※2017/12/07 Added "cisco" to the categories
Introduction
I hadn't seen this covered much anywhere. ...Not that I expect many people to do it.
This is IPsec between a YAMAHA router and a Cisco router. I found fewer examples online than I expected, so I'm posting mine.
Note, however, that I only verified as far as ping getting through,
and I have never used this in a production environment.
This is for lab testing only!
Please treat this page as a rough reference at most. Or rather: use the same vendor on both ends.
You'll sleep better at night that way.
Reference sites
For the YAMAHA side, see the following. The parameter table below is based on the table on that page.
- IPsec 相互接続の手引き (YAMAHA's IPsec interoperability guide)
For the Cisco side, see the following.
- IPsec IKE Phase1 - Cisco config
- IPsec IKE Phase2 - Cisco config
- IPsec - Cisco config - configuring an IPsec VPN over PPPoE: explains the Cisco config for an IPsec VPN.
I also referred to the following site for IPsec between different vendors.
- IPSec構築例(ローカルネットの場合) (IPsec setup example for a local network): an explanation of IPsec with configuration examples.
Network diagram
Parameter table
Phase 1
| Parameter | yamahaA | yamahaA command | ciscoB | ciscoB command | Notes |
|---|---|---|---|---|---|
| Authentication method | pre-shared-key | ipsec ike pre-shared-key 1 text yamaha | pre-shared-key | authentication pre-share | |
| Encryption algorithm | 3des-cbc | ipsec ike encryption 1 3des-cbc | 3des | encr 3des | |
| Hash algorithm | sha | ipsec ike hash 1 sha | sha | hash sha (the default, so it does not appear in show run) | |
| DH (Diffie-Hellman) group | modp1024 | ipsec ike group 1 modp1024 | 2 | group 2 | modp1024 = group 2 |
| ISAKMP SA lifetime | 28800 | ipsec ike duration isakmp-sa 1 28800 | 28800 | lifetime 28800 | |
| Exchange mode | main | - | main | ? | Does YAMAHA switch between main and aggressive automatically? |
| ID type | ipsec ike local id | ipsec ike local id 1 1.1.1.0/24 | ? | ? | It did not work without this setting. Does it correspond to the Cisco ACL? |
| ID type | ipsec ike remote id | ipsec ike remote id 1 2.2.2.0/24 | ? | ? | It did not work without this setting. Does it correspond to the Cisco ACL? |
Phase 2
| Parameter | yamahaA | yamahaA command | ciscoB | ciscoB command | Notes |
|---|---|---|---|---|---|
| Security protocol | esp | ipsec sa policy 101 1 esp 3des-cbc sha-hmac | esp | crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac | |
| Encryption algorithm | 3des-cbc | ipsec sa policy 101 1 esp 3des-cbc sha-hmac | esp-3des | crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac | |
| Authentication algorithm | sha-hmac | ipsec sa policy 101 1 esp 3des-cbc sha-hmac | esp-sha-hmac | crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac | |
| Mode | tunnel | ipsec tunnel 101 | tunnel | mode tunnel | |
| IPsec SA lifetime | 3600 (default is 28800) | ipsec ike duration ipsec-sa 1 3600 | 3600 (default is 3600) | crypto ipsec security-association lifetime seconds 3600 | This is the default on the Cisco side, so it disappears from show run when configured |
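As an added example (not part of the original page), the Python script below pulls the Phase 1 and Phase 2 parameters out of the two configs on this page, maps each vendor's spelling onto one neutral name (modp1024 = group 2, 3des-cbc = esp-3des, and so on), and reports every mismatch. It also checks the point the table leaves as a question: the Cisco side has no ID commands because the crypto map's ACL supplies the selectors (its source and destination are what `show crypto ipsec sa` later prints as local and remote ident), so the ACL must mirror YAMAHA's local id / remote id. The regexes, the COMMON mapping and the defaults (IOS hiding `hash sha` and a 3600 s IPsec SA lifetime, RTX defaulting the IPsec SA lifetime to 28800) are this example's own assumptions, taken from the tables above.

```python
import ipaddress
import re

# Constructed excerpts of the yamahaA and ciscoB configs shown on this page.
YAMAHA_CFG = """\
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 3des-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike local id 1 1.1.1.0/24
ipsec ike remote id 1 2.2.2.0/24
"""
CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 28800
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 log
"""
# Vendor spellings mapped to one neutral name (modp1024 is DH group 2, and so on).
COMMON = {"3des-cbc": "3des", "esp-3des": "3des", "modp1024": "dh2", "2": "dh2",
          "sha-hmac": "sha", "esp-sha-hmac": "sha"}
# parameter: (YAMAHA regex, YAMAHA default, Cisco regex, Cisco default); defaults are values IOS/RTX omit
SPEC = {
    "p1_enc":  (r"^ipsec ike encryption \d+ (\S+)", None, r"^ encr (\S+)", None),
    "p1_hash": (r"^ipsec ike hash \d+ (\S+)", None, r"^ hash (\S+)", "sha"),
    "p1_dh":   (r"^ipsec ike group \d+ (\S+)", None, r"^ group (\S+)", None),
    "p1_life": (r"^ipsec ike duration isakmp-sa \d+ (\d+)", None, r"^ lifetime (\d+)", None),
    "p2_life": (r"^ipsec ike duration ipsec-sa \d+ (\d+)", "28800", r"^crypto ipsec security-association lifetime seconds (\d+)", "3600"),
    "p2_enc":  (r"^ipsec sa policy \d+ \d+ esp (\S+)", None, r"^crypto ipsec transform-set \S+ (\S+)", None),
    "p2_auth": (r"^ipsec sa policy \d+ \d+ esp \S+ (\S+)", None, r"^crypto ipsec transform-set \S+ \S+ (\S+)", None),
    # Selectors are mirrored: YAMAHA's local id is the Cisco ACL destination, its remote id the ACL source.
    "sel_local":  (r"^ipsec ike local id \d+ (\S+)", None, r"^access-list \d+ permit ip \S+ \S+ (\S+ \S+)", None),
    "sel_remote": (r"^ipsec ike remote id \d+ (\S+)", None, r"^access-list \d+ permit ip (\S+ \S+)", None),
}

def value(key, rx, cfg, default):
    m = re.search(rx, cfg, re.M)
    v = m[1] if m else default
    if key.startswith("sel_") and v:  # "1.1.1.0/24" or "2.2.2.0 0.0.0.255" (wildcard = hostmask)
        return ipaddress.ip_network(v.replace(" ", "/"))
    return COMMON.get(v, v)

def mismatches(yamaha_cfg, cisco_cfg):
    pairs = {k: (value(k, yrx, yamaha_cfg, yd), value(k, crx, cisco_cfg, cd))
             for k, (yrx, yd, crx, cd) in SPEC.items()}
    return {k: (str(y), str(c)) for k, (y, c) in pairs.items() if y != c}
```

`mismatches(YAMAHA_CFG, CISCO_CFG)` returns an empty dict for the configs on this page; change `group 2` to `group 5` on the Cisco side, or swap the ACL's source and destination, and the offending parameters are listed with both vendors' values.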
yamahaA (yamaha)
RTX1210 Rev.14.01.09
yamahaA config
```
console lines infinity
console prompt yamahaA
ip route 2.2.2.0/24 gateway tunnel 1
ip lan1 address 1.1.1.254/24
ip lan2 address 192.168.0.1/24
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 3des-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike local address 1 192.168.0.1
  ipsec ike local id 1 1.1.1.0/24
  ipsec ike pre-shared-key 1 text yamaha
  ipsec ike remote address 1 192.168.0.2
  ipsec ike remote id 1 2.2.2.0/24
 ip tunnel tcp mss limit 1350
 tunnel enable 1
ipsec use on
ipsec auto refresh on
```
yamahaA status
```
yamahaA# show ipsec sa
Total: isakmp:1 send:1 recv:1

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1   -      isakmp        -    28602   192.168.0.2
2     1   1      tun[0001]esp  send 3404    192.168.0.2
3     1   1      tun[0001]esp  recv 3404    192.168.0.2

yamahaA# show ipsec sa gateway 1 detail
SA[1] 寿命: 28581秒
自分側の識別子: 192.168.0.1
相手側の識別子: 192.168.0.2
プロトコル: IKE
アルゴリズム: 3DES-CBC, SHA-1, MODP 1024bit
SPI: ca a3 46 96 1d 2b 8b 29 44 eb 66 50 85 30 82 d3
鍵 : 03 57 b4 2d 1c f2 3d 2f
----------------------------------------------------
SA[2] 寿命: 3383秒
自分側の識別子: 192.168.0.1
相手側の識別子: 192.168.0.2
送受信方向: 送信
プロトコル: ESP (モード: tunnel)
アルゴリズム: 3DES-CBC (認証: HMAC-SHA)
SPI: 9e 70 9c 9a
鍵 : 15 fb 35 b9 7d 80 dc c0 a1 96 d3 a5 fb 63 c5 cd
----------------------------------------------------
SA[3] 寿命: 3383秒
自分側の識別子: 192.168.0.1
相手側の識別子: 192.168.0.2
送受信方向: 受信
プロトコル: ESP (モード: tunnel)
アルゴリズム: 3DES-CBC (認証: HMAC-SHA)
SPI: c2 21 52 39
鍵 : 37 41 02 82 0f 2d 46 48 a9 30 bb ba 89 8a 7f be
----------------------------------------------------
```
ciscoB (cisco)
CISCO892-K9
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.3(3)M2
c890-universalk9-mz.153-3.M2.bin
ciscoB config
```
ciscoB#show run
Building configuration...

Current configuration : 2030 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ciscoB
!
boot-start-marker
boot config flash:startup-config
boot-end-marker
!
aqm-register-fnf
!
logging buffered 40960
!
no aaa new-model
memory-size iomem 15
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
no spanning-tree vlan 1
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key yamaha address 192.168.0.1
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map TEST local-address GigabitEthernet0
crypto map TEST 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set IPSEC
 match address 100
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface Vlan1
 ip address 2.2.2.254 255.255.255.0
 ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 1.1.1.0 255.255.255.0 192.168.0.1
!
!
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 log
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
!
end
```
ciscoB status
```
ciscoB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 192.168.0.1
      2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        2.2.2.0/24 is directly connected, Vlan1
L        2.2.2.254/32 is directly connected, Vlan1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet0
L        192.168.0.2/32 is directly connected, GigabitEthernet0

ciscoB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.0.2     192.168.0.1     QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

ciscoB#show crypto ipsec sa

interface: GigabitEthernet0
    Crypto map tag: TEST, local addr 192.168.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 237, #pkts encrypt: 237, #pkts digest: 237
    #pkts decaps: 237, #pkts decrypt: 237, #pkts verify: 237
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.2, remote crypto endpt.: 192.168.0.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0xC2215239(3256963641)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9E709C9A(2658180250)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4251096/3257)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC2215239(3256963641)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4251096/3257)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

ciscoB#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

ciscoB#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set IPSEC: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
```
Aging test
I kept pinging in both directions, 1.1.1.1→2.2.2.2 and 2.2.2.2→1.1.1.1, for about 12 hours,
and in total saw about 3 or 4 one-second timeouts.
If that is acceptable to you, fine; if it is not, you are better off using the same vendor on both ends.