GRE over IPsec (encrypting GRE tunnel packets with IPsec)

What is GRE over IPsec

The packets of a GRE tunnel are encrypted with IPsec. GRE itself provides neither confidentiality nor integrity, so the GRE packets (IP protocol 47) exchanged between the two tunnel endpoints are carried inside an IPsec security association; everything that travels inside the tunnel, including routing-protocol and multicast traffic, is protected as a result.

Because a GRE tunnel can carry multicast, multicast routing can run across it, which is why this design is sometimes used in test environments in the financial sector.
(In production the sites are connected over the data center's own premises cabling rather than an IPsec VPN.)


GRE (Generic Routing Encapsulation)

A multiprotocol tunnelling protocol (RFC 2784) that can carry traffic a policy-based IPsec VPN on its own does not, such as dynamic routing protocols and multicast routing.


Cisco configuration example

Creating the GRE tunnel (Cisco)

interface Tunnel0
  description xx xx xx
  ip address xxx.local.xxx.xxx 255.255.255.252
  ip pim sparse-mode
  tunnel source xx.local.xxx.xx
  tunnel destination xx.target.xx.xx

IPsec configuration (Cisco)

crypto isakmp policy 10
  encr aes 256
  hash sha384
  authentication pre-share
  group 14
crypto isakmp key ************* address xx.target.xx.xx


crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac


crypto map TEST-IPSEC-VPN-MAP 10 ipsec-isakmp
  description xxxxxxx xxxxxx
  set peer xx.target.xx.xx
  set transform-set ESP-AES256-SHA
  set pfs group2
  match address TEST-TEST


ip access-list extended TEST-TEST
  permit ip host xx.local.xx.xx host xx.target.xx.xx


interface Ethernet0/0
  crypto map TEST-IPSEC-VPN-MAP

Notes on this configuration. The crypto map is applied to the physical interface that owns the tunnel source address, not to Tunnel0; the GRE packets leaving Ethernet0/0 carry the two endpoint addresses in their outer header, which is what makes them match TEST-TEST and get encrypted. The ACL as written selects all IP traffic between the two endpoints; "permit gre host xx.local.xx.xx host xx.target.xx.xx" would restrict the SA to the tunnel itself. "set pfs group2" uses 1024-bit MODP, which is weaker than the group 14 negotiated in phase 1; use group 14 or higher for PFS as well.
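The point of the crypto ACL above is that it inspects only the outer header of the GRE packet, so a multicast or routing-protocol packet that would never match a crypto ACL on its own is encrypted simply because it is wrapped in GRE between the two endpoints. The following Python is an added example (not from the original page and not Cisco code): it builds a base GRE-over-IPv4 packet (RFC 2784) around a constructed multicast packet, unwraps it again, and emulates a crypto-map "match address" check for the "permit ip" ACL on the page and for a tighter "permit gre" variant. Endpoint addresses, the inner packet and the ACL entries are constructed placeholders.

```python
"""Added example, not from the original page: GRE-over-IPv4 encapsulation and
a crypto-ACL check in the spirit of the Cisco access-list TEST-TEST above.
All addresses and payloads are constructed placeholders (RFC 5737 ranges)."""
import ipaddress
import struct

IP_PROTO_GRE = 47
IP_PROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet without options."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[20:total_len])


def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a base GRE header (RFC 2784, no C/K/S bits)
    and an outer IPv4 header, as the router does for 'interface Tunnel0'."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tun_src, tun_dst, IP_PROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers, skipping the optional
    checksum/key/sequence fields if the peer set them."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return payload[hdr_len:]


def acl_permits(pkt: bytes, acl) -> bool:
    """Emulate a crypto-map 'match address' ACL. acl is a list of
    (proto, src_net, dst_net) with proto either 'ip' (any) or an IP protocol
    number. Only the OUTER header is inspected, exactly as the crypto ACL does."""
    src, dst, proto, _ = parse_ipv4(pkt)
    for ace_proto, ace_src, ace_dst in acl:
        if ace_proto not in ("ip", proto):
            continue
        if (ipaddress.ip_address(src) in ipaddress.ip_network(ace_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(ace_dst)):
            return True
    return False


# Constructed sample: local/target tunnel endpoints and a multicast packet
# inside the tunnel (the kind of traffic 'ip pim sparse-mode' forwards).
LOCAL, TARGET = "198.51.100.1", "203.0.113.1"
UDP = struct.pack("!HHHH", 5000, 5000, 8 + 10, 0) + b"mcast-data"   # UDP checksum 0 = none
INNER = ipv4_header("10.0.0.1", "239.1.1.1", IP_PROTO_UDP, len(UDP)) + UDP

ACL_IP = [("ip", f"{LOCAL}/32", f"{TARGET}/32")]           # as on the page: permit ip host A host B
ACL_GRE = [(IP_PROTO_GRE, f"{LOCAL}/32", f"{TARGET}/32")]  # tighter: permit gre host A host B


def demo():
    wrapped = gre_encapsulate(INNER, LOCAL, TARGET)
    return {
        "outer_proto": parse_ipv4(wrapped)[2],
        "mcast_raw_encrypted": acl_permits(INNER, ACL_IP),     # 239.1.1.1 never matches
        "mcast_in_gre_encrypted": acl_permits(wrapped, ACL_IP),
        "gre_only_acl_matches": acl_permits(wrapped, ACL_GRE),
        "roundtrip_ok": gre_decapsulate(wrapped) == INNER,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the raw multicast packet is not selected by the ACL, the same packet wrapped in GRE is, and the "permit gre" form still selects it while leaving unrelated unicast traffic between the endpoints outside the SA.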


Juniper SRX configuration example

Creating the GRE tunnel (Juniper SRX)

set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source xx.local.xx.xx
set interfaces gr-0/0/0 unit 0 tunnel destination xx.target.xx.xx
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address xx.local.xx.xx/30
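The "family inet mtu 1400", "allow-fragmentation" and "clear-dont-fragment-bit" settings above exist because every inner packet grows by the GRE and outer IP headers and then again by ESP, and a packet that fits the physical link before encryption may not fit afterwards. The following Python is an added example (not from the original page and not Junos code) that computes that overhead for the cipher and integrity algorithms used on this page and checks whether a given gr- interface MTU avoids post-encryption fragmentation. The header sizes follow RFC 2784 (base GRE header) and RFC 4303 (ESP); the algorithm labels, the 1500-byte link MTU and the function names are my assumptions.

```python
"""Added example, not from the original page: how large an inner packet may be
before GRE + ESP encapsulation exceeds the link MTU, to sanity-check values such
as 'family inet mtu 1400' on gr-0/0/0. IPv4 without options, base GRE header."""

IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # base GRE header: no checksum/key/sequence fields
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
NAT_T_UDP = 8      # UDP header added when NAT traversal (UDP/4500) is in use

# ESP integrity algorithm (Junos-style label, assumed) -> ICV length in bytes
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha256-128": 16,
           "hmac-sha384-192": 24, "hmac-sha512-256": 32}
# ESP cipher (Junos-style label, assumed) -> (IV length, padding block size)
CIPHER = {"aes-128-cbc": (16, 16), "aes-256-cbc": (16, 16), "3des-cbc": (8, 8)}


def gre_over_ipsec_size(inner_len, cipher, auth, tunnel=True, nat_t=False):
    """Bytes on the wire for one inner packet after GRE and ESP encapsulation."""
    iv_len, block = CIPHER[cipher]
    if tunnel:
        # tunnel mode: ESP encrypts the whole GRE packet (outer IP + GRE + inner)
        # and a fresh IP header is prepended
        encrypted = IP_HDR + GRE_HDR + inner_len
    else:
        # transport mode: the GRE packet's own IP header stays outside ESP,
        # only GRE + inner is encrypted
        encrypted = GRE_HDR + inner_len
    # plaintext + trailer padded up to the cipher block size
    padded = -(-(encrypted + ESP_TRAILER) // block) * block
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len + padded + ICV_LEN[auth]


def max_inner_mtu(link_mtu, cipher, auth, tunnel=True, nat_t=False):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    for inner in range(link_mtu, 0, -1):
        if gre_over_ipsec_size(inner, cipher, auth, tunnel, nat_t) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


def tunnel_mtu_fits(configured_mtu, link_mtu, cipher, auth, tunnel=True, nat_t=False):
    """True if a full-size packet on the GRE interface avoids fragmentation after ESP."""
    return configured_mtu <= max_inner_mtu(link_mtu, cipher, auth, tunnel, nat_t)


if __name__ == "__main__":
    # constructed sample: 1500-byte link, the two algorithm pairs seen on this page
    for cipher, auth in [("aes-128-cbc", "hmac-sha1-96"), ("aes-256-cbc", "hmac-sha384-192")]:
        print(cipher, auth,
              "max inner MTU:", max_inner_mtu(1500, cipher, auth),
              "mtu 1400 fits:", tunnel_mtu_fits(1400, 1500, cipher, auth))
```

With aes-128-cbc and hmac-sha1-96 (the phase 2 algorithms on this page) the largest inner packet that fits a 1500-byte link is 1414 bytes, so "mtu 1400" leaves a small margin; switching the integrity algorithm to hmac-sha384-192 or adding NAT traversal drops the limit to 1398 bytes, and 1400 would then fragment after encryption. Transport mode saves the extra 20-byte IP header, which is why it is often chosen for GRE over IPsec.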


IPsec configuration (Juniper SRX)

set interfaces st0 unit 0 family inet

set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0

## Phase 1 (IKE) ##
# proposal #
set security ike proposal P1 authentication-method pre-shared-keys
set security ike proposal P1 dh-group group2
set security ike proposal P1 authentication-algorithm sha1
set security ike proposal P1 encryption-algorithm aes-128-cbc

# policy #
set security ike policy IKE-Policy mode main
set security ike policy IKE-Policy proposals P1
set security ike policy IKE-Policy pre-shared-key ascii-text "*********"

# gateway #
set security ike gateway Gateway-A external-interface ge-0/0/0.0
set security ike gateway Gateway-A ike-policy IKE-Policy
set security ike gateway Gateway-A address 10.1.2.100
set security ike gateway Gateway-A dead-peer-detection



## Phase 2 (IPsec) ##
# proposal #
set security ipsec proposal P2 protocol esp
set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
set security ipsec proposal P2 encryption-algorithm aes-128-cbc

# policy #
set security ipsec policy IPsec-Policy proposals P2
set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2

# vpn #
set security ipsec vpn VPN-A ike gateway Gateway-A
set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike proxy-identity local x.x.x.x/24
set security ipsec vpn VPN-A ike proxy-identity remote x.x.x.x/24

Not shown above: for the GRE packets to actually be encrypted, the GRE tunnel destination (xx.target.xx.xx) must itself be routed through st0.0 (a static route for that host with next-hop st0.0); otherwise the SRX sends the GRE packets in cleartext out of ge-0/0/0.0. The security zones and policies for gr-0/0/0.0 and st0.0 are also omitted here. The algorithms chosen in both phases (group2, sha1, aes-128-cbc) are legacy values; group14 or higher and sha-256 are preferable where the peer supports them. They also differ from the Cisco example above (aes 256, sha384, group 14), so the two examples are not a matching pair as written; if they are the two ends of one tunnel, the IKE and IPsec proposals must agree on both sides.


knowledge/gre-over-ipsec.txt · Last modified: 2020/11/24 01:58 by kurihara
