A GRE tunnel on its own carries traffic in the clear; with GRE over IPsec the tunnel traffic is encrypted. In a route-based VPN built on a Tunnel interface, everything forwarded into the Tunnel is encrypted.
Because this route-based VPN uses a GRE Tunnel interface with tunnel protection applied, it is one form of GRE over IPsec.
Which traffic is encrypted is decided by the routing table: only packets whose best route exits through Tunnel0 are protected, and anything routed over the physical interfaces leaves unencrypted. In this lab the underlay links (192.168.1.0/24, 192.168.2.0/24) and the LAN and loopback prefixes are advertised in the same OSPF area as the tunnel subnet, and a Tunnel interface's default OSPF cost (bandwidth 100 kbit/s, cost 1000) is far higher than the Gigabit path through SW, so check show ip route on R1 and R2 and confirm that the remote LAN (10.20.20.0/24 or 10.10.10.0/24) is really reached via Tunnel0 before treating that traffic as encrypted.
There is a recommended minimum set of security algorithms; refer to the vendor's website for the current list. Note that the configuration below uses IKEv1 with a pre-shared key and the transform esp-sha-hmac (HMAC-SHA-1), which is fine for a lab but should be compared against that guidance before production use.
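As an added example (not from the original post or any vendor tool), here is a small Python linter that reads IOS crypto configuration lines and reports settings below a minimum policy. The thresholds (AES encryption, SHA-2 integrity, DH group 14 or higher) are this example's own assumptions, not the vendor's list; it also reports IKEv1 and pre-shared-key authentication for review, and catches a command pasted behind a leading '!', which IOS treats as a comment and silently drops. The sample input reuses the R1 crypto stanzas from the configuration below plus one constructed commented-out line.

```python
"""Lint a Cisco IOS crypto configuration excerpt against a minimum policy.

Added example for this post (not the author's code or a vendor tool). The
thresholds are this example's own assumptions for a floor: AES encryption,
SHA-2 integrity, DH group 14 or stronger; IKEv1 and pre-shared keys are
reported so they get reviewed rather than rejected outright.
"""
from __future__ import annotations
import re

ISAKMP_SUBCOMMANDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}
WEAK_IKE_HASH = {"md5", "sha"}                 # 'sha' in an isakmp policy is SHA-1
WEAK_IKE_ENCR = {"des", "3des"}
WEAK_ESP_INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac"}   # HMAC-MD5 / HMAC-SHA-1
WEAK_ESP_ENCRYPTION = {"esp-null", "esp-des", "esp-3des"}
MIN_DH_GROUP = 14                              # assumption: 2048-bit MODP floor
# '!' starts a comment in IOS; a real command pasted behind it is silently dropped.
COMMENTED_CONFIG = re.compile(r"^!\s*(interface|crypto|ip |router|tunnel)")


def lint_crypto_config(config: str) -> list[str]:
    """Return one human-readable finding per weak or suspicious line."""
    findings: list[str] = []
    in_policy = False
    hash_seen = False

    def close_policy() -> None:
        nonlocal in_policy
        if in_policy and not hash_seen:
            # IOS defaults 'hash' to SHA-1 when the policy does not set it.
            findings.append("isakmp policy: no 'hash' configured, IOS default is SHA-1")
        in_policy = False

    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if line.startswith("!"):
            if COMMENTED_CONFIG.match(line):
                findings.append(f"commented-out config line is ignored by IOS: '{line}'")
            close_policy()
            continue
        if in_policy and words[0] not in ISAKMP_SUBCOMMANDS:
            close_policy()                     # left the policy block without a '!'
        if line.startswith("crypto isakmp policy"):
            findings.append(f"IKEv1 policy in use ('{line}'); prefer IKEv2")
            in_policy, hash_seen = True, False
        elif in_policy and words[0] == "hash":
            hash_seen = True
            if words[1] in WEAK_IKE_HASH:
                findings.append(f"isakmp policy: weak hash '{words[1]}'")
        elif in_policy and words[0] in ("encr", "encryption"):
            if words[1] in WEAK_IKE_ENCR:
                findings.append(f"isakmp policy: weak encryption '{words[1]}'")
        elif in_policy and words[0] == "authentication" and words[1] == "pre-share":
            findings.append("isakmp policy: pre-shared key authentication, review key strength")
        elif in_policy and words[0] == "group":
            if int(words[1]) < MIN_DH_GROUP:
                findings.append(f"isakmp policy: DH group {words[1]} is below group {MIN_DH_GROUP}")
        elif line.startswith("crypto ipsec transform-set"):
            name, transforms = words[3], words[4:]   # name, then transform tokens
            for t in transforms:
                if t in WEAK_ESP_INTEGRITY:
                    findings.append(f"transform-set {name}: '{t}' is HMAC-SHA-1/MD5, use esp-sha256-hmac or stronger")
                if t in WEAK_ESP_ENCRYPTION:
                    findings.append(f"transform-set {name}: weak encryption '{t}'")
    close_policy()
    return findings


# Sample input: the R1 crypto stanzas from this post, plus one constructed
# loopback line entered behind '!' to exercise the comment check.
R1_CRYPTO = """\
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 15
crypto isakmp key ipsec-password address 192.168.2.2
!
crypto ipsec transform-set TF-SET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile PROF-IPsec
set transform-set TF-SET
!
!interface Loopback1
ip address 1.1.1.1 255.255.255.255
"""

if __name__ == "__main__":
    for finding in lint_crypto_config(R1_CRYPTO):
        print(finding)
```

Run against the R1 stanzas it reports IKEv1, the pre-shared key, the implicit SHA-1 IKE hash, the esp-sha-hmac transform and the commented-out interface line; swapping in hash sha256, esp-sha256-hmac and certificate authentication clears everything except the IKEv1 notice.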
I would have liked to include a Wireshark capture showing that the traffic is encrypted, but I will omit it here.
Topology diagram.
Configuration applied
■R1■
hostname R1
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 15
crypto isakmp key ipsec-password address 192.168.2.2
!
crypto ipsec transform-set TF-SET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile PROF-IPsec
set transform-set TF-SET
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source GigabitEthernet0
tunnel destination 192.168.2.2
tunnel protection ipsec profile PROF-IPsec
no sh
!
!
interface FastEthernet8
ip address 10.10.10.2 255.255.255.0
no sh
!
!
interface GigabitEthernet0
ip address 192.168.1.1 255.255.255.0
no sh
!
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 10.10.10.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
■R2■
hostname R2
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 15
crypto isakmp key ipsec-password address 192.168.1.1
!
!
crypto ipsec transform-set TF-SET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile PROF-IPsec
set transform-set TF-SET
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
tunnel source GigabitEthernet0/4
tunnel destination 192.168.1.1
tunnel protection ipsec profile PROF-IPsec
no sh
!
interface GigabitEthernet0/4
ip address 192.168.2.2 255.255.255.0
no sh
!
interface GigabitEthernet0/5
ip address 10.20.20.1 255.255.255.0
no sh
!
router ospf 10
router-id 2.2.2.2
network 2.2.2.0 0.0.0.255 area 0
network 10.20.20.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
end
■SW■
conf t
hostname SW
!
ip routing
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.1.2 255.255.255.0
no sh
!
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.2.1 255.255.255.0
no sh
!
router ospf 10
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
!
Verification commands on R1 and R2
show crypto engine connection active
show crypto session
show crypto ipsec sa (omitted, the output is long)
Verification command on SW
show ip ospf neighbor
■R1■
R1#show crypto engine connection active
Crypto Engine Connections
    ID  Type   Algorithm    Encrypt  Decrypt LastSeqN IP-Address
     3  IPsec  AES256+SHA         0       58       58 192.168.1.1
     4  IPsec  AES256+SHA        59        0        0 192.168.1.1
  2001  IKE    SHA+AES256         0        0        0 192.168.1.1
R1#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 192.168.2.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.2.2/500 Active
IPSEC FLOW: permit 47 host 192.168.1.1 host 192.168.2.2
Active SAs: 2, origin: crypto map
The two IPsec entries are the inbound SA (ID 3, whose Decrypt counter is rising) and the outbound SA (ID 4, whose Encrypt counter is rising); the IKE entry is the phase 1 SA. The IPSEC FLOW line shows what is protected: IP protocol 47 (GRE) between the two tunnel endpoints, so every packet the Tunnel carries is encrypted. The session is UP-ACTIVE with both SAs present.
■R2■
R2#show crypto engine connection active
Crypto Engine Connections
    ID  Type   Algorithm    Encrypt  Decrypt LastSeqN IP-Address
     3  IPsec  AES256+SHA         0       80       80 192.168.2.2
     4  IPsec  AES256+SHA        91        0        0 192.168.2.2
  2001  IKE    SHA+AES256         0        0        0 192.168.2.2
R2#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 192.168.1.1 port 500
Session ID: 0
IKEv1 SA: local 192.168.2.2/500 remote 192.168.1.1/500 Active
IPSEC FLOW: permit 47 host 192.168.2.2 host 192.168.1.1
Active SAs: 2, origin: crypto map
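The outputs above can be checked mechanically. As an added example (not the author's code), the following Python reads the text of show crypto session and show crypto engine connection active and asserts what a reviewer looks for by eye: session UP-ACTIVE with the expected peer, the protected flow being GRE (protocol 47) between the tunnel endpoints, two IPsec SAs, and packet counters that actually move in both directions with the intended algorithm. Because only traffic routed into Tunnel0 is encrypted, it also scans a show ip route excerpt for prefixes whose best route bypasses the tunnel; that excerpt is constructed for the example (the post has no such capture) and is not the lab's real routing table.

```python
"""Check GRE over IPsec state from IOS 'show' output.

Added example for this post, not the author's code. It parses 'show crypto
session', 'show crypto engine connection active' and 'show ip route' text.
The first two samples are the R1 captures from the post; the 'show ip route'
excerpt is constructed for the example (the post has no such capture).
"""
from __future__ import annotations
import re

ENGINE_ROW = re.compile(r"^\s*(\d+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
ROUTE_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+).*?, (\S+)$")


def check_crypto_session(text: str, peer: str) -> list[str]:
    """Problems with the session towards 'peer'; an empty list means healthy."""
    problems = []
    if "Session status: UP-ACTIVE" not in text:
        problems.append("session is not UP-ACTIVE")
    if f"Peer: {peer} port 500" not in text:
        problems.append(f"no session towards {peer}")
    # With tunnel protection the protected flow is IP protocol 47 (GRE) between
    # the two tunnel endpoints, i.e. everything the Tunnel interface carries.
    flow = re.search(r"IPSEC FLOW: permit (\d+) host (\S+) host (\S+)", text)
    if flow is None:
        problems.append("no IPsec flow installed")
    elif flow.group(1) != "47" or flow.group(3) != peer:
        problems.append(f"unexpected flow: {flow.group(0)}")
    sas = re.search(r"Active SAs: (\d+)", text)
    if sas is None or int(sas.group(1)) < 2:
        problems.append("fewer than 2 active SAs (need one inbound and one outbound)")
    return problems


def parse_engine_connections(text: str) -> list[dict]:
    """Rows of 'show crypto engine connection active' as dicts."""
    rows = []
    for line in text.splitlines():
        m = ENGINE_ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "type": m.group(2), "algorithm": m.group(3),
                         "encrypt": int(m.group(4)), "decrypt": int(m.group(5)), "ip": m.group(7)})
    return rows


def check_engine_connections(text: str, algorithm: str = "AES256+SHA") -> list[str]:
    """Confirm packets really are being encrypted and decrypted with 'algorithm'."""
    ipsec = [r for r in parse_engine_connections(text) if r["type"] == "IPsec"]
    problems = []
    # One IPsec SA only encrypts (outbound) and the other only decrypts (inbound);
    # both counters must be moving, or nothing is actually crossing the tunnel.
    if not any(r["encrypt"] > 0 for r in ipsec):
        problems.append("no IPsec SA has encrypted any packet")
    if not any(r["decrypt"] > 0 for r in ipsec):
        problems.append("no IPsec SA has decrypted any packet")
    for r in ipsec:
        if r["algorithm"] != algorithm:
            problems.append(f"SA {r['id']} negotiated {r['algorithm']}, expected {algorithm}")
    return problems


def prefixes_not_via_tunnel(show_ip_route: str, prefixes: list[str], tunnel: str = "Tunnel0") -> list[str]:
    """Prefixes whose listed route does not exit through the protected tunnel.

    Only packets routed into the Tunnel interface are encrypted, so traffic to
    these prefixes bypasses IPsec. A prefix with no entry is reported too. Only
    the first path of an equal-cost set is seen (continuation lines carry no prefix).
    """
    exit_if = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_LINE.search(line.strip())
        if m:
            exit_if.setdefault(m.group(1), m.group(2))
    return [p for p in prefixes if exit_if.get(p) != tunnel]


# R1 output from this post.
R1_CRYPTO_SESSION = """\
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 192.168.2.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.2.2/500 Active
IPSEC FLOW: permit 47 host 192.168.1.1 host 192.168.2.2
Active SAs: 2, origin: crypto map
"""

R1_ENGINE = """\
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
3 IPsec AES256+SHA 0 58 58 192.168.1.1
4 IPsec AES256+SHA 59 0 0 192.168.1.1
2001 IKE SHA+AES256 0 0 0 192.168.1.1
"""

# Constructed 'show ip route' excerpt (not captured from the lab): one prefix
# reached through Tunnel0 and one that OSPF prefers via the physical path.
R1_ROUTE = """\
O        10.20.20.0/24 [110/1001] via 192.168.10.2, 00:03:41, Tunnel0
O        2.2.2.2/32 [110/2] via 192.168.1.2, 00:03:41, GigabitEthernet0
C        192.168.10.0/24 is directly connected, Tunnel0
"""
```

On the R1 captures both checks return no problems; on the constructed route table 2.2.2.2/32 is reported because its route leaves via GigabitEthernet0, which is exactly the case where traffic you expect to be encrypted is not.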
■SW■
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.2.2       1   FULL/DR         00:00:36    192.168.2.2     GigabitEthernet1/0/2
192.168.1.1       1   FULL/DR         00:00:36    192.168.1.1     GigabitEthernet1/0/1
Switch#
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:39    192.168.2.2     GigabitEthernet1/0/2
1.1.1.1           1   FULL/BDR        00:00:36    192.168.1.1     GigabitEthernet1/0/1
Switch#
The two captures differ in the Neighbor ID column: in the first the routers are identified by their interface addresses, in the second by the router IDs 1.1.1.1 and 2.2.2.2 set with router-id. On IOS a router-id entered on an already running OSPF process takes effect only after the process is restarted (clear ip ospf process), which is consistent with the first capture having been taken before that restart; the DR/BDR roles changed for the same reason.