이 문서에서는 AES(Advanced Encryption Standard) 암호화를 사용하는 IOS-to-IOS IPSec 터널의 샘플 컨피그레이션을 제공합니다.
AES 암호화 지원은 Cisco IOS® 12.2(13)T에서 도입되었습니다.
이 문서의 정보는 다음 소프트웨어 및 하드웨어 버전을 기반으로 합니다.
Cisco IOS Software 릴리스 12.3(10)
Cisco 1721 라우터
이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다.이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다.현재 네트워크가 작동 중인 경우, 모든 명령어의 잠재적인 영향을 미리 숙지하시기 바랍니다.
문서 표기 규칙에 대한 자세한 내용은 Cisco 기술 팁 표기 규칙을 참조하십시오.
이 섹션에서는 이 문서에 설명된 기능을 구성하는 정보를 제공합니다.
참고: 이 문서에 사용된 명령에 대한 추가 정보를 찾으려면 명령 조회 도구(등록된 고객만 해당)를 사용합니다.
이 문서에서는 여기에 표시된 구성을 사용합니다.
라우터 1721-A |
---|
R-1721-A#show run Building configuration... Current configuration : 1706 bytes ! ! Last configuration change at 00:46:32 UTC Fri Sep 10 2004 ! NVRAM config last updated at 00:45:48 UTC Fri Sep 10 2004 ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R-1721-A ! boot-start-marker boot-end-marker ! ! memory-size iomem 15 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip cef ! ! ! ip audit po max-events 100 no ip domain lookup no ftp-server write-enable ! ! ! ! !--- Define Internet Key Exchange (IKE) policy. crypto isakmp policy 10 !--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy. encr aes 256 !--- Specify that pre-shared key authentication is used. authentication pre-share !--- Specify the shared secret. crypto isakmp key cisco123 address 10.48.66.146 ! ! !--- Define the IPSec transform set. crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! !--- Define crypto map entry name "aesmap" that will use !--- IKE to establish the security associations (SA). crypto map aesmap 10 ipsec-isakmp !--- Specify remote IPSec peer. set peer 10.48.66.146 !--- Specify which transform sets !--- are allowed for this crypto map entry. set transform-set aesset !--- Name the access list that determines which traffic !--- should be protected by IPSec. match address acl_vpn ! ! ! interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl equipment-type CPE dsl operating-mode GSHDSL symmetric annex A dsl linerate AUTO ! interface Ethernet0 ip address 192.168.100.1 255.255.255.0 ip nat inside half-duplex ! interface FastEthernet0 ip address 10.48.66.147 255.255.254.0 ip nat outside speed auto !--- Apply crypto map to the interface. crypto map aesmap ! ip nat inside source list acl_nat interface FastEthernet0 overload ip classless ip route 0.0.0.0 0.0.0.0 10.48.66.1 ip route 192.168.200.0 255.255.255.0 FastEthernet0 no ip http server no ip http secure-server ! ip access-list extended acl_nat !--- Exclude protected traffic from being NAT'ed. deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 permit ip 192.168.100.0 0.0.0.255 any !--- Access list that defines traffic protected by IPSec. ip access-list extended acl_vpn permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end R-1721-A# |
라우터 1721-B |
---|
R-1721-B#show run Building configuration... Current configuration : 1492 bytes ! ! Last configuration change at 14:11:41 UTC Wed Sep 8 2004 ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R-1721-B ! boot-start-marker boot-end-marker ! ! memory-size iomem 15 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip cef ! ! ! ip audit po max-events 100 no ip domain lookup no ftp-server write-enable ! ! ! ! ! !--- Define IKE policy. crypto isakmp policy 10 !--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy. encr aes 256 !--- Specify that pre-shared key authentication is used. authentication pre-share !--- Specify the shared secret. crypto isakmp key cisco123 address 10.48.66.147 ! ! !--- Define the IPSec transform set. crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! !--- Define crypto map entry name "aesmap" that uses !--- IKE to establish the SA. crypto map aesmap 10 ipsec-isakmp !--- Specify remote IPSec peer. set peer 10.48.66.147 !--- Specify which transform sets !--- are allowed for this crypto map entry. set transform-set aesset !--- Name the access list that determines which traffic !--- should be protected by IPSec. match address acl_vpn ! ! ! interface Ethernet0 ip address 192.168.200.1 255.255.255.0 ip nat inside half-duplex ! interface FastEthernet0 ip address 10.48.66.146 255.255.254.0 ip nat outside speed auto !--- Apply crypto map to the interface. crypto map aesmap ! ip nat inside source list acl_nat interface FastEthernet0 overload ip classless ip route 0.0.0.0 0.0.0.0 10.48.66.1 ip route 192.168.100.0 255.255.255.0 FastEthernet0 no ip http server no ip http secure-server ! ip access-list extended acl_nat !--- Exclude protected traffic from being NAT'ed. deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 permit ip 192.168.200.0 0.0.0.255 any !--- Access list that defines traffic protected by IPSec. ip access-list extended acl_vpn permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end R-1721-B# |
이 섹션에서는 컨피그레이션이 제대로 작동하는지 확인하는 데 사용할 수 있는 정보를 제공합니다.
