One thing, though: the folder had become read-only, so that had to be fixed, and telnet is disabled by default (the client too), so it has to be enabled. Let's try IPsec.
   192.168.1.0/24    10.10.10.0/24     192.168.2.0/24
+----+        +----+             +----+        +----+
| R3 +--------+ R1 +-------------+ R2 +--------+ R4 |
+----+.2    .1+----+.1         .2+----+.1    .2+----+

R1
R1#sho running-config
Building configuration...

Current configuration : 1695 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco address 10.10.10.2 255.255.255.0
crypto isakmp keepalive 100
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set IPSEC
 match address 101
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex half
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
 serial restart-delay 0
 crypto map MAP1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 192.168.1.0 255.255.255.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

R2

R2#sho running-config
Building configuration...

Current configuration : 1710 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco address 10.10.10.1 255.255.255.0
crypto isakmp keepalive 100
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set IPSEC
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex half
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 serial restart-delay 0
 no fair-queue
 crypto map MAP1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 192.168.1.0 255.255.255.0 10.10.10.1
ip route 192.168.2.0 255.255.255.0 10.10.10.1
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
end

R3

R3#sho running-config
Building configuration...

Current configuration : 621 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
end

R4

R4#sho running-config
Building configuration...

Current configuration : 621 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
end

Just configuring this does not establish an IPsec SA.
With this configuration, IPsec traffic is exchanged only when communication between 192.168.1.0/24 and 192.168.2.0/24 occurs.
R3#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/260/356 ms
R3#
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
10.10.10.2      10.10.10.1      QM_IDLE              1    0 ACTIVE
R1#
R1#sho crypto isakmp peers
Peer: 10.10.10.2 Port: 500 Local: 10.10.10.1
Phase1 id: 10.10.10.2
R1#
R1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 28800 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#
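An added check, not from the original post, that parses the crypto-relevant lines of two IOS configs like R1/R2 above and reports whether they mirror each other (set peer and pre-shared-key addresses pointing at the other side's crypto interface, mirrored crypto ACLs, identical ISAKMP and transform parameters), plus a defender-side list of the legacy algorithms this lab negotiates (3DES, MD5 and the default 768-bit DH group 1 shown in the policy output). The R1 snippet is constructed from the lab, R2 is derived from it by swapping addresses, and the function names and the "A"/"B" side labels are my own.

```python
import re

# Constructed sample: the crypto-relevant lines of R1 in the lab above.
R1 = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.10.10.2 255.255.255.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
crypto map MAP1 1 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set IPSEC
 match address 101
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
 crypto map MAP1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# R2 in the lab is the same configuration with the WAN and LAN addresses swapped.
R2 = R1.replace("10.10.10.1", "@").replace("10.10.10.2", "10.10.10.1").replace("@", "10.10.10.2")
R2 = R2.replace("192.168.1.0", "@").replace("192.168.2.0", "192.168.1.0").replace("@", "192.168.2.0")

FIELDS = {  # one regex per field that must line up between the two peers
    "encr": r"^ encr (\S+)", "hash": r"^ hash (\S+)", "group": r"^ group (\d+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "psk_peer": r"^crypto isakmp key \S+ address (\S+)", "map_peer": r"^ set peer (\S+)",
    "local": r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map",  # interface carrying the crypto map
    "acl": r"^access-list \d+ permit ip (\S+ \S+ \S+ \S+)",      # "src wildcard dst wildcard"
}

def parse(cfg):  # fields above from one router's config; None when a line is absent
    p = {k: (m.group(1) if (m := re.search(r, cfg, re.M)) else None) for k, r in FIELDS.items()}
    p["group"] = p["group"] or "1"  # IOS default without a 'group' line: DH group 1 (768 bit)
    return p

def check_pair(a, b):  # findings for two parsed peers; [] means the configs mirror each other
    out = []
    for x, y, side in ((a, b, "A"), (b, a, "B")):
        if not (x["map_peer"] == x["psk_peer"] == y["local"]):
            out.append(f"{side}: set peer / isakmp key address is not the other side's crypto interface")
    sa, sb = (a["acl"] or "").split(), (b["acl"] or "").split()
    if len(sa) != 4 or sa[:2] != sb[2:] or sa[2:] != sb[:2]:
        out.append("crypto ACLs are not mirror images (traffic would match in one direction only)")
    out += [f"{k} differs between peers" for k in ("encr", "hash", "group", "transform") if a[k] != b[k]]
    return out

def weak_algorithms(p):  # defender caveat: legacy parameters this IOS 12.4 lab negotiates
    weak = sorted({p["encr"], p["hash"], *(p["transform"] or "").split()} & {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"})
    return weak + (["dh-group-" + p["group"]] if int(p["group"]) < 14 else [])
```

Pasting the real `show running-config` text of a production pair into R1 and R2 runs the same checks against it.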
08/12/22(Mon) 08:36
R1#sho cry ipsec sa

interface: Serial1/0
    Crypto map tag: MAP1, local addr 10.10.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x193624A0(422978720)

     inbound esp sas:
      spi: 0xC5E6FB2A(3320249130)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4482477/2342)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x193624A0(422978720)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4482477/2341)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#
R1#sho cry ipsec transform-set
Transform set IPSEC: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R1#sho cry ipsec ?
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
transform-set Crypto transform sets
R1#sho cry ipsec se
R1#sho cry ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
Capturing on R1's S1/0 shows three round trips of ISAKMP Identity Protection, then one and a half round trips of ISAKMP Quick Mode, after which ESP packets start flowing.
This was on Vista Ultimate 64-bit, with four 7200s emulated using Dynamips.
I saved the Tera Term log at the time, but then the file went missing.
Yet when I bring up Tera Term's save-log menu, the file shows up fine.
Then I noticed the words "Compatibility Files" in the Explorer menu.
Clicking that showed the file. But then the other files became invisible.
Closing Explorer and reopening it, everything except the log file is visible again.
I ran into this "Compatibility Files" problem when using BitComet too,
and I still don't really understand what it means.
Well, it's off-topic for this thread, so I'll save it for another time.