IPsecトンネル動作確認

crypto map使うんだと思ってたけど、interfaceへの適用じゃない場合はpolicyなのね(下の設定では crypto ipsec profile を tunnel protection で Tunnel0 に適用している)。v5のラボはIPsecトンネルとかが出題範囲らしいのでもう少し細かいところまで理解しとかないと。

R1#sh run
!
! Global settings for R1, one of the two IPsec tunnel endpoints in this lab.
hostname R1
!
! AAA is not enabled, so device access control is whatever the line/local
! configuration (not shown in this listing) provides.
no aaa new-model
! Removes the rate limit on generated ICMP unreachable messages.
! NOTE(review): acceptable in an emulated lab; on a production router keep the
! limit so that unreachable generation cannot be used to load the CPU.
no ip icmp rate-limit unreachable
ip cef
!
! Stops the router from trying to resolve mistyped commands as hostnames.
no ip domain lookup
!
! IKEv1 (ISAKMP) phase 1 and IPsec phase 2 parameters for the tunnel to 10.3.3.3.
! Phase 1: 3DES encryption, pre-shared-key authentication, Diffie-Hellman group 5.
! No hash line is listed; presumably the IOS default (SHA-1) applies because
! defaults are omitted from the running-config -- confirm with
! "show crypto isakmp policy".
! NOTE(review): 3DES, SHA-1 and DH group 5 are legacy choices, fine for lab
! practice only. Elsewhere prefer AES ("encr aes 256" / "esp-aes 256") and the
! strongest DH group the image supports. Both peers must be changed together.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
! Pre-shared key bound to the peer's tunnel source address. "CISCO" is a
! guessable lab value and appears in clear text in the running-config; use a
! long random per-peer key (or certificates) for anything beyond a lab.
crypto isakmp key CISCO address 10.3.3.3
! IKE keepalive (dead peer detection) with a 30-second interval.
crypto isakmp keepalive 30
!
!
! Phase 2: ESP with 3DES encryption and HMAC-SHA-1 integrity.
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
! IPsec profile referenced by "tunnel protection" on Tunnel0. No "set pfs" is
! present, so phase 2 rekeys presumably reuse phase 1 keying material instead
! of running a fresh DH exchange -- confirm whether PFS is wanted.
crypto ipsec profile VTI
 set transform-set IPSEC
!
! Loopback0 (10.1.1.1) is the tunnel source and the address that R3's
! pre-shared key entry is bound to.
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
! Loopback1 lies inside 172.16.0.0, so the EIGRP network statement matches it.
interface Loopback1
 ip address 172.16.11.11 255.255.255.0
!
! Static VTI to R3: "tunnel mode ipsec ipv4" makes this a native IPsec tunnel
! interface, and "tunnel protection" attaches the VTI profile to it. No crypto
! map is applied to any physical interface in this design.
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Underlay link to R2 (192.168.12.2 is the default-route next hop). It carries
! only the encapsulated tunnel traffic and IKE; no ACL is applied on this side.
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
! Unused port, administratively shut down.
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! EIGRP AS 1 on classful network 172.16.0.0: this matches Loopback1 and Tunnel0
! only. FastEthernet0/0 (192.168.12.1) is not matched, so the only possible
! adjacency is across the IPsec tunnel.
! NOTE(review): no EIGRP authentication is configured on Tunnel0; the adjacency
! is protected solely by the tunnel's IPsec encapsulation.
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
! Default route via R2 provides underlay reachability to the peer 10.3.3.3.
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
end

!---
!
! Global settings for R2, the transit router between the two tunnel endpoints.
! R2 has no crypto configuration of its own.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 password obfuscation is off; any line or enable passwords configured
! on this device would be shown in clear text in the configuration.
no service password-encryption
!
hostname R2
!
! AAA is not enabled on this router.
no aaa new-model
! Removes the rate limit on generated ICMP unreachable messages.
! NOTE(review): R2 denies almost all transit traffic with an ACL, so without
! the limit each dropped packet can trigger an unreachable -- keep the limit
! outside a lab.
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
! Shortens the wait for outbound TCP connection attempts to 5 seconds.
ip tcp synwait-time 5
!
! Link to R1. PERMIT_ONLY_TUNNEL is applied inbound, so the ACL filters
! everything R1 sends towards or through R2.
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group PERMIT_ONLY_TUNNEL in
 duplex auto
 speed auto
!
! Link to R3, filtered inbound by the same ACL.
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 ip access-group PERMIT_ONLY_TUNNEL in
 duplex auto
 speed auto
!
ip forward-protocol nd
! Host routes to the two tunnel endpoints (the Loopback0 addresses of R1 and
! R3). R2 has no routes for the 172.16.0.0 networks, so those are reachable
! only inside the tunnel.
ip route 10.1.1.1 255.255.255.255 192.168.12.1
ip route 10.3.3.3 255.255.255.255 192.168.23.3
!
!
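! Transit filter applied inbound on both R2 interfaces: only IPsec traffic for
! the R1-R3 tunnel may cross R2, everything else is dropped.
! ISAKMP (UDP/500) is permitted between the tunnel endpoints 10.1.1.1 and
! 10.3.3.3 in addition to ESP. With ESP alone, IKE negotiation, rekey and
! keepalive exchanges are dropped at R2, so the tunnel cannot be established
! (or re-established after the SAs expire) through this router.
! NOTE(review): the ESP entry is left open to any source/destination as
! originally written; it can be scoped to the same two hosts.
ip access-list extended PERMIT_ONLY_TUNNEL
 permit udp host 10.1.1.1 host 10.3.3.3 eq isakmp
 permit udp host 10.3.3.3 host 10.1.1.1 eq isakmp
 permit esp any any
 deny   ip any any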
!
end

!---
!
! Global settings for R3, the second IPsec tunnel endpoint.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 password obfuscation is off; any line or enable passwords configured
! on this device would be shown in clear text in the configuration.
no service password-encryption
!
hostname R3
!
!
! AAA is not enabled on this router.
no aaa new-model
! Share of memory reserved for I/O buffers (platform/emulator setting).
memory-size iomem 5
ip cef
!
! IKEv1 (ISAKMP) phase 1 and IPsec phase 2 parameters for the tunnel to 10.1.1.1.
! The values mirror R1's policy, transform set and profile; both ends must agree.
! Phase 1: 3DES encryption, pre-shared-key authentication, Diffie-Hellman group 5.
! No hash line is listed; presumably the IOS default (SHA-1) applies because
! defaults are omitted from the running-config -- confirm with
! "show crypto isakmp policy".
! NOTE(review): 3DES, SHA-1 and DH group 5 are legacy choices, fine for lab
! practice only. Elsewhere prefer AES ("encr aes 256" / "esp-aes 256") and the
! strongest DH group the image supports.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
! Pre-shared key bound to the peer's tunnel source address. "CISCO" is a
! guessable lab value and appears in clear text in the running-config; use a
! long random per-peer key (or certificates) for anything beyond a lab.
crypto isakmp key CISCO address 10.1.1.1
! IKE keepalive (dead peer detection) with a 30-second interval.
crypto isakmp keepalive 30
!
!
! Phase 2: ESP with 3DES encryption and HMAC-SHA-1 integrity.
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
! IPsec profile referenced by "tunnel protection" on Tunnel0. No "set pfs" is
! present, so phase 2 rekeys presumably reuse phase 1 keying material instead
! of running a fresh DH exchange -- confirm whether PFS is wanted.
crypto ipsec profile VTI
 set transform-set IPSEC
!
! Shortens the wait for outbound TCP connection attempts to 5 seconds.
ip tcp synwait-time 5
!
! Loopback0 (10.3.3.3) is the tunnel source and the address that R1's
! pre-shared key entry is bound to.
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
! Loopback1 lies inside 172.16.0.0, so the EIGRP network statement matches it.
interface Loopback1
 ip address 172.16.30.30 255.255.255.0
!
! Static VTI to R1: "tunnel mode ipsec ipv4" makes this a native IPsec tunnel
! interface, and "tunnel protection" attaches the VTI profile to it. No crypto
! map is applied to any physical interface in this design.
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Underlay link to R2 (192.168.23.2 is the default-route next hop). It carries
! only the encapsulated tunnel traffic and IKE; no ACL is applied on this side.
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
!
! Unused port, administratively shut down.
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! EIGRP AS 1 on classful network 172.16.0.0: this matches Loopback1 and Tunnel0
! only. FastEthernet0/0 (192.168.23.3) is not matched, so the only possible
! adjacency is across the IPsec tunnel.
! NOTE(review): no EIGRP authentication is configured on Tunnel0; the adjacency
! is protected solely by the tunnel's IPsec encapsulation.
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip forward-protocol nd
! Default route via R2 provides underlay reachability to the peer 10.1.1.1.
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
end