{"id":525,"date":"2018-02-07T12:54:00","date_gmt":"2018-02-07T03:54:00","guid":{"rendered":"https:\/\/wp.zassoul.com\/?p=525"},"modified":"2018-02-07T12:54:00","modified_gmt":"2018-02-07T03:54:00","slug":"cisco%e3%83%ab%e3%83%bc%e3%82%bf%e3%81%a7%e3%81%aevtiikev2%e8%a8%ad%e5%ae%9anat%e8%b6%8a%e3%81%97","status":"publish","type":"post","link":"https:\/\/wp.zassoul.com\/?p=525","title":{"rendered":"Cisco\u30eb\u30fc\u30bf\u3067\u306eVTI+IKEv2\u8a2d\u5b9a(NAT\u8d8a\u3057)"},"content":{"rendered":"<p>EC2\u306bCisco1000v\u3092\u7acb\u3066, \u81ea\u5b85\u3068VPN\u3092\u5f35\u308b\u3002<br \/>\u4ee5\u524d, VyOS\u3068\u3067<a href=\"http:\/\/zassoul.blogspot.jp\/2016\/05\/awsvyosc841gre-over-ipsec.html\" target=\"_blank\" rel=\"noopener noreferrer\">GRE over IPSec<\/a>\u3068<a href=\"http:\/\/zassoul.blogspot.jp\/2016\/05\/awsvyosc841gre-over-ipsecvti.html\" target=\"_blank\" rel=\"noopener noreferrer\">VTI<\/a>\u30682\u30d1\u30bf\u30fc\u30f3\u3084\u3063\u305f\u304c, \u4eca\u56de\u306fVTI+IKEv2\u3067\u3084\u308b\u3002<br \/>\u307e\u305a\u306fCisco\u540c\u58eb\u3067\u30c8\u30e9\u30a4\u3002<\/p>\n<h4>\u306f\u3058\u3081\u306b<\/h4>\n<p><b>\u300c\u4f55\u6545IKEv2\u3067\u3084\u308d\u3046\u3068\u3057\u305f\u304b\u300d<\/b><br \/>\u5358\u7d14\u306bv2\u3060\u304b\u3089\u3088\u308a\u5b89\u5168\u306a\u3093\u3060\u308d\u3046\u3068\u601d\u3063\u305f\u304b\u3089\u3002<br \/>IKEv1\u3068\u4f55\u304c\u9055\u3046\u306e\u304b\u306f\u69d8\u3005\u306a\u30b5\u30a4\u30c8\u306b\u8a73\u3057\u304f\u66f8\u3044\u3066\u3042\u308b\u3002<br \/><span style=\"font-size: x-small;\">\u30fbUNIVERGE IX\u30b7\u30ea\u30fc\u30ba\u3000FAQ\u300c<a href=\"http:\/\/jpn.nec.com\/univerge\/ix\/faq\/ikev2.html\" target=\"_blank\" rel=\"noopener noreferrer\">IKEv2\u306b\u95a2\u3059\u308bFAQ<\/a>\u300d<\/span><br \/><span style=\"font-size: x-small;\">\u30fbCisco IOS \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30b3\u30f3\u30d5\u30a3\u30ae\u30e5\u30ec\u30fc\u30b7\u30e7\u30f3 \u30ac \u30a4\u30c9\u300c<a 
href=\"https:\/\/www.cisco.com\/cisco\/web\/support\/JP\/docs\/CIAN\/IOS\/IOS15_1M_T\/CG\/002\/sec_cfg_ikev2.html?bid=0900e4b1825298b8\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco IOS \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30b3\u30f3\u30d5\u30a3\u30ae\u30e5\u30ec\u30fc\u30b7\u30e7\u30f3 \u30ac \u30a4\u30c9\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8 \u30ad\u30fc \u30a8\u30af\u30b9\u30c1\u30a7\u30f3\u30b8 \u30d0\u30fc\u30b8\u30e7 \u30f3 2\uff08IKEv2\uff09\u306e\u8a2d\u5b9a<\/a>\u300d<\/span><br \/>\u500b\u4eba\u7684\u306b\u306f\u8a2d\u5b9a\u306e\u53ef\u8996\u5316\u30ec\u30d9\u30eb\u304ccrypto map\u3088\u308a\u306f\u9ad8\u3044\u3068\u611f\u3058\u305f\u3002P1\u306e\u30dd\u30ea\u30b7\u30fc\u3082\u30d4\u30a2\u6bce\u306b\u6307\u5b9a\u3067\u304d\u308b\u306e\u3067\u3053\u306e\u3042\u305f\u308a\u306f\u4fbf\u5229\u3060\u3068\u601d\u3046\u3002(Site-to-Site\u3060\u3068\u3042\u307e\u308a\u6069\u6075\u306f\u611f\u3058\u3089\u308c\u306a\u3044\u304b\u3082\u3057\u308c\u306a\u3044)<\/p>\n<h4>\u69cb\u6210\u6982\u8981<\/h4>\n<p>2\u53f0\u306e\u30eb\u30fc\u30bf\u3067IPSec\u3092VTI+IKEv2\u3067\u5f35\u308b\u3002<br \/>\u305d\u308c\u305e\u308c\u306e\u30eb\u30fc\u30bf\u306fNAT\u8d8a\u3057\u306b\u901a\u4fe1\u3059\u308b\u3002<br \/>\u8a8d\u8a3c\u306fPSK(\u4e8b\u524d\u5171\u6709\u9375)\u3002<br \/>\u6697\u53f7\u5316\u5468\u308a\u306fAES256, SHA2-256, DH 14\u3002<\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" style=\"margin-left: