For an overview of SEIL/x86, please refer to the linked page.
Test environment
This is a configuration example that applies IPsec to the L2TPv3 configuration posted previously.
The packets encapsulated by L2TPv3 are matched by the IPsec selector (the security policy defined between the two routers' WAN addresses).
The IKE/IPsec parameters used are as follows.
- IKE: encryption algorithm (encryption): AES (aes)
- IKE: hash algorithm (hash): SHA-1 (sha1)
- IKE: DH group (dh-group): 1024-bit MODP DH group (modp1024)
- IKE: lifetime (lifetime-of-time): 12 hours (12h)
- IKE: key exchange mode (exchange-mode): main mode (main)
- IPsec: encryption algorithm (encryption-algorithm): AES (aes)
- IPsec: authentication algorithm (authentication-algorithm): HMAC-SHA1 (hmac-sha1)
- IPsec: PFS group (pfs-group): 1024-bit MODP DH group (modp1024)
- IPsec: lifetime (lifetime-of-time): 6 hours (6h)
Kobe site router (SEIL/x86)
# show config ike
ike auto-initiation enable
ike preshared-key add "10.1.2.1" "seil"
ike proposal add IKEP encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ike peer add PEER address 10.1.2.1 exchange-mode main proposals IKEP initial-contact enable my-identifier address peers-identifier address

# show config ipsec
ipsec security-association proposal add SAP pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 06h
ipsec security-association add SA transport 10.1.1.1 10.1.2.1 ike SAP esp enable
ipsec security-policy add SP security-association SA src 10.1.1.1/32 dst 10.1.2.1/32
Osaka site router (SEIL/x86)
# show config ike
ike auto-initiation enable
ike preshared-key add "10.1.1.1" "seil"
ike proposal add IKEP encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ike peer add PEER address 10.1.1.1 exchange-mode main proposals IKEP initial-contact enable my-identifier address peers-identifier address

# show config ipsec
ipsec security-association proposal add SAP pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 06h
ipsec security-association add SA transport 10.1.2.1 10.1.1.1 ike SAP esp enable
ipsec security-policy add SP security-association SA src 10.1.2.1/32 dst 10.1.1.1/32
Verification example (Kobe site router)
# show status ike
IKE server: up
IKE Phase1 Sessions:
  10.1.1.1 10.1.2.1
    Cookies: 0x4be4f052:0xac0070b5
    Status: established
    Side: responder
    Phase2 Negotiations: 2
    Created Time: 2012-02-12 09:35:56
    Lifetime: 43200
    Identity (local): 10.1.1.1/32 (AddressPrefix)
    Identity (remote): 10.1.2.1/32 (AddressPrefix)
  10.1.1.1 10.1.2.1
    Cookies: 0x4b6b2af3:0x14df34a2
    Status: established
    Side: initiator
    Phase2 Negotiations: 0
    Created Time: 2012-02-12 09:36:00
    Lifetime: 43200
    Identity (local): 10.1.1.1/32 (AddressPrefix)
    Identity (remote): 10.1.2.1/32 (AddressPrefix)

# show status ipsec
10.1.1.1 10.1.2.1 ESP transport spi=229258877(0x0DAA367D)
  Encap: AES128 0x6AFA9F87F13E09FDAF5895A782BE61EA
  Auth: HMAC-SHA1 0x6D1E6F8D4072CBD04EA2159D29F37D67D6D9763F
  State: mature
  Add Time: 2012-02-12 09:36:05
  Use Time: 2012-02-12 10:03:30
  Use Packets: 1297
  Use Bytes: 216984
  Lifetime (soft/hard): 17280/21600
10.1.2.1 10.1.1.1 ESP transport spi=10858513(0x00A5B011)
  Encap: AES128 0x0DF9D5E166AC40149825D6259D8744AE
  Auth: HMAC-SHA1 0x3AB102C06A1F8B71865C27F63CB2444B07FED18B
  State: mature
  Add Time: 2012-02-12 09:36:05
  Use Time: 2012-02-12 10:03:30
  Use Packets: 1165
  Use Bytes: 137817
  Lifetime (soft/hard): 17280/21600
10.1.2.1 10.1.1.1 ESP transport spi=220625588(0x0D267AB4)
  Encap: AES128 0xE55887D405815A25973DA5DF6AF583CA
  Auth: HMAC-SHA1 0x357C367A39D94512F0DC6563892E2AE10A584EB4
  State: mature
  Add Time: 2012-02-12 09:36:00
  Use Time: 2012-02-12 09:36:01
  Use Packets: 2
  Use Bytes: 134
  Lifetime (soft/hard): 17280/21600
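To confirm that the SAs actually negotiated match the proposal configured above (AES, HMAC-SHA1, transport mode, 6-hour hard lifetime between the two WAN addresses), the following added example parses "show status ipsec" output and reports any deviation. It is not code from the page or from SEIL; the sample output is constructed (its first SA reuses values shown above, the second deliberately deviates), and the line layout the parser assumes is whitespace-tolerant, so the flattened form also parses.

```python
import re

# Intended values from the page's "ipsec security-association proposal add SAP" lines.
POLICY = {"encap": "AES128", "auth": "HMAC-SHA1", "mode": "transport", "hard_lifetime": 6 * 3600,
          "peers": {("10.1.1.1", "10.1.2.1"), ("10.1.2.1", "10.1.1.1")}}

# One ESP SA of "show status ipsec"; whitespace-tolerant, so flattened output parses too.
SA_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3}) (?P<dst>\d+(?:\.\d+){3}) ESP (?P<mode>\w+) "
    r"spi=(?P<spi>\d+)\(0x[0-9A-Fa-f]+\)\s+Encap: (?P<encap>\S+) 0x[0-9A-Fa-f]+"
    r"\s+Auth: (?P<auth>\S+) 0x[0-9A-Fa-f]+\s+State: (?P<state>\w+).*?"
    r"Lifetime \(soft/hard\): (?P<soft>\d+)/(?P<hard>\d+)", re.DOTALL)

# Constructed sample: the first SA reuses values from the page's status output; the second
# deliberately deviates (tunnel mode, 3DES/HMAC-MD5, 8h hard lifetime) to exercise the checks.
SAMPLE = """\
10.1.1.1 10.1.2.1 ESP transport spi=229258877(0x0DAA367D)
  Encap: AES128 0x6AFA9F87F13E09FDAF5895A782BE61EA
  Auth: HMAC-SHA1 0x6D1E6F8D4072CBD04EA2159D29F37D67D6D9763F
  State: mature
  Lifetime (soft/hard): 17280/21600
10.1.2.1 10.1.1.1 ESP tunnel spi=1(0x00000001)
  Encap: 3DES 0x00
  Auth: HMAC-MD5 0x00
  State: mature
  Lifetime (soft/hard): 17280/28800
"""

def parse_sa_status(text):
    """Return one dict per ESP SA found in 'show status ipsec' output."""
    sas = []
    for m in SA_RE.finditer(text):
        sa = m.groupdict()
        for k in ("spi", "soft", "hard"):
            sa[k] = int(sa[k])
        sas.append(sa)
    return sas

def check_sa(sa, policy=POLICY):
    """List deviations of one SA from the intended policy; an empty list means it matches."""
    findings = []
    if (sa["src"], sa["dst"]) not in policy["peers"]:
        findings.append(f"unexpected peer pair {sa['src']} -> {sa['dst']}")
    for key in ("mode", "encap", "auth"):
        if sa[key] != policy[key]:
            findings.append(f"{key} is {sa[key]}, expected {policy[key]}")
    if sa["hard"] != policy["hard_lifetime"]:
        findings.append(f"hard lifetime {sa['hard']}s, expected {policy['hard_lifetime']}s")
    if not 0 < sa["soft"] < sa["hard"]:
        findings.append("soft lifetime must be shorter than hard lifetime so rekeying starts early")
    return findings
```

The proposal on this page (modp1024, SHA-1) reflects the defaults of its time; once the proposal is tightened, updating POLICY lets the same check pin the negotiated SAs to the stronger settings.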
Capture example: Kobe_WAN dvSwitch
End of document.