Cisco CSR 1000V アプライアンスの使用

NSX Edge と Cisco CSR 1000V 仮想アプライアンス間に、ルートベースの IPsec VPN トンネルを構成します。

NSX Edge 設定

次の CLI 出力は、 NSX Edge でのルートベースの IPsec VPN 設定を示しています。

Edge IPsec VPN Config:
{
   "ipsec" : {
      "global" : {
         "extension" : null,
         "crlCertificates" : [],
         "pskForDynamicIp" : null,
         "id" : null,
         "caCertificates" : [],
         "serviceCertificate" : null
      },
      "logging" : {
         "logLevel" : "debug",
         "enable" : true
      },
      "disableEvent" : null,
      "enable" : true,
      "sites" : [
         {
            "name" : "VPN2 to edge-ext tun 2 192.168.14.2",
            "encryptionAlgorithm" : "3des",
            "psk" : "****",
            "tunnelInterfaceId" : 1,
            "authenticationMode" : "psk",
            "peerIp" : "111.111.111.5",
            "ipsecSessionType" : "routebasedsession",
            "pskEncryption" : null,
            "digestAlgorithm" : "sha1",
            "enabled" : true,
            "localSubnets" : [
               "0.0.0.0/0"
            ],
            "description" : "VPN to edge subnet2",
            "mtu" : null,
            "peerId" : "111.111.111.5",
            "extension" : null,
            "ikeOption" : "ikev2",
            "localIp" : "51.51.51.1",
            "peerSubnets" : [
               "0.0.0.0/0"
            ],
            "responderOnly" : false,
            "certificate" : null,
            "dhGroup" : "dh2",
            "siteId" : "ipsecsite-53",
            "localId" : "51.51.51.1",
            "tunnelInterfaceLabel" : "vti-1",
            "enablePfs" : true
         },
         {
            "peerIp" : "71.71.71.5",
            "authenticationMode" : "psk",
            "ipsecSessionType" : "routebasedsession",
            "tunnelInterfaceId" : 2,
            "psk" : "****",
            "name" : "VPN to edge-ext tun 1 192.168.13.2",
            "encryptionAlgorithm" : "3des",
            "description" : "VPN to edge subnet1",
            "localSubnets" : [
               "0.0.0.0/0"
            ],
            "enabled" : true,
            "pskEncryption" : null,
            "digestAlgorithm" : "sha1",
            "ikeOption" : "ikev2",
            "extension" : null,
            "peerSubnets" : [
               "0.0.0.0/0"
            ],
            "localIp" : "61.61.61.1",
            "peerId" : "71.71.71.5",
            "mtu" : null,
            "siteId" : "ipsecsite-54",
            "localId" : "61.61.61.1",
            "enablePfs" : true,
            "tunnelInterfaceLabel" : "vti-2",
            "responderOnly" : false,
            "certificate" : null,
            "dhGroup" : "dh2"
         }
      ]
   }
}

次の CLI 出力は、NSX Edge での VTI 設定を示しています。

Edge VTI Tunnels Config:
{
   "vtiTunnels" : [
      {
         "name" : "vti-1",
         "mtu" : 1416,
         "label" : "vti-1",
         "sourceAddress" : "51.51.51.1",
         "destinationAddress" : "111.111.111.5",
         "tunnelAddresses" : [
            "192.168.14.2/24"
         ],
         "mode" : "VTI",
         "enabled" : true
      },
      {
         "enabled" : false,
         "tunnelAddresses" : [
            "192.168.13.2/24"
         ],
         "mode" : "VTI",
         "sourceAddress" : "61.61.61.1",
         "destinationAddress" : "71.71.71.5",
         "label" : "vti-2",
         "mtu" : 1416,
         "name" : "vti-2"
      }
   ]
}

Cisco CSR 1000V アプライアンスの構成

次のスクリプトを実行すると、一致する 2 つのルートベースの IPsec トンネルが Cisco CSR 1000V アプライアンスに設定されます。

crypto ikev2 proposal PH1PROPOSAL
encryption 3des
integrity sha1
group 2
crypto ikev2 proposal PH2PROPOSAL
encryption 3des
integrity sha1
group 2
crypto ikev2 policy PH1POLICY
proposal PH1PROPOSAL
crypto ikev2 policy PH2POLICY
proposal PH2PROPOSAL
crypto ikev2 keyring PH1KEY
peer SITE1
  address 61.61.61.1
  pre-shared-key sharedvalue
!
crypto ikev2 keyring PH2KEY
peer SITE2
  address 51.51.51.1
  pre-shared-key sharedvalue
!
crypto ikev2 profile PH1PROFILE
match identity remote address 61.61.61.1 255.255.255.0
identity local address 71.71.71.5
authentication remote pre-share key sharedvalue
authentication local pre-share key sharedvalue
crypto ikev2 profile PH2PROFILE
match identity remote address 51.51.51.1 255.255.255.0
identity local address 111.111.111.5
authentication remote pre-share key sharedvalue
authentication local pre-share key sharedvalue
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROF1
set transform-set TSET
set ikev2-profile PH1PROFILE
responder-only
crypto ipsec profile IPSEC_PROF2
set transform-set TSET
set ikev2-profile PH2PROFILE
responder-only


interface Tunnel1
ip address 192.168.13.1 255.255.255.0
tunnel source 71.71.71.5
tunnel mode ipsec ipv4
tunnel destination 61.61.61.1
tunnel protection ipsec profile IPSEC_PROF1
interface Tunnel2
ip address 192.168.14.1 255.255.255.0
tunnel source 111.111.111.5
tunnel mode ipsec ipv4
tunnel destination 51.51.51.1
tunnel protection ipsec profile IPSEC_PROF2
interface GigabitEthernet1
ip address dhcp
negotiation auto
interface GigabitEthernet2
no ip address
negotiation auto
interface GigabitEthernet2.2
encapsulation dot1Q 23
ip address 81.81.81.5 255.255.255.0
interface GigabitEthernet2.3
encapsulation dot1Q 19
ip address 111.111.111.5 255.255.255.0
interface GigabitEthernet2.4
encapsulation dot1Q 22
ip address 71.71.71.5 255.255.255.0