2
PC2: 192.168.2.1

NAT is enabled.

R1#sho running.cfg
!
! FITELnet-F100
! Firmware version: V02.07(02) 032307
!
ip route 0.0.0.0 0.0.0.0 ewan 1
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
vpn enable
vpnlog enable
!
ipsec access-list 1 ipsec ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ipsec access-list 64 bypass ip any any
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
!
service dhcp-server
!
hostname R1
!
ip dhcp pool lan1
exit
!
interface ewan 1
crypto map kyoten
ip address 100.0.0.1 255.255.255.0
ip nat inside source list 1 interface
exit
interface ewan 2
exit
interface lan 1
ip address 192.168.1.254 255.255.255.0
exit
!
crypto isakmp policy 1
authentication prekey
encryption des
hash md5
idtype-pre userfqdn
key ascii secret
negotiation-mode main
peer-identity address 100.0.0.2
exit
crypto map kyoten 1
match address 1
set peer address 100.0.0.2
set transform-set P2-des-md5
exit
!
end


R2#sho running.cfg
!
! FITELnet-F100
! Firmware version: V02.07(02) 032307
!
ip route 0.0.0.0 0.0.0.0 ewan 1
ip route 192.168.1.0 255.255.255.0 100.0.0.1
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
vpn enable
!
ipsec access-list 1 ipsec ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ipsec access-list 64 bypass ip any any
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
!
service dhcp-server
!
hostname R2
!
ip dhcp pool lan1
exit
!
interface ewan 1
crypto map center
ip address 100.0.0.2 255.255.255.0
ip nat inside source list 1 interface
exit
interface ewan 2
exit
interface lan 1
ip address 192.168.2.254 255.255.255.0
exit
!
crypto isakmp policy 1
authentication prekey
encryption des
hash md5
idtype-pre userfqdn
key ascii secret
my-identity kyoten
negotiation-mode main
peer-identity address 100.0.0.1
exit
crypto map center 1
match address 1
set peer address 100.0.0.1
set transform-set P2-des-md5
exit
!
end

R1#sho crypto isakmp sa
[ 1] 100.0.0.2
<--> 100.0.0.1
 Main Mode UP pre-shared key DES MD5
Lifetime : 1000secs
Current : 43secs,1kbytes
mcfg config-mode: off
mcfg addr: off
mcfg apl-version:
IKE Keepalive: dpd
ICMP Keepalive: off
release on addr-change: off

R1#sho cry isakmp policy
Protection suite priority [1]
authentication method : preshared key
encryption algorithm : DES - Data Encryption Standard (56 bit keys)
hash algorithm : Message Digest 5
Disabled frequency : 0

Default protection suite
authentication method : preshared key
encryption algorithm : DES - Data Encryption Standard (56 bit keys)
hash algorithm : Message Digest 5
Diffie-Hellman Group : #1 (768 bit)
lifetime : 1000 seconds, no volume limit


R1#sho crypto ipsec sa
IPSEC SA
current insa : 1
current outsa : 1
[ 1] 192.168.2.0,255.255.255.0 ALL ALL
<--> 192.168.1.0,255.255.255.0 ALL ALL
peer: 100.0.0.2

UP ESP DES HMAC-MD5 PFS:off
Lifetime: 600secs
Anti-Replay: Enable
O-SPI: 0x2c159090 Current: 60secs,1kbytes
out packet : 4 error packet : 0
I-SPI: 0x2b91a660 Current: 60secs,1kbytes
in packet : 4 auth packet : 4
decrypt packet : 4 discard packet : 0
replay packet : 0 auth error packet : 0
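As an added example (not part of the original post), a small Python audit run over the R1 configuration and "sho crypto ipsec sa" output quoted above: it flags the DES/MD5 choices, the short pre-shared key visible in the running-config, the any/any bypass rule and PFS:off, which is what a reviewer of this tunnel would look at first. The line-oriented FITELnet syntax is parsed exactly as it appears on the page; the list of algorithms treated as weak is my own choice.

```python
import re

# Excerpt of the R1 running-config and SA output quoted above (FITELnet-F100).
R1_CONFIG = """\
ipsec access-list 1 ipsec ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ipsec access-list 64 bypass ip any any
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
crypto isakmp policy 1
authentication prekey
encryption des
hash md5
key ascii secret
negotiation-mode main
peer-identity address 100.0.0.2
exit
"""
R1_SA = "UP ESP DES HMAC-MD5 PFS:off\nLifetime: 600secs\n"

# Assumed policy: single DES and MD5 are broken, 3DES is deprecated (NIST SP 800-131A).
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def audit_fitelnet(config: str, sa_output: str = "") -> list[str]:
    """Return findings for weak IKE/IPsec settings in a FITELnet config."""
    findings, policy = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", raw.strip())
        if m:                       # entering a "crypto isakmp policy N" block
            policy = m.group(1)
        elif words[0] == "exit":    # leaving the block
            policy = None
        elif policy and len(words) > 1 and words[0] in ("encryption", "hash") and words[1] in WEAK:
            findings.append(f"isakmp policy {policy}: weak {words[0]} '{words[1]}'")
        elif policy and words[0] == "key" and len(words) > 2 and len(words[2]) < 16:
            findings.append(f"isakmp policy {policy}: pre-shared key '{words[2]}' is only "
                            f"{len(words[2])} characters and stored in running-config")
        elif words[:2] == ["ipsec", "transform-set"]:
            findings += [f"transform-set {words[2]}: weak algorithm '{a}'"
                         for a in words[3:] if a in WEAK]
        elif words[:2] == ["ipsec", "access-list"] and "bypass" in words and "any" in words:
            findings.append(f"ipsec access-list {words[2]}: traffic not matched by the "
                            "IPsec entries leaves the router in cleartext")
    if "PFS:off" in sa_output:
        findings.append("ipsec sa: PFS off, no fresh Diffie-Hellman exchange per phase-2 SA")
    return findings
```

Running `audit_fitelnet(R1_CONFIG, R1_SA)` yields seven findings for the tunnel shown above.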