ここでは、Cisco IOS を使用して実行された構成について説明します。

手順

  1. インターフェイスとデフォルト ルートの設定
    interface GigabitEthernet0/0
    ip address 10.24.120.90 255.255.252.0
    duplex auto
    speed auto
    crypto map MYVPN
    !
    interface GigabitEthernet0/1
    ip address 172.16.0.1 255.255.0.0
    duplex auto
    speed auto
    !
    ip route 0.0.0.0 0.0.0.0 10.24.123.253
  2. IKE ポリシーの設定
    Router# config term
    Router(config)# crypto isakmp policy 1
    Router(config-isakmp)# encryption 3des
    Router(config-isakmp)# group 2
    Router(config-isakmp)# hash sha
    Router(config-isakmp)# lifetime 28800
    Router(config-isakmp)# authentication 
         pre-share
    Router(config-isakmp)# exit
  3. プリシェアード シークレットで各ピアをマッチする
    Router# config term
    Router(config)# crypto isakmp key vshield 
        address 10.115.199.103
    Router(config-isakmp)# exit
  4. IPSEC 変換の定義
    Router# config term
    Router(config)# crypto ipsec transform-set 
         myset esp-3des esp-sha-hmac
    Router(config-isakmp)# exit
  5. IPSEC アクセス リストの作成
    Router# config term
    Enter configuration commands, one per line.  
         End with CNTL/Z.
    Router(config)# access-list 101 permit ip 
         172.16.0.0 0.0.255.255 192.168.5.0 0.0.0.255
    Router(config)# exit
  6. ポリシーのクリプト マップとの紐付けとラベル付け
    以下の例では、クリプト マップが MYVPN としてラベル付けされています。
    Router# config term
    Router(config)# crypto map MYVPN 1 
          ipsec-isakmp
    % NOTE: This new crypto map will remain 
          disabled until a peer and a valid 
          access list have been configured.
    Router(config-crypto-map)# set transform-set 
          myset
    Router(config-crypto-map)# set pfs group1
    Router(config-crypto-map)# set peer 
          10.115.199.103
    Router(config-crypto-map)# match address 101
    Router(config-crypto-map)# exit

例: 設定

router2821#show running-config output
Building configuration...

Current configuration : 1263 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2821
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot 0
! card type command needed for slot 1
enable password cisco
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vshield address 10.115.199.103
!
crypto ipsec transform-set myset esp-3des 
      esp-sha-hmac
!
crypto map MYVPN 1 ipsec-isakmp
set peer 10.115.199.103
set transform-set myset
set pfs group1
match address 101
!
interface GigabitEthernet0/0
ip address 10.24.120.90 255.255.252.0
duplex auto
speed auto
crypto map MYVPN
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.24.123.253
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.0.0 
       0.0.255.255 192.168.5.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
scheduler allocate 20000 1000
!
end