auto; margin-right: auto; text-align: center;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/3.bp.blogspot.com\/-Ludd0yzLfe0\/WnpvVEczmxI\/AAAAAAAAAPw\/_Nx8Ayg2utAH1mSWKGDjrFrn4A0u6whdACLcBGAs\/s1600\/VTI_IKEv2.png\" style=\"margin-left: auto; margin-right: auto;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" data-original-height=\"396\" data-original-width=\"840\" height=\"187\" src=\"https:\/\/3.bp.blogspot.com\/-Ludd0yzLfe0\/WnpvVEczmxI\/AAAAAAAAAPw\/_Nx8Ayg2utAH1mSWKGDjrFrn4A0u6whdACLcBGAs\/s400\/VTI_IKEv2.png\" width=\"400\" 
\/><\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\u69cb\u6210\u6982\u7565\u56f3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u524d\u63d0\u6761\u4ef6<\/h4>\n<p>\u30fbEC2\u4e0a\u306b\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u4f5c\u6210\u6e08<br \/>\u30fb\u305d\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306bElastic IP\u5272\u5f53\u6e08<br \/>\u30fb\u9069\u5207\u306b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b0\u30eb\u30fc\u30d7\u306f\u8a2d\u5b9a\u6e08(UDP500\u30fb4500\u306f\u8a31\u53ef\u7b49)<br \/>\u30fb\u81ea\u5b85\u306eGlobal IP\u306f\u56fa\u5b9a\u524d\u63d0<br \/>\u30fb\u30d6\u30ed\u30fc\u30c9\u30d0\u30f3\u30c9\u30eb\u30fc\u30bf\u3067\u30dd\u30fc\u30c8\u30d5\u30a9\u30ef\u30fc\u30c7\u30a3\u30f3\u30b0\u8a2d\u5b9a\u6e08<\/p>\n<h4>\u8a2d\u5b9a\u624b\u9806<\/h4>\n<p>Config\u4e0a\u304b\u3089\u6d41\u3057\u8fbc\u3093\u3067\u3044\u304f\u30a4\u30e1\u30fc\u30b8\u3067OK\u3002<br \/>\u30fbIKEv2\u306e\u30d7\u30ed\u30dd\u30fc\u30b6\u30eb\u8a2d\u5b9a<br \/>\u30fbIKEv2\u306e\u30dd\u30ea\u30b7\u30fc\u8a2d\u5b9a<br \/>\u30fbIKEv2\u306eKey\u8a2d\u5b9a<br \/>\u30fbIKEv2\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>\u30fb\u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30e0\u30bb\u30c3\u30c8\u8a2d\u5b9a<br \/>\u30fbIPSEC\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>\u30fb\u30c8\u30f3\u30cd\u30eb\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u4f5c\u6210<br \/>\u30fbVTI\u9069\u7528<\/p>\n<h4>\u3044\u3056\u8a2d\u5b9a<\/h4>\n<p>Config\u3092\u629c\u7c8b\u3002<br \/>\u57fa\u672c\u7684\u306b\u3053\u306e\u307e\u307e\u6d41\u3057\u8fbc\u3081\u3070OK\u3002<br \/>\u305f\u3060\u3057 pre-shared-key \u306e\u5024(\u3053\u3053\u3067\u306f password)\u306f, \u5b9f\u904b\u7528\u3067\u306f\u5341\u5206\u306b\u9577\u3044\u30e9\u30f3\u30c0\u30e0\u306a\u6587\u5b57\u5217\u306b\u7f6e\u304d\u63db\u3048\u308b\u3053\u3068\u3002<br \/>match identity remote address \u306b\u306f\u5bfe\u5411\u306e identity local address \u3092\u6307\u5b9a\u3059\u308b(\u4e0b\u8a18C841M\u5074\u306e 10.200.10.12 \u306f C1000v\u5074\u306e 10.1.1.10 \u3068\u4e00\u81f4\u3057\u3066\u3044\u306a\u3044\u306e\u3067\u8981\u78ba\u8a8d)\u3002<br \/>\u307e\u305f\u5f8c\u8ff0\u306e\u78ba\u8a8d\u51fa\u529b\u3067\u306f PFS \u304c N \u306a\u306e\u3067, \u5fc5\u8981\u306a\u3089 IPsec\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306b set pfs group14 \u3092\u8ffd\u52a0\u3059\u308b\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td>\n<div style=\"text-align: center;\"><u>C841M<\/u><\/div>\n<\/td>\n<td>\n<div style=\"text-align: center;\"><u>C1000v<\/u><\/div>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<pre>!\u30d7\u30ed\u30dd\u30fc\u30b6\u30eb\u8a2d\u5b9a<br \/>crypto ikev2 proposal IKEv2_Proposal<br \/>encryption aes-cbc-256<br \/>integrity sha256<br \/>group 14<br \/><br \/>! 
