Dynamic routing across an IPsec tunnel (IPsec VTI)
An IPsec tunnel only carries unicast traffic, so I had assumed that running dynamic routing over one always meant GRE over IPsec, i.e. building a GRE tunnel, but I learned that there is another way to do it, so here is a memo.
The topology used for the test is the one shown above (Cisco 1812J).
First, the config for the GRE over IPsec case
# Verified by checking that the loopback address segments of R1 and R2 are advertised
R1
fa0→10.1.1.1/24
tun0→172.16.1.1/24
loop0→192.168.1.1/24
R2
fa0→10.1.1.2/24
tun0→172.16.1.2/24
loop0→192.168.2.1/24
<R1>
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.2
!
!
crypto ipsec transform-set TRANSFORM esp-des esp-sha-hmac
!
crypto map MAP 1 ipsec-isakmp
set peer 10.1.1.2
set transform-set TRANSFORM
match address 100
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source FastEthernet0
tunnel destination 10.1.1.2
crypto map MAP
!
interface FastEthernet0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map MAP
!
access-list 100 permit gre host 10.1.1.1 host 10.1.1.2
<R2>
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set TRANSFORM esp-des esp-sha-hmac
!
crypto map MAP 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set TRANSFORM
match address 100
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
tunnel source FastEthernet0
tunnel destination 10.1.1.1
crypto map MAP
!
interface FastEthernet0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map MAP
!
access-list 100 permit gre host 10.1.1.2 host 10.1.1.1
The above brings up a GRE over IPsec tunnel, and OSPF routes are exchanged over it.
There is plenty about this on the Web if you search for it.
The IPsec VTI case
# Verified by checking that the loopback address segments of R1 and R2 are advertised
R1
fa0→10.1.1.1/24
tun0→172.16.1.1/24
loop1→192.168.1.1/24
R2
fa0→10.1.1.2/24
tun0→172.16.1.2/24
loop1→192.168.2.1/24
<R1>
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.2
!
!
crypto ipsec transform-set TRANSFORM esp-des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TRANSFORM
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source FastEthernet0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.2
tunnel protection ipsec profile VTI
!
interface FastEthernet0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
<R2>
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set TRANSFORM esp-des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TRANSFORM
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
tunnel source FastEthernet0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile VTI
!
interface FastEthernet0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
Verification
R1>show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.1.2 0 FULL/ - 00:00:37 172.16.1.2 Tunnel0
→ The neighbor is recognized correctly.
R1>sho ip route ospf
O 192.168.2.0/24 [110/1001] via 172.16.1.2, 01:35:20, Tunnel0
→ R2's Loop1 address is being received.
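To make the difference between the two configs concrete, here is a small model (an added example, not code from the post) of why OSPF needs a GRE tunnel under a crypto map but not under a VTI: the crypto map protects only packets matching ACL 100 from R1's config, while the VTI protects whatever is sent into Tunnel0. The packets, route table and helper names are constructed for the example.

```python
"""Added example (not from the post): why OSPF needs GRE under a crypto map but not a VTI."""
from dataclasses import dataclass
import ipaddress

OSPF, GRE = 89, 47             # IP protocol numbers
ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF hello destination (multicast)

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str

# R1's crypto ACL from the post: access-list 100 permit gre host 10.1.1.1 host 10.1.1.2
R1_ACL_100 = [(GRE, "10.1.1.1", "10.1.1.2")]
# R1's forwarding table under the VTI config: connected fa0 plus "ip route 0.0.0.0 0.0.0.0 Tunnel0"
R1_VTI_ROUTES = {"10.1.1.0/24": "FastEthernet0", "0.0.0.0/0": "Tunnel0"}

def acl_match(pkt: Packet, acl) -> bool:
    return any(pkt.proto == p and pkt.src == s and pkt.dst == d for p, s, d in acl)

def gre_encapsulate(pkt: Packet, tun_src: str, tun_dst: str) -> Packet:
    """A GRE tunnel wraps the inner packet (multicast included) in a unicast outer header."""
    return Packet(GRE, tun_src, tun_dst)

def crypto_map_forward(pkt: Packet, acl) -> str:
    """Policy-based IPsec: only packets matching the crypto-map ACL get ESP."""
    return "esp" if acl_match(pkt, acl) else "cleartext"

def egress_interface(dst: str, routes) -> str:
    """Longest-prefix match over the constructed route table."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in routes]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return routes[str(best)]

def bare_crypto_map(pkt: Packet) -> str:
    """OSPF straight on the crypto-map interface, no tunnel: a hello never matches ACL 100."""
    return crypto_map_forward(pkt, R1_ACL_100)

def gre_over_ipsec(pkt: Packet) -> str:
    """The post's first config: GRE Tunnel0 plus 'crypto map MAP' on FastEthernet0."""
    return crypto_map_forward(gre_encapsulate(pkt, "10.1.1.1", "10.1.1.2"), R1_ACL_100)

def vti(pkt: Packet, emitted_on: str = "") -> str:
    """The post's second config: 'tunnel mode ipsec ipv4' + 'tunnel protection'.
    Anything generated on Tunnel0 or routed into it is protected; no crypto ACL exists."""
    iface = emitted_on or egress_interface(pkt.dst, R1_VTI_ROUTES)
    return "esp" if iface == "Tunnel0" else "cleartext"

HELLO = Packet(OSPF, "172.16.1.1", ALL_SPF_ROUTERS)    # constructed OSPF hello from R1's tun0
LOOP_TO_LOOP = Packet(1, "192.168.1.1", "192.168.2.1")  # constructed ICMP between the loopbacks
```

Running the hello through all three paths shows the bare crypto map leaving it unprotected, GRE over IPsec and the VTI both protecting it, and the VTI also protecting loopback-to-loopback traffic via the default route to Tunnel0.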
Personally, I find the IPsec VTI config easier to get a handle on...
That said, GRE over IPsec is probably still a must-know.