NETWORK ENGINEER BLOG

Tips and Reviews for Engineers

Pseudo VPN with SEIL/x86 (L2TPv3 over IPsec)

This post shows an example configuration that applies IPsec to the L2TPv3 environment from the previous post.
The IPsec selector (security policy) is defined so that it matches the packets encapsulated by L2TPv3 between the two routers.

The IKE/IPsec parameters used are as follows.

  • IKE: encryption algorithm (encryption): AES (aes)
  • IKE: hash algorithm (hash): SHA-1 (sha1)
  • IKE: DH group (dh-group): 1024-bit MODP DH group (modp1024)
  • IKE: lifetime (lifetime-of-time): 12 hours (12h)
  • IKE: key exchange mode (exchange-mode): main mode (main)
  • IPsec: encryption algorithm (encryption-algorithm): AES (aes)
  • IPsec: authentication algorithm (authentication-algorithm): HMAC-SHA1 (hmac-sha1)
  • IPsec: PFS group (pfs-group): 1024-bit MODP DH group (modp1024)
  • IPsec: lifetime (lifetime-of-time): 6 hours (6h)

Kobe site router (SEIL/x86)
# show config ike
ike auto-initiation enable
ike preshared-key add "10.1.2.1" "seil"
ike proposal add IKEP encryption aes hash sha1 authentication preshared-key
 dh-group modp1024 lifetime-of-time 12h
ike peer add PEER address 10.1.2.1 exchange-mode main proposals IKEP initial-contact
 enable my-identifier address peers-identifier address

# show config ipsec
ipsec security-association proposal add SAP pfs-group modp1024 authentication-algorithm
 hmac-sha1 encryption-algorithm aes lifetime-of-time 06h
ipsec security-association add SA transport 10.1.1.1 10.1.2.1 ike SAP esp enable
ipsec security-policy add SP security-association SA src 10.1.1.1/32 dst 10.1.2.1/32

Osaka site router (SEIL/x86)
# show config ike
ike auto-initiation enable
ike preshared-key add "10.1.1.1" "seil"
ike proposal add IKEP encryption aes hash sha1 authentication preshared-key
 dh-group modp1024 lifetime-of-time 12h
ike peer add PEER address 10.1.1.1 exchange-mode main proposals IKEP initial-contact
 enable my-identifier address peers-identifier address

# show config ipsec
ipsec security-association proposal add SAP pfs-group modp1024 authentication-algorithm 
 hmac-sha1 encryption-algorithm aes lifetime-of-time 06h
ipsec security-association add SA transport 10.1.2.1 10.1.1.1 ike SAP esp enable
ipsec security-policy add SP security-association SA src 10.1.2.1/32 dst 10.1.1.1/32
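
Because a transport-mode IPsec pair like this only comes up when the two sides are exact mirror images, it is worth checking both configs against each other before loading them. The following Python script is an added example and not part of the original post or of the SEIL product; it parses the two "show config" outputs above (the CLI's wrapped lines re-joined onto single lines, as a constructed sample), confirms that PSK, peer addresses, proposals, transport SA endpoints and policy selectors mirror each other, and separately lists the negotiated parameters that are below current IETF/NIST recommendations (1024-bit MODP and SHA-1).

```python
# Constructed sample: the two "show config" snippets from this post, with the CLI's wrapped lines re-joined.
KOBE = """\
ike preshared-key add "10.1.2.1" "seil"
ike proposal add IKEP encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ike peer add PEER address 10.1.2.1 exchange-mode main proposals IKEP initial-contact enable my-identifier address peers-identifier address
ipsec security-association proposal add SAP pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 06h
ipsec security-association add SA transport 10.1.1.1 10.1.2.1 ike SAP esp enable
ipsec security-policy add SP security-association SA src 10.1.1.1/32 dst 10.1.2.1/32
"""
# The Osaka side is the exact mirror image: every 10.1.1.1 and 10.1.2.1 swapped.
OSAKA = KOBE.replace("10.1.1.1", "X").replace("10.1.2.1", "10.1.1.1").replace("X", "10.1.2.1")
# Values below current IETF/NIST recommendations (1024-bit MODP is DH group 2; SHA-1).
WEAK = {"modp1024", "sha1", "hmac-sha1"}

def parse(cfg):
    """Extract the fields the consistency check needs from one router's config."""
    d = {}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:3] == ["ike", "preshared-key", "add"]:
            d["psk_peer"], d["psk"] = w[3].strip('"'), w[4].strip('"')
        elif w[:3] == ["ike", "proposal", "add"]:
            d["ike"] = dict(zip(w[4::2], w[5::2]))      # encryption, hash, dh-group, ...
        elif w[:3] == ["ike", "peer", "add"]:
            d["peer"] = dict(zip(w[4::2], w[5::2]))["address"]
        elif w[:4] == ["ipsec", "security-association", "proposal", "add"]:
            d["sap"] = dict(zip(w[5::2], w[6::2]))      # pfs-group, algorithms, lifetime
        elif w[:3] == ["ipsec", "security-association", "add"]:
            d["local"], d["remote"] = w[5], w[6]        # transport-mode SA endpoints
        elif w[:3] == ["ipsec", "security-policy", "add"]:
            d.update(dict(zip(w[4::2], w[5::2])))       # adds "src" and "dst" selectors
    return d

def weak_params(d):
    return WEAK & (set(d["ike"].values()) | set(d["sap"].values()))

def check_pair(a, b):
    """Mismatch findings for two sides; an empty list means they mirror each other."""
    out = []
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    for me, other in ((a, b), (b, a)):
        if me["psk_peer"] != other["local"] or me["peer"] != other["local"]:
            out.append(f"{me['local']}: PSK/peer address is not the other side's SA address")
    if a["ike"] != b["ike"] or a["sap"] != b["sap"]:
        out.append("IKE or IPsec proposals differ")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("transport SA endpoints are not mirrored")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        out.append("security-policy selectors are not mirrored")
    return out
```

For the configs in this post check_pair() returns no findings, while weak_params() reports modp1024, sha1 and hmac-sha1.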

Verification example (Kobe site router)

# show status ike
IKE server: up
IKE Phase1 Sessions:
        10.1.1.1 10.1.2.1
                Cookies: 0x4be4f052:0xac0070b5
                Status: established
                Side: responder
                Phase2 Negotiations: 2
                Created Time: 2012-02-12 09:35:56
                Lifetime: 43200
                Identity (local): 10.1.1.1/32 (AddressPrefix)
                Identity (remote): 10.1.2.1/32 (AddressPrefix)
        10.1.1.1 10.1.2.1
                Cookies: 0x4b6b2af3:0x14df34a2
                Status: established
                Side: initiator
                Phase2 Negotiations: 0
                Created Time: 2012-02-12 09:36:00
                Lifetime: 43200
                Identity (local): 10.1.1.1/32 (AddressPrefix)
                Identity (remote): 10.1.2.1/32 (AddressPrefix)

# show status ipsec
10.1.1.1 10.1.2.1
        ESP transport spi=229258877(0x0DAA367D)
        Encap: AES128 0x6AFA9F87F13E09FDAF5895A782BE61EA
        Auth: HMAC-SHA1 0x6D1E6F8D4072CBD04EA2159D29F37D67D6D9763F
        State: mature
        Add Time: 2012-02-12 09:36:05
        Use Time: 2012-02-12 10:03:30
        Use Packets: 1297
        Use Bytes: 216984
        Lifetime (soft/hard): 17280/21600
10.1.2.1 10.1.1.1
        ESP transport spi=10858513(0x00A5B011)
        Encap: AES128 0x0DF9D5E166AC40149825D6259D8744AE
        Auth: HMAC-SHA1 0x3AB102C06A1F8B71865C27F63CB2444B07FED18B
        State: mature
        Add Time: 2012-02-12 09:36:05
        Use Time: 2012-02-12 10:03:30
        Use Packets: 1165
        Use Bytes: 137817
        Lifetime (soft/hard): 17280/21600 
10.1.2.1 10.1.1.1
        ESP transport spi=220625588(0x0D267AB4)
        Encap: AES128 0xE55887D405815A25973DA5DF6AF583CA
        Auth: HMAC-SHA1 0x357C367A39D94512F0DC6563892E2AE10A584EB4
        State: mature
        Add Time: 2012-02-12 09:36:00
        Use Time: 2012-02-12 09:36:01
        Use Packets: 2
        Use Bytes: 134
        Lifetime (soft/hard): 17280/21600

Capture example: Kobe_WAN dvSwitch (packet capture screenshot)