\u30dd\u30ea\u30b7\u30fc\u8a2d\u5b9a<br \/>crypto ikev2 policy IKEv2_Policy<br \/> proposal IKEv2_Proposal<br \/><br \/>!\u30ad\u30fc\u8a2d\u5b9a<br \/>crypto ikev2 keyring IKEv2_Key_Cisco<br \/> peer C1000V<br \/>  address A.A.A.A<br \/>  pre-shared-key password<br \/><br \/>! \u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>crypto ikev2 profile IKEv2_Profile_Cisco<br \/> match identity remote address 10.200.10.12 255.255.255.255<br \/> identity local address 192.168.1.2<br \/> authentication remote pre-share<br \/> authentication local pre-share<br \/> keyring local IKEv2_Key_Cisco<br \/> lifetime 3600<br \/><br \/>! \u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30e0\u30bb\u30c3\u30c8\u8a2d\u5b9a<br \/>crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac<br \/> mode tunnel<br \/><br \/>! IPSEC\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>crypto ipsec profile VTI_Cisco<br \/> set transform-set IPSEC<br \/> set ikev2-profile IKEv2_Profile_Cisco<br \/><br \/>! Tunnel\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u8a2d\u5b9a<br \/>interface Tunnel1<br \/> ip address 172.16.10.1 255.255.255.0<br \/> tunnel source G0\/0<br \/> tunnel mode ipsec ipv4<br \/> tunnel destination A.A.A.A<br \/> tunnel protection ipsec profile VTI_Cisco<br \/><\/pre>\n<\/td>\n<td valign=\"top\">\n<pre>! \u30d7\u30ed\u30dd\u30fc\u30b6\u30eb\u8a2d\u5b9a<br \/>crypto ikev2 proposal IKEv2_Proposal<br \/>encryption aes-cbc-256<br \/>integrity sha256<br \/>group 14<br \/><br \/>! \u30dd\u30ea\u30b7\u30fc\u8a2d\u5b9a<br \/>crypto ikev2 policy IKEv2_Policy<br \/> proposal IKEv2_Proposal<br \/><br \/>!\u30ad\u30fc\u8a2d\u5b9a<br \/>crypto ikev2 keyring IKEv2_Key_Cisco<br \/> peer C841M<br \/>  address B.B.B.B<br \/>  pre-shared-key password<br \/><br \/>! 
