Note: 2017/12/07, added cisco to the categories.
Introduction
I hadn't seen this covered much, so here it is... though I don't think many people actually do this.
This is IPsec between a YAMAHA router and a Cisco router. I found fewer examples online than I expected, so I am posting mine.
However, I only verified it as far as ping going through, and I have never used this in a production environment, so bear that in mind.
This is for lab testing only!
Treat this page as reference material at most. Or rather, just use the same vendor on both ends.
You will sleep better at night that way.
Reference sites
For the YAMAHA side, see here. The parameter table below is based on the table on that page.
For the cisco side, see here.
I also referred to this site for IPsec between different vendors.
Network diagram (as read from the two configs below): LAN 1.1.1.0/24 -- yamahaA (lan1 1.1.1.254, lan2 192.168.0.1) -- 192.168.0.0/24 -- ciscoB (GigabitEthernet0 192.168.0.2, Vlan1 2.2.2.254) -- LAN 2.2.2.0/24. The IPsec tunnel runs between 192.168.0.1 and 192.168.0.2.
Parameter table
Phase 1
Parameter | yamahaA | yamahaA command | ciscoB | ciscoB command | Notes |
---|---|---|---|---|---|
Authentication method | pre-shared-key | ipsec ike pre-shared-key 1 text yamaha | pre-shared-key | authentication pre-share / crypto isakmp key yamaha address 192.168.0.1 | The key must be byte-for-byte identical on both sides; "yamaha" is a lab value, use a long random one elsewhere |
Encryption algorithm | 3des-cbc | ipsec ike encryption 1 3des-cbc | 3des | encr 3des | |
Hash algorithm | sha | ipsec ike hash 1 sha | sha | hash sha | IOS default, so the line does not appear in running-config |
DH (Diffie-Hellman) group | modp1024 | ipsec ike group 1 modp1024 | 2 | group 2 | modp1024 = group 2 (1024-bit MODP). The IOS default is group 1, so this line must be present |
ISAKMP SA lifetime | 28800 | ipsec ike duration isakmp-sa 1 28800 | 28800 | lifetime 28800 | The IOS default is 86400, so this line does appear |
Exchange mode | main | (no command) | main | (no command) | Neither side has an explicit command. RTX uses main mode when the peer is identified by a fixed address (`ipsec ike remote address`) rather than by `ipsec ike remote name`; IOS initiates main mode with pre-shared keys unless aggressive mode is explicitly configured, so main mode is what is negotiated here |
Phase 2
Parameter | yamahaA | yamahaA command | ciscoB | ciscoB command | Notes |
---|---|---|---|---|---|
Security protocol | esp | ipsec sa policy 101 1 esp 3des-cbc sha-hmac | esp | crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac | |
Encryption algorithm | 3des-cbc | (same line as above) | esp-3des | (same line as above) | |
Authentication algorithm | sha-hmac | (same line as above) | esp-sha-hmac | (same line as above) | |
Mode | tunnel | ipsec tunnel 101 | tunnel | mode tunnel | IOS default |
IPsec SA lifetime | 3600 (RTX default is 28800) | ipsec ike duration ipsec-sa 1 3600 | 3600 (IOS default is 3600) | crypto ipsec security-association lifetime seconds 3600 | Default on IOS, so the line does not appear in running-config |
Local ID (Quick Mode traffic selector) | 1.1.1.0/24 | ipsec ike local id 1 1.1.1.0/24 | 1.1.1.0/24 | access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (the destination), applied with match address 100 | Without the local/remote id commands the tunnel did not come up. These are the Phase 2 IDs, not Phase 1 identities, and they must mirror the Cisco crypto ACL: RTX local id = ACL destination, RTX remote id = ACL source. `show crypto ipsec sa` below confirms it (local ident 2.2.2.0/24, remote ident 1.1.1.0/24) |
Remote ID (Quick Mode traffic selector) | 2.2.2.0/24 | ipsec ike remote id 1 2.2.2.0/24 | 2.2.2.0/24 | access-list 100 ... (the source) | Same as above |
PFS | off | (not set) | off | (not set) | `show crypto ipsec sa` below reports PFS (Y/N): N. To turn it on, `ipsec ike pfs 1 on` on the RTX and `set pfs group2` under crypto map TEST 1 |
3DES, SHA-1 and DH group 2 (1024-bit MODP) are legacy choices; IOS's own default transform set in the output below is already esp-aes. Outside a lab, use AES and a 2048-bit or larger group on both sides, enable PFS, and keep the PSK out of cleartext.
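Most interop failures between these two boxes are one cell in the tables above disagreeing, and IOS hides the defaults that matter (hash sha, group 1, the 3600 s IPsec lifetime). The checker below is an added example, not code from the original post: it parses an RTX config and an IOS crypto-map config into one vocabulary (modp1024 = group 2, 3des-cbc = esp-3des, sha = sha1 and so on), fills in the IOS defaults that never show up in running-config, converts the crypto ACL's wildcard masks into networks, and flags every Phase 1 / Phase 2 mismatch including the swapped local/remote ID versus ACL correspondence. The sample configs are constructed from this page; the keyword maps (`Y_ENC`, `C_ESP`, ...) also cover a few AES / SHA-2 options so the same checker works on a hardened version of this setup; all names are mine and only the listed keywords are recognised.

```python
"""Cross-check IKEv1 phase 1 / phase 2 parameters between a YAMAHA RTX and a
Cisco IOS crypto-map config. Sample configs below are constructed from this page."""
import ipaddress
import re

YAMAHA_CONF = """\
  ipsec sa policy 101 1 esp 3des-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 3des-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike local id 1 1.1.1.0/24
  ipsec ike pre-shared-key 1 text yamaha
  ipsec ike remote id 1 2.2.2.0/24
"""
CISCO_CONF = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key yamaha address 192.168.0.1
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 log
"""

# Vendor keywords -> one vocabulary, so "modp1024" and "group 2" compare equal.
Y_ENC = {"3des-cbc": "3des", "aes-cbc": "aes128", "aes256-cbc": "aes256"}
HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}            # same keywords on IOS
Y_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
Y_AUTH = {"md5-hmac": "md5", "sha-hmac": "sha1", "sha256-hmac": "sha256"}
C_ENC = {"3des": "3des", "aes": "aes128", "aes 256": "aes256"}
C_ESP = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes 256": "aes256",
         "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

net = ipaddress.ip_network
wild = lambda s: net(s.replace(" ", "/"))   # "2.2.2.0 0.0.0.255" -> 2.2.2.0/24 (IOS wildcard == hostmask)
y_esp = lambda s: (Y_ENC.get(s.split()[0]), Y_AUTH.get(s.split()[1]))            # "3des-cbc sha-hmac"
c_esp = lambda s: tuple(C_ESP.get(a) for a in re.findall(r"esp-\S+(?: \d+)?", s))  # "esp-aes 256 esp-sha-hmac"

# (regex matched at the start of each line after indentation, result key, converter)
YAMAHA_RULES = [
    (r"ipsec ike encryption \d+ (\S+)", "enc", Y_ENC.get),
    (r"ipsec ike hash \d+ (\S+)", "hash", HASH.get),
    (r"ipsec ike group \d+ (\S+)", "group", Y_GROUP.get),
    (r"ipsec ike duration isakmp-sa \d+ (\d+)", "ike_life", int),
    (r"ipsec ike duration ipsec-sa \d+ (\d+)", "ipsec_life", int),
    (r"ipsec ike pre-shared-key \d+ text (\S+)", "psk", str),
    (r"ipsec sa policy \d+ \d+ esp (\S+ \S+)", "esp", y_esp),
    (r"ipsec ike local id \d+ (\S+)", "local_net", net),     # phase 2 (Quick Mode) IDs
    (r"ipsec ike remote id \d+ (\S+)", "remote_net", net),
]
CISCO_RULES = [
    (r"encr (.+)$", "enc", C_ENC.get),
    (r"hash (\S+)$", "hash", HASH.get),
    (r"group (\d+)$", "group", int),
    (r"lifetime (\d+)$", "ike_life", int),
    (r"crypto isakmp key (\S+) address", "psk", str),
    (r"crypto ipsec transform-set \S+ (esp-.+)$", "esp", c_esp),
    (r"crypto ipsec security-association lifetime seconds (\d+)", "ipsec_life", int),
    (r"access-list \d+ permit ip (\S+ \S+)", "acl_src", wild),          # source = Cisco-side net
    (r"access-list \d+ permit ip \S+ \S+ (\S+ \S+)", "acl_dst", wild),  # destination = YAMAHA-side net
]
CHECKS = [  # (label, YAMAHA key, Cisco key)
    ("phase1 encryption", "enc", "enc"), ("phase1 hash", "hash", "hash"),
    ("phase1 DH group", "group", "group"), ("phase1 ISAKMP SA lifetime", "ike_life", "ike_life"),
    ("pre-shared key", "psk", "psk"), ("phase2 ESP (enc, auth)", "esp", "esp"),
    ("phase2 IPsec SA lifetime", "ipsec_life", "ipsec_life"),
    # The RTX local/remote id must mirror the crypto ACL, swapped: the ACL is written from Cisco's side.
    ("YAMAHA local id vs Cisco ACL destination", "local_net", "acl_dst"),
    ("YAMAHA remote id vs Cisco ACL source", "remote_net", "acl_src"),
]

def parse(text, rules, defaults):
    """Apply each rule to every line; keys never matched keep their default value."""
    p = dict(defaults)
    for line in text.splitlines():
        for pat, key, conv in rules:
            m = re.match(r"\s*" + pat, line)
            if m:
                p[key] = conv(m.group(1))
    return p

def compare(yamaha_text, cisco_text):
    """Return human-readable mismatches; an empty list means the two sides agree."""
    y = parse(yamaha_text, YAMAHA_RULES, {"ike_life": 28800, "ipsec_life": 28800})  # RTX defaults
    # IOS drops defaults from running-config (hash sha, group 1, 3600 s), so start from them.
    c = parse(cisco_text, CISCO_RULES, {"enc": "des", "hash": "sha1", "group": 1,
                                        "ike_life": 86400, "ipsec_life": 3600})
    return [f"{label}: YAMAHA={y.get(yk)} Cisco={c.get(ck)}"
            for label, yk, ck in CHECKS if y.get(yk) != c.get(ck)]

if __name__ == "__main__":
    print("\n".join(compare(YAMAHA_CONF, CISCO_CONF)) or "OK: both sides agree")
```

Run it against the two configs on this page and it reports agreement; delete `group 2` from the IOS side and it immediately reports group 2 versus the invisible IOS default of group 1, which is exactly the kind of mismatch that leaves Phase 1 stuck with no obvious line in `show run` to blame.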
yamahaA (yamaha)
RTX1210 Rev.14.01.09
yamahaA config
```
console lines infinity
console prompt yamahaA
ip route 2.2.2.0/24 gateway tunnel 1
ip lan1 address 1.1.1.254/24
ip lan2 address 192.168.0.1/24
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 3des-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike local address 1 192.168.0.1
  ipsec ike local id 1 1.1.1.0/24
  ipsec ike pre-shared-key 1 text yamaha
  ipsec ike remote address 1 192.168.0.2
  ipsec ike remote id 1 2.2.2.0/24
 ip tunnel tcp mss limit 1350
 tunnel enable 1
ipsec use on
ipsec auto refresh on
```
yamahaA status
```
yamahaA# show ipsec sa
Total: isakmp:1 send:1 recv:1

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1    -    isakmp         -    28602   192.168.0.2
2     1    1    tun[0001]esp   send 3404    192.168.0.2
3     1    1    tun[0001]esp   recv 3404    192.168.0.2

yamahaA# show ipsec sa gateway 1 detail
SA[1] Lifetime: 28581 seconds
Local identifier: 192.168.0.1
Remote identifier: 192.168.0.2
Protocol: IKE
Algorithm: 3DES-CBC, SHA-1, MODP 1024bit
SPI: ca a3 46 96 1d 2b 8b 29 44 eb 66 50 85 30 82 d3
Key: 03 57 b4 2d 1c f2 3d 2f
----------------------------------------------------
SA[2] Lifetime: 3383 seconds
Local identifier: 192.168.0.1
Remote identifier: 192.168.0.2
Direction: send
Protocol: ESP (mode: tunnel)
Algorithm: 3DES-CBC (authentication: HMAC-SHA)
SPI: 9e 70 9c 9a
Key: 15 fb 35 b9 7d 80 dc c0 a1 96 d3 a5 fb 63 c5 cd
----------------------------------------------------
SA[3] Lifetime: 3383 seconds
Local identifier: 192.168.0.1
Remote identifier: 192.168.0.2
Direction: receive
Protocol: ESP (mode: tunnel)
Algorithm: 3DES-CBC (authentication: HMAC-SHA)
SPI: c2 21 52 39
Key: 37 41 02 82 0f 2d 46 48 a9 30 bb ba 89 8a 7f be
----------------------------------------------------
```
Note that `show ipsec sa gateway 1 detail` prints the negotiated SA keys themselves, so treat that output as secret: anyone who has it plus a capture of the ESP traffic can decrypt it until the SA is rekeyed.
ciscoB (cisco)
CISCO892-K9
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.3(3)M2
c890-universalk9-mz.153-3.M2.bin
ciscoB config
```
ciscoB#show run
Building configuration...

Current configuration : 2030 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ciscoB
!
boot-start-marker
boot config flash:startup-config
boot-end-marker
!
aqm-register-fnf
!
logging buffered 40960
!
no aaa new-model
memory-size iomem 15
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
no spanning-tree vlan 1
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key yamaha address 192.168.0.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode tunnel
!
crypto map TEST local-address GigabitEthernet0
crypto map TEST 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set IPSEC
 match address 100
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface Vlan1
 ip address 2.2.2.254 255.255.255.0
 ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 1.1.1.0 255.255.255.0 192.168.0.1
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 log
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
```
ciscoB status
```
ciscoB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 192.168.0.1
      2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        2.2.2.0/24 is directly connected, Vlan1
L        2.2.2.254/32 is directly connected, Vlan1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet0
L        192.168.0.2/32 is directly connected, GigabitEthernet0

ciscoB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.0.2     192.168.0.1     QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

ciscoB#show crypto ipsec sa

interface: GigabitEthernet0
    Crypto map tag: TEST, local addr 192.168.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 237, #pkts encrypt: 237, #pkts digest: 237
    #pkts decaps: 237, #pkts decrypt: 237, #pkts verify: 237
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.2, remote crypto endpt.: 192.168.0.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0xC2215239(3256963641)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9E709C9A(2658180250)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4251096/3257)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC2215239(3256963641)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4251096/3257)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

ciscoB#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

ciscoB#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set IPSEC: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
```
Cross-check against the yamahaA output: ciscoB's inbound SPI 0x9E709C9A is yamahaA's send SA (SA[2], SPI 9e 70 9c 9a) and its outbound SPI 0xC2215239 is yamahaA's receive SA (SA[3]), so both routers hold the same SA pair. The `local ident` / `remote ident` lines are exactly crypto ACL 100 and therefore the mirror image of the RTX `ipsec ike local id` / `remote id` settings, and `PFS (Y/N): N` confirms that neither side asked for perfect forward secrecy. The equal encaps/decaps counters (237/237) with zero send/recv errors show traffic flowing in both directions.
Aging test
I kept pinging 1.1.1.1 -> 2.2.2.2 and 2.2.2.2 -> 1.1.1.1 continuously for about 12 hours;
in total there were about 3 or 4 one-second timeouts in each direction.
If that is acceptable, fine; if it is not, go with the same vendor on both ends.