RTX1000
% telnet rtx1000
# RTX1000 Rev.8.01.29 (Fri Apr 15 11:50:44 2011)
# MAC Address : 00:a0:de:
# Memory 16Mbytes, 3LAN, 1BRI
# main: RTX1000 ver=b0 serial=XXXXXXXXX MAC-Address=00:a0:de:
login password *
administrator password *
security class 2 on on
console character ascii
console columns 148
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 172.16.1.0/16 gateway tunnel 1
ip lan1 address 192.168.2.1/24
lan type lan2 auto
ip lan3 address 172.16.2.1/16
pp select 1
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname ASAHINET *PASSWORD*
 ppp lcp mru on 1454
 ppp ipcp msext on
 ip pp address XXX.XXX.XXX.XXX/32
 ip pp mtu 1454
 ip pp intrusion detection in on
 ip pp intrusion detection out on
 ip pp nat descriptor 1 3
 pp enable 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.2.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 YYY.YYY.YYY.YYY
  ipsec ike remote name 1 rtx1000
 tunnel enable 1
nat descriptor type 1 masquerade
nat descriptor address outer 1 XXX.XXX.XXX.XXX
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp
ipsec auto refresh on
syslog notice on
syslog info on
syslog debug on
telnetd service on
telnetd host any
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.2.101-192.168.2.120/24
dns server 202.224.32.1 202.224.32.2
dns server dhcp lan2
dns private address spoof on
RTX1200 (tunnel settings in full; everything else is excerpted)
% ssh rtx1200
ip route 192.168.2.0/24 gateway tunnel 21
ip route 172.16.2.0/16 gateway tunnel 21
ip lan1 address 192.168.1.1/24
ip lan3 address 172.16.1.1/16
pp select 1
 ip pp address YYY.YYY.YYY.YYY/32
tunnel select 21
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.1.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 XXX.XXX.XXX.XXX
  ipsec ike remote name 1 rtx1200 key-id
 ip tunnel tcp mss limit auto
 tunnel enable 1
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.1.1 esp
nat descriptor masquerade static 1 2 192.168.1.1 udp 500
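The two listings mirror each other: each side's ipsec ike remote address is the other side's ip pp address, the pre-shared key and the ipsec sa policy line are identical, and the static masquerade entries forward udp/500 and ESP to the ipsec ike local address so IKE and ESP reach the router behind the NAT descriptor. The Python script below is an added example, not a tool from this page or from Yamaha: it parses two such excerpts and reports where they disagree. The sample excerpts are constructed from the listings above, with the XXX/YYY placeholders replaced by the documentation addresses 192.0.2.10 / 198.51.100.20 and a dummy pre-shared key; the RTX1200 sample keeps the excerpt's tunnel enable 1 under tunnel select 21, which the route check reports.

```python
"""Consistency and exposure check for a pair of Yamaha RTX IPsec configs.
Added example, not a tool from the page or from Yamaha; the two excerpts are
constructed from the RTX1000 / RTX1200 listings, with the placeholder public
addresses XXX / YYY replaced by 192.0.2.10 / 198.51.100.20 and a dummy PSK."""
import ipaddress

RTX1000 = """\
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.2.1/24
pp select 1
 ip pp address 192.0.2.10/32
tunnel select 1
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike local address 1 192.168.2.1
  ipsec ike pre-shared-key 1 text DUMMY-PSK
  ipsec ike remote address 1 198.51.100.20
 tunnel enable 1
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp
telnetd service on
telnetd host any
"""
RTX1200 = """\
ip route 192.168.2.0/24 gateway tunnel 21
ip lan1 address 192.168.1.1/24
pp select 1
 ip pp address 198.51.100.20/32
tunnel select 21
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike local address 1 192.168.1.1
  ipsec ike pre-shared-key 1 text DUMMY-PSK
  ipsec ike remote address 1 192.0.2.10
 tunnel enable 1
nat descriptor masquerade static 1 1 192.168.1.1 esp
nat descriptor masquerade static 1 2 192.168.1.1 udp 500
"""

def parse(text):
    """Collect the facts the checks need; unrecognised commands go to 'other'."""
    f = {"routes": {}, "tunnels": {}, "enabled": set(), "masq": {}, "lans": [],
         "public": None, "other": []}
    cur = None  # tunnel selected by the most recent 'tunnel select'
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["tunnel", "select"]:
            cur = int(t[2])
            f["tunnels"].setdefault(cur, {})
        elif t[:2] == ["tunnel", "enable"]:
            f["enabled"].add(int(t[2]))
        elif t[:2] == ["ip", "route"] and t[3:5] == ["gateway", "tunnel"]:
            f["routes"][ipaddress.ip_network(t[2], strict=False)] = int(t[5])
        elif t[:3] == ["ip", "pp", "address"]:
            f["public"] = t[3].split("/")[0]
        elif len(t) > 3 and t[0] == "ip" and t[1].startswith("lan") and t[2] == "address":
            f["lans"].append(ipaddress.ip_interface(t[3]).network)
        elif cur is not None and t[:3] == ["ipsec", "sa", "policy"]:
            f["tunnels"][cur]["policy"] = " ".join(t[5:])  # esp aes-cbc sha-hmac
        elif cur is not None and t[:4] == ["ipsec", "ike", "local", "address"]:
            f["tunnels"][cur]["local"] = t[5]
        elif cur is not None and t[:4] == ["ipsec", "ike", "remote", "address"]:
            f["tunnels"][cur]["remote"] = t[5]
        elif cur is not None and t[:3] == ["ipsec", "ike", "pre-shared-key"]:
            f["tunnels"][cur]["psk"] = t[5]
        elif t[:4] == ["nat", "descriptor", "masquerade", "static"]:
            f["masq"][" ".join(t[7:])] = t[6]  # "udp 500" / "esp" -> inner host
        else:
            f["other"].append(" ".join(t))
    return f

def check_pair(a, b, a_tun, b_tun):
    """Findings for tunnel a_tun on router A paired with tunnel b_tun on router B."""
    out = []
    ta, tb = a["tunnels"][a_tun], b["tunnels"][b_tun]
    if ta.get("policy") != tb.get("policy"):
        out.append("phase-2 policy differs: %s vs %s" % (ta.get("policy"), tb.get("policy")))
    if ta.get("psk") != tb.get("psk"):
        out.append("pre-shared keys differ")
    for me, mine, tun, peer in (("A", a, a_tun, b), ("B", b, b_tun, a)):
        tm = mine["tunnels"][tun]
        if tm.get("remote") != peer["public"]:
            out.append("%s: remote %s is not the peer's pp address %s" % (me, tm.get("remote"), peer["public"]))
        for proto in ("udp 500", "esp"):  # IKE and ESP must reach the IKE local address through the NAT
            if mine["masq"].get(proto) != tm.get("local"):
                out.append("%s: no static masquerade of %s to %s" % (me, proto, tm.get("local")))
        for net, via in mine["routes"].items():  # a route into a disabled tunnel black-holes traffic
            if via not in mine["enabled"]:
                out.append("%s: route %s via tunnel %d, but tunnel %d is not enabled" % (me, net, via, via))
        for net in peer["lans"]:  # every LAN behind the peer needs a route into this tunnel
            if mine["routes"].get(net) != tun:
                out.append("%s: peer LAN %s is not routed via tunnel %d" % (me, net, tun))
    return out

def exposure(f):
    """Management-plane hygiene judged from the global commands."""
    out = []
    if "telnetd service on" in f["other"] and "telnetd host any" in f["other"]:
        out.append("telnet accepted from any host; restrict it, e.g. 'telnetd host lan1'")
    return out
```

Import the module and call check_pair(parse(RTX1000), parse(RTX1200), 1, 21); an empty list means the pair is consistent, and exposure(parse(RTX1000)) flags the unrestricted telnetd host any of the RTX1000 listing.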
% ssh rtx1200
# show status tunnel 21
TUNNEL[21]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 2011/11/30 15:25:47.
  10 minutes 33 seconds connection.
  Received: (IPv4) 218 packets [23091 octets] (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 187 packets [31024 octets] (IPv6) 0 packet [0 octet]
#
# show ipsec sa
Total: isakmp:1 send:2 recv:2
sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
3    1   -      isakmp       -    28303   YYY.YYY.YYY.YYY
4    1   3      tun[021]esp  send 28305   YYY.YYY.YYY.YYY
5    1   3      tun[021]esp  recv 28305   YYY.YYY.YYY.YYY
6    1   3      tun[021]esp  send 28305   YYY.YYY.YYY.YYY
7    1   3      tun[021]esp  recv 28305   YYY.YYY.YYY.YYY
#
# show ipsec sa 3
SA[3] Duration: 28239s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
SPI: 01 02 03 04 05 06 06 07 08 09 0a 0b 0c 0d 0e 0f
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
#
# show ipsec sa 4
SA[4] Duration: 28228s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 11 22 33 44
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
#
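The show ipsec sa output is where to confirm what was actually negotiated. The ipsec sa policy line only fixes the ESP algorithms (AES-CBC with HMAC-SHA, as SA[4] shows); the IKE SA in SA[3] came up with 3DES-CBC, SHA-1 and MODP 1024bit, which are the phase-1 parameters and are chosen separately (on Yamaha routers with the ipsec ike encryption and ipsec ike group commands and their relatives). The Python script below is an added example, not from the page or from Yamaha: it parses the summary table and the per-SA detail and flags weak phase-1 algorithms, SAs close to expiry, and child SAs whose IKE SA is no longer listed. The sample output is constructed from the session above with YYY.YYY.YYY.YYY replaced by 198.51.100.20; the WEAK set is the example's own judgement.

```python
"""Parse Yamaha RTX 'show ipsec sa' output and review the negotiated SAs.
Added example, not from the page or from Yamaha; the sample text is
constructed from the RTX1200 session with the peer's public address
YYY.YYY.YYY.YYY replaced by 198.51.100.20."""
import re

SA_TABLE = """\
Total: isakmp:1 send:2 recv:2
sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
3    1   -      isakmp       -    28303   198.51.100.20
4    1   3      tun[021]esp  send 28305   198.51.100.20
5    1   3      tun[021]esp  recv 28305   198.51.100.20
6    1   3      tun[021]esp  send 28305   198.51.100.20
7    1   3      tun[021]esp  recv 28305   198.51.100.20
"""
SA_DETAIL = {
    3: """\
SA[3] Duration: 28239s
Local ID: 192.168.1.1
Remote ID: 198.51.100.20 (rtx1200)
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
SPI: 01 02 03 04 05 06 06 07 08 09 0a 0b 0c 0d 0e 0f
Key: ** ** ** ** ** (confidential) ** ** ** ** **
""",
    4: """\
SA[4] Duration: 28228s
Local ID: 192.168.1.1
Remote ID: 198.51.100.20 (rtx1200)
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 11 22 33 44
Key: ** ** ** ** ** (confidential) ** ** ** ** **
""",
}
# Algorithms this example refuses for a new tunnel (the example's own list,
# not a vendor recommendation).
WEAK = {"DES-CBC", "3DES-CBC", "MD5", "MODP 768bit", "MODP 1024bit"}
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_table(text):
    """Rows of the SA summary as dicts; the Total line, header and ruler are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sa, sgw, isakmp, conn, d, life, rid = m.groups()
            rows.append({"sa": int(sa), "sgw": int(sgw),
                         "isakmp": None if isakmp == "-" else int(isakmp),
                         "connection": conn, "dir": None if d == "-" else d,
                         "life": int(life), "remote": rid})
    return rows

def parse_detail(text):
    """Key/value pairs of 'show ipsec sa N'; the Algorithm line is split into parts."""
    d = {}
    for line in text.splitlines():
        m = re.match(r"SA\[(\d+)\] Duration: (\d+)s", line)
        if m:
            d["sa"], d["duration"] = int(m.group(1)), int(m.group(2))
            continue
        key, _, val = line.partition(":")
        if val:
            d[key.strip().lower()] = val.strip()
    if "algorithm" in d:  # "3DES-CBC, SHA-1, MODP 1024bit" or "AES-CBC (for Auth.: HMAC-SHA)"
        parts = re.split(r",|\(for Auth\.:|\)", d["algorithm"])
        d["algorithms"] = [p.strip() for p in parts if p.strip()]
    return d

def review(table, details, min_life=300):
    """Findings: orphaned child SAs, SAs about to expire, weak algorithms.
    life[s] is treated as remaining seconds (it counts down between the two listings)."""
    out = []
    ike_ids = {r["sa"] for r in table if r["connection"] == "isakmp"}
    for r in table:
        if r["isakmp"] is not None and r["isakmp"] not in ike_ids:
            out.append("SA %d references missing IKE SA %d" % (r["sa"], r["isakmp"]))
        if r["life"] < min_life:
            out.append("SA %d expires in %ds" % (r["sa"], r["life"]))
    for sa, d in details.items():
        for alg in d.get("algorithms", []):
            if alg in WEAK:
                out.append("SA %d (%s): weak algorithm %s" % (sa, d.get("protocol"), alg))
    return out

if __name__ == "__main__":
    details = {n: parse_detail(t) for n, t in SA_DETAIL.items()}
    for msg in review(parse_table(SA_TABLE), details):
        print(msg)
```

Run against the constructed sample, review() reports the two weak phase-1 parameters of SA[3] and nothing for the AES/HMAC-SHA child SA; feeding it a table without the isakmp row shows the orphan check, which is what a stale listing after an IKE SA has been deleted looks like.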