ここでは、Cisco IOS を使用して実行された構成について説明します。

手順

  1. インターフェイスとデフォルト ルートの設定 
    interface GigabitEthernet0/0
ip address 10.24.120.90 255.255.252.0
duplex auto
speed auto
crypto map MYVPN
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.24.123.253
  2. IKE ポリシーの設定 
    Router# config term
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication 
     pre-share
Router(config-isakmp)# exit
  3. プリシェアード シークレットで各ピアをマッチする 
    Router# config term
Router(config)# crypto isakmp key vshield 
    address 10.115.199.103
Router(config-isakmp)# exit
  4. IPSEC 変換の定義 
    Router# config term
Router(config)# crypto ipsec transform-set 
     myset esp-3des esp-sha-hmac
Router(config-isakmp)# exit
  5. IPSEC アクセス リストの作成 
    Router# config term
Enter configuration commands, one per line.  
     End with CNTL/Z.
Router(config)# access-list 101 permit ip 
     172.16.0.0 0.0.255.255 192.168.5.0 0.0.0.255
Router(config)# exit
  6. ポリシーのクリプト マップとの紐付けとラベル付け
    以下の例では、クリプト マップが MYVPN としてラベル付けされています。 
    Router# config term
Router(config)# crypto map MYVPN 1 
      ipsec-isakmp
% NOTE: This new crypto map will remain 
      disabled until a peer and a valid 
      access list have been configured.
Router(config-crypto-map)# set transform-set 
      myset
Router(config-crypto-map)# set pfs group1
Router(config-crypto-map)# set peer 
      10.115.199.103
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

例: 設定

router2821#show running-config output
Building configuration...

Current configuration : 1263 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2821
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot 0
! card type command needed for slot 1
enable password cisco
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vshield address 10.115.199.103
!
crypto ipsec transform-set myset esp-3des 
      esp-sha-hmac
!
crypto map MYVPN 1 ipsec-isakmp
set peer 10.115.199.103
set transform-set myset
set pfs group1
match address 101
!
interface GigabitEthernet0/0
ip address 10.24.120.90 255.255.252.0
duplex auto
speed auto
crypto map MYVPN
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.24.123.253
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.0.0 
       0.0.255.255 192.168.5.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
scheduler allocate 20000 1000
!
end