IPsec between RTX1000 and RTX1200

RTX1000
% telnet rtx1000

# RTX1000 Rev.8.01.29 (Fri Apr 15 11:50:44 2011)
# MAC Address : 00:a0:de:
# Memory 16Mbytes, 3LAN, 1BRI
# main:  RTX1000 ver=b0 serial=XXXXXXXXX MAC-Address=00:a0:de: 
login password *
administrator password *
security class 2 on on
console character ascii
console columns 148
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 172.16.1.0/16 gateway tunnel 1
ip lan1 address 192.168.2.1/24
lan type lan2 auto
ip lan3 address 172.16.2.1/16
pp select 1
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname ASAHINET *PASSWORD*
 ppp lcp mru on 1454
 ppp ipcp msext on
 ip pp address XXX.XXX.XXX.XXX/32
 ip pp mtu 1454
 ip pp intrusion detection in on
 ip pp intrusion detection out on
 ip pp nat descriptor 1 3
 pp enable 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.2.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 YYY.YYY.YYY.YYY
  ipsec ike remote name 1 rtx1000
 tunnel enable 1
nat descriptor type 1 masquerade
nat descriptor address outer 1 XXX.XXX.XXX.XXX
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp
ipsec auto refresh on
syslog notice on
syslog info on
syslog debug on
telnetd service on
telnetd host any
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.2.101-192.168.2.120/24
dns server 202.224.32.1 202.224.32.2
dns server dhcp lan2
dns private address spoof on

RTX1200 (tunnel settings shown in full; everything else is excerpted)
% ssh rtx1200

ip route 192.168.2.0/24 gateway tunnel 21
ip route 172.16.2.0/16 gateway tunnel 21
ip lan1 address 192.168.1.1/24
ip lan3 address 172.16.1.1/16

pp select 1
 ip pp address YYY.YYY.YYY.YYY/32

tunnel select 21
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.1.1
  ipsec ike pre-shared-key 1 text *PRESHAREDKEY*
  ipsec ike remote address 1 XXX.XXX.XXX.XXX
  ipsec ike remote name 1 rtx1200 key-id
 ip tunnel tcp mss limit auto
 tunnel enable 1
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.1.1 esp
nat descriptor masquerade static 1 2 192.168.1.1 udp 500

% ssh rtx1200

# show status tunnel 21
TUNNEL[21]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 2011/11/30 15:25:47.
  10 minutes 33 seconds  connection.
  Received:    (IPv4) 218 packets [23091 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 187 packets [31024 octets]
               (IPv6) 0 packet [0 octet]
#
# show ipsec sa
Total: isakmp:1 send:2 recv:2

sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
3     1    -    isakmp       -    28303   YYY.YYY.YYY.YYY
4     1    3    tun[021]esp  send 28305   YYY.YYY.YYY.YYY
5     1    3    tun[021]esp  recv 28305   YYY.YYY.YYY.YYY
6     1    3    tun[021]esp  send 28305   YYY.YYY.YYY.YYY
7     1    3    tun[021]esp  recv 28305   YYY.YYY.YYY.YYY

#
# show ipsec sa 3
SA[3] Duration: 28239s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
SPI: 01 02 03 04 05 06 06 07 08 09 0a 0b 0c 0d 0e 0f
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------

#
# show ipsec sa 4
SA[4] Duration: 28228s
Local ID: 192.168.1.1
Remote ID: YYY.YYY.YYY.YYY (rtx1200)
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 11 22 33 44
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------

#
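As an added example (not part of the original page and not Yamaha's own tooling), the following Python script parses the "show ipsec sa" output above, checks that tunnel 21 has an ISAKMP SA and matched send/recv ESP pairs, and flags the phase-1 algorithms on the "show ipsec sa 3" line: the IKE SA on this page negotiated 3DES-CBC, SHA-1 and MODP 1024bit, all of which are considered weak today. The WEAK list is an assumption for this check, not a router setting.

```python
import re
# Sample input copied from this page's show ipsec sa output (remote address masked by the author).
SA_TABLE = """\
Total: isakmp:1 send:2 recv:2
sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
3     1    -    isakmp       -    28303   YYY.YYY.YYY.YYY
4     1    3    tun[021]esp  send 28305   YYY.YYY.YYY.YYY
5     1    3    tun[021]esp  recv 28305   YYY.YYY.YYY.YYY
6     1    3    tun[021]esp  send 28305   YYY.YYY.YYY.YYY
7     1    3    tun[021]esp  recv 28305   YYY.YYY.YYY.YYY
"""
SA3_DETAIL = """\
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
"""
# One table row: sa sgw isakmp connection dir life[s] remote-id
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
# Algorithm names treated as weak for this check (this list is an assumption).
WEAK = ("3DES-CBC", "SHA-1", "MODP 768bit", "MODP 1024bit")
def parse_sa_table(text):
    """Return one dict per SA row; Total, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sa, sgw, isakmp, conn, direction, life, remote = m.groups()
            rows.append({"sa": int(sa), "sgw": int(sgw), "isakmp": isakmp, "conn": conn,
                         "dir": direction, "life": int(life), "remote": remote})
    return rows
def tunnel_health(rows):
    """Per tunnel: equal send/recv ESP SA counts, each tied to a live ISAKMP SA."""
    isakmp_ids = {r["sa"] for r in rows if r["conn"] == "isakmp"}
    report = {}
    for r in rows:
        m = re.match(r"tun\[(\d+)\]esp$", r["conn"])
        if not m:
            continue
        t = report.setdefault(int(m.group(1)), {"send": 0, "recv": 0, "isakmp_ok": True})
        t[r["dir"]] = t.get(r["dir"], 0) + 1
        if not (r["isakmp"].isdigit() and int(r["isakmp"]) in isakmp_ids):
            t["isakmp_ok"] = False
    for t in report.values():
        t["ok"] = t["isakmp_ok"] and t["send"] > 0 and t["send"] == t["recv"]
    return report
def weak_algorithms(detail):
    """Names on the Algorithm: line of 'show ipsec sa N' that appear in WEAK."""
    m = re.search(r"^Algorithm:\s*(.+)$", detail, re.M)
    return [w for w in WEAK if m and w in m.group(1)]
```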