The GRE tunnel packets are encrypted with IPsec.
Because a GRE tunnel makes multicast routing available across the link, this setup is sometimes used in test environments in the financial sector.
(In production, the sites are connected by premises wiring inside the data center rather than by an IPsec VPN.)
GRE is a multiprotocol tunneling protocol that can carry dynamic routing, multicast routing and similar traffic.
Cisco IOS side (GRE tunnel interface, then the IPsec crypto map applied to the physical interface):

interface Tunnel0
 description xx xx xx
 ip address xxx.local.xxx.xxx 255.255.255.252
 ip pim sparse-mode
 tunnel source xx.local.xxx.xx
 tunnel destination xx.target.xx.xx

crypto isakmp policy 10
 encr aes 256
 hash sha384
 authentication pre-share
 group 14
crypto isakmp key ************* address xx.target.xx.xx
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map TEST-IPSEC-VPN-MAP 10 ipsec-isakmp
 description xxxxxxx xxxxxx
 set peer xx.target.xx.xx
 set transform-set ESP-AES256-SHA
 set pfs group2
 match address TEST-TEST
ip access-list extended TEST-TEST
 permit ip host xx.local.xx.xx host xx.target.xx.xx
interface eth0/0
 crypto map TEST-IPSEC-VPN-MAP
Junos side (GRE interface gr-0/0/0 with a reduced MTU, then the IKE/IPsec configuration):

set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source xx.local.xx.xx
set interfaces gr-0/0/0 unit 0 tunnel destination xx.target.xx.xx
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address xx.local.xx.xx/30

set interfaces st0 unit 0 family inet
set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0
## Phase 1 (IKE) ##
# proposal #
set security ike proposal P1 authentication-method pre-shared-keys
set security ike proposal P1 dh-group group2
set security ike proposal P1 authentication-algorithm sha1
set security ike proposal P1 encryption-algorithm aes-128-cbc
# policy #
set security ike policy IKE-Policy mode main
set security ike policy IKE-Policy proposals P1
set security ike policy IKE-Policy pre-shared-key ascii-text "*********"
# gateway #
set security ike gateway Gateway-A external-interface ge-0/0/0.0
set security ike gateway Gateway-A ike-policy IKE-Policy
set security ike gateway Gateway-A address 10.1.2.100
set security ike gateway Gateway-A dead-peer-detection
## Phase 2 (IPsec) ##
# proposal #
set security ipsec proposal P2 protocol esp
set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
set security ipsec proposal P2 encryption-algorithm aes-128-cbc
# policy #
set security ipsec policy IPsec-Policy proposals P2
set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2
# vpn #
set security ipsec vpn VPN-A ike gateway Gateway-A
set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike proxy-identity local x.x.x.x/24
set security ipsec vpn VPN-A ike proxy-identity remote x.x.x.x/24
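To see what the mtu 1400, clear-dont-fragment-bit and allow-fragmentation settings above are working around, here is an added Python example (not part of the original page) that computes the GRE-over-IPsec encapsulation overhead for the ESP/AES-CBC/HMAC-SHA1-96 combination the page configures; the header and ICV sizes are assumptions taken from the RFCs, not from the page.

```python
# Added example (not from the page): GRE-over-IPsec overhead calculator.
# Assumes ESP tunnel mode, AES-CBC and a 96-bit HMAC-SHA1 ICV, matching the
# page's esp-aes/esp-sha-hmac and aes-128-cbc/hmac-sha1-96 proposals.
# Header sizes: RFC 2784 (GRE), RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 2404.

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # base GRE header (flags/version + protocol type)
GRE_KEY = 4          # optional key field, present when a tunnel key is set
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}
BLOCK_LEN = {"aes-128-cbc": 16, "aes-256-cbc": 16, "3des-cbc": 8}


def gre_size(inner_len, gre_key=False):
    """Bytes on the wire after GRE encapsulation of an inner_len-byte packet."""
    return IP_HDR + GRE_HDR + (GRE_KEY if gre_key else 0) + inner_len


def esp_tunnel_size(plain_len, cipher="aes-128-cbc", auth="hmac-sha1-96"):
    """Bytes on the wire after ESP tunnel-mode encapsulation of plain_len bytes."""
    block = BLOCK_LEN[cipher]
    iv_len = block                                   # CBC IV is one block
    # RFC 4303: payload + padding + pad-length + next-header must be a
    # multiple of the cipher block size, so pad up to the next boundary.
    pad = (-(plain_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + plain_len + pad + ESP_TRAILER + ICV_LEN[auth]


def max_inner_mtu(link_mtu=1500, cipher="aes-128-cbc", auth="hmac-sha1-96",
                  gre_key=False):
    """Largest inner packet that survives GRE + ESP without fragmentation.

    The limit moves in cipher-block steps, so a rounder value such as the
    page's 1400 leaves headroom for GRE options or a longer ICV.
    """
    inner = link_mtu
    while esp_tunnel_size(gre_size(inner, gre_key), cipher, auth) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """TCP MSS to clamp on the tunnel so segments fit the inner MTU (IPv4+TCP = 40)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for key in (False, True):
        m = max_inner_mtu(gre_key=key)
        print(f"gre_key={key}: inner MTU {m}, clamp MSS to {tcp_mss_for(m)}")
```

For a 1500-byte link with the page's AES-CBC and HMAC-SHA1-96, the inner limit comes out at 1414 bytes (1410 with a GRE key), so the configured 1400 keeps a margin; clearing DF on the GRE interface only papers over packets that exceed it.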