Doing Business in Japan, Bit by Bit

Continuing my IT business after returning from New Zealand..

Linux-side log
# less /var/log/secure
Aug 15 18:38:48 fedora7logitech pluto[18442]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 15 18:38:48 fedora7logitech pluto[18442]: starting up 1 cryptographic helpers
Aug 15 18:38:48 fedora7logitech pluto[18442]: started helper pid=18444 (fd:6)
Aug 15 18:38:48 fedora7logitech pluto[18442]: Using NETKEY IPsec interface code on 2.6.23.17-88.fc7
Aug 15 18:38:50 fedora7logitech pluto[18442]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 15 18:38:50 fedora7logitech pluto[18442]: Changing to directory '/etc/ipsec.d/aacerts'
Aug 15 18:38:50 fedora7logitech pluto[18442]: Changing to directory '/etc/ipsec.d/ocspcerts'
Aug 15 18:38:50 fedora7logitech pluto[18442]: Changing to directory '/etc/ipsec.d/crls'
Aug 15 18:38:50 fedora7logitech pluto[18442]: Warning: empty directory
Aug 15 18:38:50 fedora7logitech pluto[18442]: added connection description "net-to-net"
Aug 15 18:38:50 fedora7logitech pluto[18442]: listening for IKE messages
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth2/eth2 192.168.2.25:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth2/eth2 192.168.2.25:4500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth0/eth0 192.168.1.25:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth0/eth0 192.168.1.25:4500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth0/eth0 192.168.1.38:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth0/eth0 192.168.1.38:4500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth1/eth1 192.168.0.25:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface eth1/eth1 192.168.0.25:4500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface lo/lo 127.0.0.1:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface lo/lo 127.0.0.1:4500
Aug 15 18:38:50 fedora7logitech pluto[18442]: adding interface lo/lo ::1:500
Aug 15 18:38:50 fedora7logitech pluto[18442]: loading secrets from "/etc/ipsec.secrets"
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: initiating Main Mode
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: received Vendor ID payload [Cisco-Unity]
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: ignoring unknown Vendor ID payload [408d03183d173dd4e3f79e9ecda70e19]
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: received Vendor ID payload [XAUTH]
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: I did not send a certificate because I do not have one.
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.253'
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 15 18:38:51 fedora7logitech pluto[18442]: "net-to-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Aug 15 18:38:52 fedora7logitech pluto[18442]: "net-to-net" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Aug 15 18:38:52 fedora7logitech pluto[18442]: "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 15 18:38:52 fedora7logitech pluto[18442]: "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x337983d4 <0xcadc9537 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}


Cisco - Linux IPsec configuration


Well, Cisco-to-Cisco or Linux-to-Linux can be set up easily just by following the basic configuration in the manuals, but Cisco-to-Linux was a road full of hardship..
There may be others who want to do the same thing I did, so I'm sharing it here.


<Environment>
Cisco side
Hardware: cisco 1721
Software: IOS 12.2
Module: Virtual Private Network (VPN) Module

Linux side
Distribution: fedora core 7
IPsec software: openswan-2.4.7-3


<Network topology>
192.168.2.0/24 (LAN behind the Linux box)
      |
   linux 192.168.0.25
      |
      | (IPsec traffic)
      |
   cisco router 192.168.0.253
      |
192.168.1.0/24 (LAN behind the Cisco router)



<Configuration> (only the key points extracted)
Cisco-side configuration
ciscorouter#sh run
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 192.168.0.25
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.0.25
 set transform-set myset
 set pfs group2
 match address 100
!
interface Ethernet0
 description IPSECWAN
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 description IPSECLAN
 ip address 192.168.1.253 255.255.255.0
 ip nat outside
 speed auto
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255






Linux-side configuration
# cat /etc/ipsec.conf
conn net-to-net
        left=192.168.0.25
        leftsubnet=192.168.2.0/24
        leftid=@fedora7logitech
        leftnexthop=%defaultroute
        esp=3des-sha1,3des-md5
        authby=secret
        right=192.168.0.253
        rightsubnet=192.168.1.0/24
        rightid=192.168.0.253
        rightnexthop=%defaultroute
        auto=start

# cat /etc/ipsec.secrets
: PSK "password"
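As an added example (not part of the original post), here is a small Python script that cross-checks the Cisco and Openswan sides above for the mismatches that most often keep a Cisco/Linux tunnel from coming up: the crypto map peer and the address the ISAKMP key is bound to versus `left`, the crypto access-list versus `rightsubnet`/`leftsubnet` (the router's own LAN is the ACL source, so the ACL has to be the mirror image of the conn), the IOS transform set versus the `esp=` proposals, and `set pfs` versus `pfs=`. The two inputs are the configuration lines from this post, embedded as constructed strings; the IOS-to-Openswan algorithm name table is my own assumption and only covers the names used here plus the common AES/MD5 variants.

```python
import ipaddress

# Constructed sample: the security-relevant lines of the Cisco "sh run" from this post.
CISCO_RUN = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 192.168.0.25
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.0.25
 set transform-set myset
 set pfs group2
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Constructed sample: the Openswan conn from this post's /etc/ipsec.conf.
OPENSWAN_CONF = """\
conn net-to-net
    left=192.168.0.25
    leftsubnet=192.168.2.0/24
    leftid=@fedora7logitech
    leftnexthop=%defaultroute
    esp=3des-sha1,3des-md5
    authby=secret
    right=192.168.0.253
    rightsubnet=192.168.1.0/24
    rightid=192.168.0.253
    rightnexthop=%defaultroute
    auto=start
"""

# Assumed mapping from IOS transform-set tokens to Openswan esp= names (only the
# algorithms this post uses plus the common AES/MD5 variants).
IOS_TO_OPENSWAN = {"esp-3des": "3des", "esp-aes": "aes", "esp-des": "des",
                   "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'network wildcard' pair into an ip_network (0.0.0.255 -> /24)."""
    hostbits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - hostbits}", strict=False)


def parse_cisco(text):
    """Pull peer, PSK binding, transform set, PFS and the crypto ACL out of the config."""
    c = {"acl": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "key"]:
            c["psk_peer"] = t[5]                     # crypto isakmp key KEY address PEER
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transforms"] = t[4:]                  # e.g. ['esp-3des', 'esp-sha-hmac']
        elif t[:2] == ["set", "peer"]:
            c["peer"] = t[2]
        elif t[:2] == ["set", "pfs"]:
            c["pfs"] = t[2]
        elif t[:1] == ["access-list"] and t[2] == "permit":
            # access-list N permit ip SRC SRC-WC DST DST-WC  (the router's LAN is SRC)
            c["acl"].append((wildcard_to_network(t[4], t[5]),
                             wildcard_to_network(t[6], t[7])))
    return c


def parse_openswan(text):
    """Read the key=value settings of a single conn section."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            k, v = line.split("=", 1)
            conn[k.strip()] = v.strip()
    return conn


def cross_check(cisco, conn):
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    left = conn["left"]
    if cisco.get("peer") != left:
        problems.append(f"crypto map peer {cisco.get('peer')} != Openswan left {left}")
    if cisco.get("psk_peer") != left:
        problems.append(f"isakmp key is bound to {cisco.get('psk_peer')}, not to {left}")
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    # Seen from the router, its own LAN (Openswan's rightsubnet) is the ACL source and
    # the Linux LAN (leftsubnet) the destination; the ACL must mirror the conn exactly.
    if (right_net, left_net) not in cisco["acl"]:
        problems.append("crypto ACL does not mirror rightsubnet -> leftsubnet")
    # The IOS transform set must be one of the proposals Openswan is willing to offer.
    ios_esp = "-".join(IOS_TO_OPENSWAN.get(t, t) for t in cisco.get("transforms", []))
    offered = [p.strip() for p in conn.get("esp", "").split(",")]
    if ios_esp not in offered:
        problems.append(f"transform set {ios_esp} is not in esp={conn.get('esp')}")
    # 'set pfs' makes the router demand PFS in Quick Mode; Openswan defaults to pfs=yes.
    if cisco.get("pfs") and conn.get("pfs", "yes") == "no":
        problems.append("router requires PFS but the conn sets pfs=no")
    return problems


def check_pair(cisco_text, conf_text):
    return cross_check(parse_cisco(cisco_text), parse_openswan(conf_text))


if __name__ == "__main__":
    for p in check_pair(CISCO_RUN, OPENSWAN_CONF) or ["configs are consistent"]:
        print(p)
```

Run against the two configurations from this post it reports no problems; change `leftsubnet` on the Linux side without touching access-list 100 and the ACL check fires, which is exactly the kind of asymmetric edit that leaves Phase 1 up and Phase 2 failing.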






<Results>
Cisco-side log
ciscorouter#sh cry isa sa
dst src state conn-id slot
192.168.0.253 192.168.0.25 QM_IDLE 3 0
192.168.0.253 192.168.0.25 MM_NO_STATE 2 0 (deleted)

ciscorouter#sh cry ipse sa

interface: Ethernet0
Crypto map tag: mymap, local addr. 192.168.0.253

protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 192.168.0.25:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.0.253, remote crypto endpt.: 192.168.0.25
path mtu 1500, media mtu 1500
current outbound spi: CADC9537

inbound esp sas:
spi: 0x337983D4(863601620)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4441814/3586)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCADC9537(3403453751)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4441814/3586)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:


Continued ↓
http://blogs.yahoo.co.jp/satsukimatsujp/55523318.html


Blog author: 皐月待つ花橘の香をかげば
Copyright (C) 2019 Yahoo Japan Corporation. All Rights Reserved.