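IPsec Tunnel Operation Check
I thought you would use a crypto map, but when it isn't applied to an interface, it's a policy, I see. The v5 lab apparently has things like IPsec tunnels in its exam scope, so I need to understand the finer details a bit more.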
R1#sh run
!
hostname R1
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.3.3.3
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set IPSEC
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.11.11 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
end
!---
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group PERMIT_ONLY_TUNNEL in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 ip access-group PERMIT_ONLY_TUNNEL in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.1.1.1 255.255.255.255 192.168.12.1
ip route 10.3.3.3 255.255.255.255 192.168.23.3
!
!
ip access-list extended PERMIT_ONLY_TUNNEL
 permit esp any any
 deny ip any any
!
end
!---
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.1.1.1
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set IPSEC
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Loopback1
 ip address 172.16.30.30 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
end
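
For comparison with the profile-based VTI configuration above, here is R1's side of the same R1-to-R3 protection written as a classic crypto map applied to the physical interface. This is an added example, not part of the original post; the names CMAP and VPN_TRAFFIC and the choice of the two Loopback1 subnets as protected traffic are assumptions.

```cisco
! Added example (not from the original post): crypto-map form of R1's tunnel.
! CMAP and VPN_TRAFFIC are hypothetical names; ISAKMP policy and key are as on the page.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.3.3.3
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
! Traffic to protect has to be listed explicitly
! (assumed here: R1 Loopback1 subnet to R3 Loopback1 subnet)
ip access-list extended VPN_TRAFFIC
 permit ip 172.16.11.0 0.0.0.255 172.16.30.0 0.0.0.255
!
! Source IKE/ESP from Loopback0 so it matches the peer address R3 expects (10.1.1.1)
crypto map CMAP local-address Loopback0
crypto map CMAP 10 ipsec-isakmp
 set peer 10.3.3.3
 set transform-set IPSEC
 match address VPN_TRAFFIC
!
! The crypto map is attached to the egress interface; no Tunnel0 is used
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map CMAP
!
! The existing default route already sends 172.16.30.0/24 out Fa0/0,
! where it matches VPN_TRAFFIC and is encrypted
ip route 0.0.0.0 0.0.0.0 192.168.12.2
```

With the crypto map, only packets matching the ACL are encrypted and there is no tunnel interface for EIGRP to form an adjacency over. With `tunnel protection ipsec profile VTI`, whatever is routed into Tunnel0 is protected, so no `match address` or `set peer` is needed in the profile.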