일부 show 명령은 출력 인터프리터 툴 에서 지원되는데(등록된 고객만), 이 툴을 사용하면 show 명령 출력의 분석 결과를 볼 수 있습니다.
show crypto isakmp sa - ISAKMP(Internet Security Association and Key Management Protocol) SA의 상태를 표시합니다.
라우터 1721-A |
---|
R-1721-A#show crypto isakmp sa dst src state conn-id slot 10.48.66.147 10.48.66.146 QM_IDLE 1 0 |
라우터 1721-B |
---|
R-1721-B#show crypto isakmp sa dst src state conn-id slot 10.48.66.147 10.48.66.146 QM_IDLE 1 0 |
show crypto ipsec sa - 활성 터널의 통계를 표시합니다.
라우터 1721-A |
---|
R-1721-A#show crypto ipsec sa interface: FastEthernet0 Crypto map tag: aesmap, local addr. 10.48.66.147 protected vrf: local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0) current_peer: 10.48.66.146:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30 #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 10.48.66.147, remote crypto endpt.: 10.48.66.146 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: 2EB0BA1A inbound esp sas: spi: 0xFECA28BC(4274661564) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4554237/2895) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x2EB0BA1A(783333914) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4554237/2894) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: R-1721-A# |
라우터 1721-B |
---|
R-1721-B#show crypto ipsec sa interface: FastEthernet0 Crypto map tag: aesmap, local addr. 10.48.66.146 protected vrf: local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0) current_peer: 10.48.66.147:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30 #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 5, #recv errors 0 local crypto endpt.: 10.48.66.146, remote crypto endpt.: 10.48.66.147 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: FECA28BC inbound esp sas: spi: 0x2EB0BA1A(783333914) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4583188/2762) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xFECA28BC(4274661564) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4583188/2761) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: R-1721-B# |
show crypto engine connections active(암호화 엔진 연결 활성 표시) - SA당 총 암호화/해독 횟수를 표시합니다.
라우터 1721-A |
---|
R-1721-A#show crypto engine connections active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 0 0 2000 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 0 30 2001 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 30 0 |
라우터 1721-B |
---|
R-1721-B#show crypto engine connections active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 0 0 2000 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 0 30 2001 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 30 0 |
이 섹션에서는 컨피그레이션 문제를 해결하는 데 사용할 수 있는 정보를 제공합니다.
참고: debug 명령을 실행하기 전에 디버그 명령에 대한 중요 정보를 참조하십시오.
debug crypto ipsec - IPSec 이벤트를 표시합니다.
debug crypto isakmp - IKE 이벤트에 대한 메시지를 표시합니다.
debug crypto engine - 암호화 엔진의 정보를 표시합니다.
IPSec 문제 해결에 대한 자세한 내용은 IP Security Troubleshooting - Understanding and Using debug 명령을 참조하십시오.