RTX1000
% telnet rtx1000
# RTX1000 Rev.8.01.29 (Fri Apr 15 11:50:44 2011)
# MAC Address : 00:a0:de:
# Memory 16Mbytes, 3LAN, 1BRI
# main: RTX1000 ver=b0 serial=XXXXXXXXX MAC-Address=00:a0:de:
login password *
administrator password *
security class 2 on on
console character ascii
console columns 148
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 172.16.1.0/16 gateway tunnel 1
ip lan1 address 192.168.2.1/24
lan type lan2 auto
ip lan3 address 172.16.2.1/16
pp select 1
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname ASAHINET *PASSWORD*
 ppp lcp mru on 1454
 ppp ipcp msext on
 ip pp address XXX.XXX.XXX.XXX/32
 ip pp mtu 1454
 ip pp intrusion detection in on
 ip pp intrusion detection out on
 ip pp nat descriptor 1 3
 pp enable 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.2.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 YYY.YYY.YYY.YYY
  ipsec ike remote name 1 rtx1000
 tunnel enable 1
nat descriptor type 1 masquerade
nat descriptor address outer 1 XXX.XXX.XXX.XXX
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp
ipsec auto refresh on
syslog notice on
syslog info on
syslog debug on
telnetd service on
telnetd host any
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.2.101-192.168.2.120/24
dns server 202.224.32.1 202.224.32.2
dns server dhcp lan2
dns private address spoof on
RTX1200 (excerpt: only the tunnel-related settings are shown in full)
% ssh rtx1200
ip route 192.168.2.0/24 gateway tunnel 21
ip route 172.16.2.0/16 gateway tunnel 21
ip lan1 address 192.168.1.1/24
ip lan3 address 172.16.1.1/16
pp select 1
 ip pp address YYY.YYY.YYY.YYY/32
tunnel select 21
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.1.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 XXX.XXX.XXX.XXX
  ipsec ike remote name 1 rtx1200 key-id
 ip tunnel tcp mss limit auto
 tunnel enable 1
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.1.1 esp
nat descriptor masquerade static 1 2 192.168.1.1 udp 500
% ssh rtx1200
# show status tunnel 21
TUNNEL[21]:
Description:
Interface type: IPsec
Current status is Online.
from 2011/11/30 15:25:47.
10 minutes 33 seconds connection.
Received: (IPv4) 218 packets [23091 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 187 packets [31024 octets]
(IPv6) 0 packet [0 octet]
#
# show ipsec sa
Total: isakmp:1 send:2 recv:2
sa  sgw  isakmp  connection   dir   life[s]  remote-id
-----------------------------------------------------------------------------
3   1    -       isakmp       -     28303    YYY.YYY.YYY.YYY
4   1    3       tun[021]esp  send  28305    YYY.YYY.YYY.YYY
5   1    3       tun[021]esp  recv  28305    YYY.YYY.YYY.YYY
6   1    3       tun[021]esp  send  28305    YYY.YYY.YYY.YYY
7   1    3       tun[021]esp  recv  28305    YYY.YYY.YYY.YYY
#
# show ipsec sa 3
SA[3] Duration: 28239s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
SPI: 01 02 03 04 05 06 06 07 08 09 0a 0b 0c 0d 0e 0f
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
#
# show ipsec sa 4
SA[4] Duration: 28228s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 11 22 33 44
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
#
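An added consistency check for the two configurations above (my own script, not part of the page or of Yamaha's software): it parses the tunnel-related commands of each side and reports a remote address that is not the peer's pp address, a missing static masquerade entry for IKE (udp 500) or ESP on the IKE local address, and tunnel routes that overlap a directly connected network. On this page the /16 prefixes on both routers (172.16.1.0/16, 172.16.2.0/16 and the lan3 addresses) all normalise to 172.16.0.0/16, so the check flags those routes.

```python
import ipaddress

# Constructed excerpts of both configs on this page (XXX/YYY are the page's own placeholders)
RTX1000 = """ip route 192.168.1.0/24 gateway tunnel 1
ip route 172.16.1.0/16 gateway tunnel 1
ip lan1 address 192.168.2.1/24
ip lan3 address 172.16.2.1/16
ip pp address XXX.XXX.XXX.XXX/32
ipsec ike local address 1 192.168.2.1
ipsec ike remote address 1 YYY.YYY.YYY.YYY
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp"""
RTX1200 = """ip route 192.168.2.0/24 gateway tunnel 21
ip route 172.16.2.0/16 gateway tunnel 21
ip lan1 address 192.168.1.1/24
ip lan3 address 172.16.1.1/16
ip pp address YYY.YYY.YYY.YYY/32
ipsec ike local address 1 192.168.1.1
ipsec ike remote address 1 XXX.XXX.XXX.XXX
nat descriptor masquerade static 1 1 192.168.1.1 esp
nat descriptor masquerade static 1 2 192.168.1.1 udp 500"""

def parse(cfg):
    """Extract the fields the peer check needs; prefixes are normalised to their network."""
    r = {"tunnel_routes": [], "lan": [], "nat_static": set()}
    for w in filter(None, map(str.split, cfg.splitlines())):
        if w[:2] == ["ip", "route"] and w[4] == "tunnel":
            r["tunnel_routes"].append(ipaddress.ip_network(w[2], strict=False))
        elif w[0] == "ip" and w[1].startswith("lan") and w[2] == "address":
            r["lan"].append(ipaddress.ip_network(w[3], strict=False))   # 172.16.2.1/16 -> 172.16.0.0/16
        elif w[:3] == ["ip", "pp", "address"]:
            r["pp"] = w[3].split("/")[0]
        elif w[:2] == ["ipsec", "ike"] and w[3] == "address":          # local / remote
            r["ike_" + w[2]] = w[5]
        elif w[:4] == ["nat", "descriptor", "masquerade", "static"]:
            r["nat_static"].add((w[6], " ".join(w[7:])))             # (inner address, protocol)
    return r

def check_peer(me, peer):
    """Findings for one side: peer address, NAT pass-through for IKE/ESP, route/LAN overlap."""
    f = [] if me["ike_remote"] == peer["pp"] else ["remote address is not the peer's pp address"]
    for proto in ("udp 500", "esp"):
        if (me["ike_local"], proto) not in me["nat_static"]:
            f.append(f"no static masquerade for {proto} to {me['ike_local']}")
    f += [f"tunnel route {rt} overlaps connected network {lan}"
          for rt in me["tunnel_routes"] for lan in me["lan"] if rt.overlaps(lan)]
    return f
```

Run `check_peer(parse(RTX1000), parse(RTX1200))` and the reverse to see each side's findings.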