\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>crypto ikev2 profile IKEv2_Profile_Cisco<br \/> match identity remote address 192.168.1.2 255.255.255.255<br \/> identity local address 10.1.1.10<br \/> authentication remote pre-share<br \/> authentication local pre-share<br \/> keyring local IKEv2_Key_Cisco<br \/> lifetime 3600<br \/><br \/>! \u30c8\u30e9\u30f3\u30b9\u30d5\u30a9\u30fc\u30e0\u30bb\u30c3\u30c8\u8a2d\u5b9a<br \/>crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac<br \/> mode tunnel<br \/><br \/>! IPSEC\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a<br \/>crypto ipsec profile VTI_Cisco<br \/> set transform-set IPSEC<br \/> set ikev2-profile IKEv2_Profile_Cisco<br \/><br \/>! Tunnel\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u8a2d\u5b9a<br \/>interface Tunnel1<br \/> ip address 172.16.10.2 255.255.255.0<br \/> tunnel source G0\/0<br \/> tunnel mode ipsec ipv4<br \/> tunnel destination B.B.B.B<br \/> tunnel protection ipsec profile VTI_Cisco<br \/><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/p>\n<h4>\u78ba\u8a8d<\/h4>\n<p><\/p>\n<pre>c1000v#sh crypto ikev2 sa<br \/> IPv4 Crypto IKEv2  SA<br \/><br \/>Tunnel-id Local                 Remote                fvrf\/ivrf            Status<br \/>1         10.1.1.10\/4500     B.B.B.B\/4500     none\/none            READY<br \/>      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK<br \/>      Life\/Active Time: 3600\/2111 sec<br \/><br \/> IPv6 Crypto IKEv2  SA<br \/><br \/>c1000v#sh crypto ipsec sa<br \/><br \/>interface: Tunnel1<br \/>    Crypto map tag: Tunnel1-head-0, local addr 10.1.1.10<br \/><br \/>   protected vrf: (none)<br \/>   local  ident (addr\/mask\/prot\/port): (0.0.0.0\/0.0.0.0\/0\/0)<br \/>   remote ident (addr\/mask\/prot\/port): (0.0.0.0\/0.0.0.0\/0\/0)<br \/>   current_peer B.B.B.B port 4500<br \/>     PERMIT, flags={origin_is_acl,}<br \/>    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10<br \/>    #pkts decaps: 
10, #pkts decrypt: 10, #pkts verify: 10<br \/>    #pkts compressed: 0, #pkts decompressed: 0<br \/>    #pkts not compressed: 0, #pkts compr. failed: 0<br \/>    #pkts not decompressed: 0, #pkts decompress failed: 0<br \/>    #send errors 0, #recv errors 0<br \/><br \/>     local crypto endpt.: 10.1.1.10, remote crypto endpt.: B.B.B.B<br \/>     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1<br \/>     current outbound spi: 0x3478CA01(880331265)<br \/>     PFS (Y\/N): N, DH group: none<br \/><br \/>     inbound esp sas:<br \/>      spi: 0x9AF7C1FF(2599928319)<br \/>        transform: esp-256-aes esp-sha256-hmac ,<br \/>        in use settings ={Tunnel UDP-Encaps, }<br \/>        conn id: 2068, flow_id: CSR:68, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0<br \/>        sa timing: remaining key lifetime (k\/sec): (4607998\/1485)<br \/>        IV size: 16 bytes<br \/>        replay detection support: Y<br \/>        Status: ACTIVE(ACTIVE)<br \/><br \/>     inbound ah sas:<br \/><br \/>     inbound pcp sas:<br \/><br \/>     outbound esp sas:<br \/>      spi: 0x3478CA01(880331265)<br \/>        transform: esp-256-aes esp-sha256-hmac ,<br \/>        in use settings ={Tunnel UDP-Encaps, }<br \/>        conn id: 2067, flow_id: CSR:67, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0<br \/>        sa timing: remaining key lifetime (k\/sec): (4607999\/1485)<br \/>        IV size: 16 bytes<br \/>        replay detection support: Y<br \/>        Status: ACTIVE(ACTIVE)<br \/><br \/>     outbound ah sas:<br \/><br \/>     outbound pcp sas:<br \/><br \/>c1000v#sh crypto session<br \/>Crypto session current status<br \/><br \/>Interface: Tunnel1<br \/>Profile: IKEv2_Profile<br \/>Session status: UP-ACTIVE<br \/>Peer: B.B.B.B port 4500<br \/>  Session ID: 6<br \/>  IKEv2 SA: local 10.1.1.10\/4500 remote B.B.B.B\/4500 Active<br \/>  IPSEC FLOW: permit ip 0.0.0.0\/0.0.0.0 0.0.0.0\/0.0.0.0<br \/>        Active SAs: 2, origin: crypto 
map<br \/><\/pre>\n<p>\u4ee5\u4e0a, \u304a\u75b2\u308c\u69d8\u3067\u3057\u305f\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EC2\u306bCisco1000v\u3092\u7acb\u3066, \u81ea\u5b85\u3068VPN\u3092\u5f35\u308b\u3002\u4ee5\u524d, VyOS\u3068\u3067GRE over IPSec\u3068VTI\u30682\u30d1\u30bf\u30fc\u30f3\u3084\u3063\u305f\u304c, \u4eca\u56de\u306fVTI+IKEv2\u3067\u3084\u308b\u3002\u307e\u305a\u306fCisco\u540c\u58eb\u3067\u30c8\u30e9\u30a4\u3002 \u306f\u3058\u3081\u306b \u300c\u4f55\u6545I\u2026 <span class=\"read-more\"><a href=\"https:\/\/wp.zassoul.com\/?p=525\">\u7d9a\u304d\u3092\u8aad\u3080 &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54,11,6,42,15],"tags":[],"class_list":["post-525","post","type-post","status-publish","format-standard","hentry","category-aws","category-cisco","category-it","category-nat","category-network"],"_links":{"self":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=525"}],"version-history":[{"count":0,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/525\/revisions"}],"wp:attachment":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fw
p%2Fv2%2Ftags&post=525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}