IPsec
1. About IPsec overhead
The cryptographic protocols used by IPsec involve a block cipher (with its block length) and authentication data.
The overhead size of each depends on the algorithm in use, as listed below.
DES/3DES = 8 byte
AES(128/192/256) = 16 byte
MD5/SHA-1 = 12 byte
SHA256 = 16 byte
SHA384 = 24 byte
SHA512 = 32 byte
IP Datagram - IP Header - ICMP Header = data
126 - 20 - 8 = 98
127 - 20 - 8 = 99
128 - 20 - 8 = 100
...
141 - 20 - 8 = 113
142 - 20 - 8 = 114
143 - 20 - 8 = 115
...
1390 - 20 - 8 = 1362
1438 - 20 - 8 = 1410
- ★IPsec (AES256-CBC, SHA-1) [Overhead 58-73byte]
IP Datagram - IP Header - ESP Header(SPI + SEQ) - AES256(IV) - Padding(AES:0-15) - ESP Trailer(Pad length + Next Header) - HMAC(SHA-1) = data(Raw IP + ICMP Header + Data)
184 - 20 - 8(4+4) - 16 - 0 - 2(1+1) - 12 = 126(20 + 8 + 98)
200 - 20 - 8(4+4) - 16 - 15 - 2(1+1) - 12 = 127(20 + 8 + 99)
200 - 20 - 8(4+4) - 16 - 14 - 2(1+1) - 12 = 128(20 + 8 + 100)
...
200 - 20 - 8(4+4) - 16 - 1 - 2(1+1) - 12 = 141(20 + 8 + 113)
200 - 20 - 8(4+4) - 16 - 0 - 2(1+1) - 12 = 142(20 + 8 + 114)
216 - 20 - 8(4+4) - 16 - 15 - 2(1+1) - 12 = 143(20 + 8 + 115)
...
1448 - 20 - 8(4+4) - 16 - 0 - 2(1+1) - 12 = 1390(20 + 8 + 1362)
1496 - 20 - 8(4+4) - 16 - 0 - 2(1+1) - 12 = 1438(20 + 8 + 1410)
- Interface MTU   Tunnel MTU   Tunnel MSS
  1454            1448         1408
  1500            1496         1456
- ★Tunnel MTU (for FLET'S, Interface MTU = 1454)
X = Interface MTU - IP Header - ESP Header - AES256 - HMAC(SHA-1)
X = 1454 - 20 - 8 - 16 - 12
X = 1398
Tunnel MTU = integer part of X/16 (AES cipher block length) * 16 (AES cipher block length) - 2
1398 / 16 = 87.375
Tunnel MTU = 87 * 16 - 2 = 1390
※ Varies slightly depending on the HMAC
MD5/SHA-1 = 1390
SHA256 = 1390
SHA384 = 1374
SHA512 = 1374
Below is a worked calculation for a 128-byte IP datagram (20 + 8 + 100), i.e. a ping sent with 100 bytes of data.
Packet Details
Field                               Bytes
New IPv4 Header (Tunnel Mode)       20
SPI (ESP Header)                    4
Sequence (ESP Header)               4
ESP-AES (IV)                        16
Original Data Packet                128
ESP Pad (ESP-AES)                   14
Pad length (ESP Trailer)            1
Next Header (ESP Trailer)           1
ESP-SHA-HMAC ICV (ESP Trailer)      12
Total IPSec Packet Size             200
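The following is an added example, not code from the original page: it reproduces the overhead arithmetic of the section above (per-field breakdown, total ESP packet size, the 58-73 byte overhead range, and the Tunnel MTU formula) as Python functions, and generalizes it to the other ciphers and HMACs in the table, including the esp-3des esp-sha-hmac transform used in the lab configuration. It assumes ESP tunnel mode with a CBC cipher (IV = one cipher block), no NAT-T UDP encapsulation and no extended sequence numbers.

```python
# Added example (not from the original page): ESP tunnel-mode size and
# Tunnel MTU calculator reproducing the arithmetic in the section above.
# Assumptions: ESP tunnel mode, CBC cipher (IV = one cipher block),
# no NAT-T UDP encapsulation, no extended sequence numbers.

BLOCK = {"DES": 8, "3DES": 8, "AES128": 16, "AES192": 16, "AES256": 16}
ICV = {"MD5": 12, "SHA1": 12, "SHA256": 16, "SHA384": 24, "SHA512": 32}

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_padding(inner_len, block):
    """ESP pad bytes: payload + pad + 2-byte trailer must fill whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_breakdown(inner_len, cipher, auth):
    """Per-field byte counts, in the same order as the 'Packet Details' table."""
    block = BLOCK[cipher]
    return {
        "New IPv4 Header (Tunnel Mode)": OUTER_IP_HDR,
        "ESP Header (SPI + SEQ)": ESP_HDR,
        "IV": block,
        "Original Data Packet": inner_len,
        "ESP Pad": esp_padding(inner_len, block),
        "ESP Trailer (Pad length + Next Header)": ESP_TRAILER,
        "ICV": ICV[auth],
    }


def esp_packet_size(inner_len, cipher, auth):
    """Total on-the-wire size of the ESP tunnel-mode packet."""
    return sum(esp_breakdown(inner_len, cipher, auth).values())


def tunnel_mtu(if_mtu, cipher, auth):
    """Largest inner IP datagram whose ESP packet still fits in if_mtu:
    X = if_mtu - 20 - 8 - IV - ICV, rounded down to a whole block, minus 2."""
    block = BLOCK[cipher]
    x = if_mtu - OUTER_IP_HDR - ESP_HDR - block - ICV[auth]
    return (x // block) * block - ESP_TRAILER


def overhead_range(cipher, auth):
    """Minimum and maximum ESP overhead across all padding lengths."""
    fixed = OUTER_IP_HDR + ESP_HDR + BLOCK[cipher] + ESP_TRAILER + ICV[auth]
    return fixed, fixed + BLOCK[cipher] - 1


if __name__ == "__main__":
    for name, n in esp_breakdown(128, "AES256", "SHA1").items():
        print(f"{name:40s} {n}")
    print("Total IPSec Packet Size", esp_packet_size(128, "AES256", "SHA1"))
    for mtu in (1454, 1500):
        print("Interface MTU", mtu, "-> Tunnel MTU", tunnel_mtu(mtu, "AES256", "SHA1"))
```

For Interface MTU 1500 the function returns 1438, the inner datagram size whose ESP packet is the 1496 bytes listed in the Interface MTU table.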
Cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 172.17.0.251
crypto ipsec transform-set IPSEC-01 esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 172.17.0.251
set transform-set IPSEC-01
match address 111
access-list 111 remark ###### IPSEC-01 ######
access-list 111 permit ip 192.168.28.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 111 permit ip 192.168.29.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 111 permit ip 192.168.28.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip 192.168.29.0 0.0.0.255 192.168.33.0 0.0.0.255
interface FastEthernet0
ip address 172.17.0.253 255.255.255.128
duplex auto
speed auto
crypto map VPN
interface Vlan28
ip address 192.168.28.254 255.255.255.0
interface Vlan29
ip address 192.168.29.254 255.255.255.0
ip route 192.168.32.0 255.255.255.0 FastEthernet0 172.17.0.251
ip route 192.168.33.0 255.255.255.0 FastEthernet0 172.17.0.251
SSG
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 172.17.0.251/24
set interface ethernet0/0 route
set interface ethernet0/1.1 tag 901 zone "Zone01"
set interface ethernet0/1.1 ip 172.19.1.254/24
set interface ethernet0/1.1 route
set flow reverse-route clear-text always
set address "Untrust" "CLan-01" 192.168.28.0 255.255.255.0
set address "Untrust" "CLan-02" 192.168.29.0 255.255.255.0
set address "Zone01" "Lan-01" 192.168.32.0 255.255.255.0
set ike gateway "GW-01" address 172.17.0.253 outgoing-interface ethernet0/0 preshare password proposal pre-g2-3des-sha
set vpn "VPN-01" gateway "GW-01" proposal "g2-esp-3des-sha"
set policy id 11 from "Zone01" to "Untrust" "Lan-01" "CLan-01" "ANY" tunnel vpn "VPN-01"
set policy id 12 from "Untrust" to "Zone01" "CLan-01" "Lan-01" "ANY" tunnel vpn "VPN-01"
set policy id 21 from "Zone01" to "Untrust" "Lan-01" "CLan-02" "ANY" tunnel vpn "VPN-01"
set policy id 22 from "Untrust" to "Zone01" "CLan-02" "Lan-01" "ANY" tunnel vpn "VPN-01"
set route 192.168.32.0/23 interface ethernet0/1.1 gateway 172.19.1.253
set route 192.168.28.0/24 interface ethernet0/0 gateway 172.17.0.253
set route 192.168.29.0/24 interface ethernet0/0 gateway 172.17.0.253
ssg-> get policy
Total regular policies 6, Default deny, Software based policy search, new policy enabled.
ID From To Src-address Dst-address Service Action State ASTLCB
1 Trust Untrust Any Any ANY Permit enabled -----X
11 Zone01 Untrust SLan-01 CLan-01 ANY Tunnel enabled -----X
12 Untrust Zone01 CLan-01 SLan-01 ANY Tunnel enabled -----X
21 Zone01 Untrust SLan-01 CLan-02 ANY Tunnel enabled -----X
22 Untrust Zone01 CLan-02 SLan-01 ANY Tunnel enabled -----X
101 Zone01 Untrust Any Any ANY Permit enabled -----X
ssg-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 12 0
00000005> 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 11 0
00000006< 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 22 0
00000006> 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 21 0
Ping from the SSG side
ping 192.168.28.254 source Vlan32
Router# debug crypto ipsec
Router#
Feb 2 03:04:23 JST: IPSEC(validate_proposal_request): proposal part #1
Feb 2 03:04:23 JST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.17.0.253:0, remote= 172.17.0.251:0,
local_proxy= 192.168.28.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.32.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Feb 2 03:04:23 JST: Crypto mapdb : proxy_match
src addr : 192.168.28.0
dst addr : 192.168.32.0
protocol : 0
src port : 0
dst port : 0
Feb 2 03:04:23 JST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 2 03:04:23 JST: Crypto mapdb : proxy_match
src addr : 192.168.28.0
dst addr : 192.168.32.0
protocol : 0
src port : 0
dst port : 0
Feb 2 03:04:23 JST: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.17.0.251
Feb 2 03:04:23 JST: IPSEC(policy_db_add_ident): src 192.168.28.0, dest 192.168.32.0, dest_port 0
Feb 2 03:04:23 JST: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.0.253, sa_proto= 50,
sa_spi= 0xC9BAF342(3384472386),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4550099/3600)
Feb 2 03:04:23 JST: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.0.251, sa_proto= 50,
sa_spi= 0xA7D6C228(2815869480),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4550099/3600)
Feb 2 03:04:23 JST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 2 03:04:23 JST: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Feb 2 03:04:23 JST: IPSEC(key_engine_enable_outbound): enable SA with spi 2815869480/50
Feb 2 03:04:23 JST: IPSEC(update_current_outbound_sa): get enable SA peer 172.17.0.251 current outbound sa to SPI A7D6C228
Feb 2 03:04:23 JST: IPSEC(update_current_outbound_sa): updated peer 172.17.0.251 current outbound sa to SPI A7D6C228
Router#
ssg-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 172.17.0.253 500 esp:3des/sha1 a7d6c228 3594 4095M A/- 12 0
00000005> 172.17.0.253 500 esp:3des/sha1 c9baf342 3594 4095M A/- 11 0
00000006< 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 22 0
00000006> 172.17.0.253 500 esp:3des/sha1 00000000 expir unlim I/I 21 0
Router#show crypto isakmp sa
Load for five secs: 0%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 03:05:18.018 JST Mon Feb 2 2015
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.17.0.253 172.17.0.251 QM_IDLE 2022 ACTIVE
IPv6 Crypto ISAKMP SA
Ping from the SSG side to the second address
ping 192.168.29.254 source Vlan32
Router#
Feb 2 03:06:15 JST: IPSEC(validate_proposal_request): proposal part #1
Feb 2 03:06:15 JST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.17.0.253:0, remote= 172.17.0.251:0,
local_proxy= 192.168.29.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.32.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Feb 2 03:06:15 JST: Crypto mapdb : proxy_match
src addr : 192.168.29.0
dst addr : 192.168.32.0
protocol : 0
src port : 0
dst port : 0
Feb 2 03:06:15 JST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 2 03:06:15 JST: Crypto mapdb : proxy_match
src addr : 192.168.29.0
dst addr : 192.168.32.0
protocol : 0
src port : 0
dst port : 0
Feb 2 03:06:15 JST: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.17.0.251
Feb 2 03:06:15 JST: IPSEC(policy_db_add_ident): src 192.168.29.0, dest 192.168.32.0, dest_port 0
Feb 2 03:06:15 JST: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.0.253, sa_proto= 50,
sa_spi= 0x1B3ABE18(456834584),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 9
sa_lifetime(k/sec)= (4459339/3600)
Feb 2 03:06:15 JST: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.0.251, sa_proto= 50,
sa_spi= 0xA7D6C229(2815869481),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 10
sa_lifetime(k/sec)= (4459339/3600)
Feb 2 03:06:16 JST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 2 03:06:16 JST: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Feb 2 03:06:16 JST: IPSEC(key_engine_enable_outbound): enable SA with spi 2815869481/50
Feb 2 03:06:16 JST: IPSEC(update_current_outbound_sa): get enable SA peer 172.17.0.251 current outbound sa to SPI A7D6C229
Feb 2 03:06:16 JST: IPSEC(update_current_outbound_sa): updated peer 172.17.0.251 current outbound sa to SPI A7D6C229
Router#
ssg-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000005< 172.17.0.253 500 esp:3des/sha1 a7d6c228 3483 4095M A/- 12 0
00000005> 172.17.0.253 500 esp:3des/sha1 c9baf342 3483 4095M A/- 11 0
00000006< 172.17.0.253 500 esp:3des/sha1 a7d6c229 3596 4095M A/- 22 0
00000006> 172.17.0.253 500 esp:3des/sha1 1b3abe18 3596 4095M A/- 21 0
Router#show crypto isakmp sa
Load for five secs: 0%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 03:07:23.349 JST Mon Feb 2 2015
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.17.0.253 172.17.0.251 QM_IDLE 2022 ACTIVE
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
Load for five secs: 3%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 03:08:01.234 JST Mon Feb 2 2015
interface: FastEthernet0
Crypto map tag: VPN, local addr 172.17.0.253
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.28.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xA7D6C228(2815869480)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xC9BAF342(3384472386)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4550098/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA7D6C228(2815869480)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4550098/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.28.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.33.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xA7D6C229(2815869481)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x1B3ABE18(456834584)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4459338/3494)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA7D6C229(2815869481)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4459338/3494)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.33.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
access-list 111 remark ###### IPSEC-01 ######
access-list 111 permit ip any 192.168.32.0 0.0.0.255
Change the address object on the SSG side and specify the proxy-id
set address Untrust Clan-01 192.168.28.0/23
set vpn "VPN-01" proxy-id local-ip 192.168.32.0/24 remote-ip 192.168.28.0/23 "ANY"
set policy id 11 from "Zone01" to "Untrust" "SLan-01" "CLan-01" "ANY" tunnel vpn "VPN-01"
set policy id 12 from "Untrust" to "Zone01" "CLan-01" "SLan-01" "ANY" tunnel vpn "VPN-01"
Check the Proxy-ID on the Cisco side
Router#show crypto ipsec sa
Load for five secs: 0%/0%; one minute: 3%; five minutes: 2%
Time source is NTP, 04:01:09.915 JST Mon Feb 2 2015
interface: FastEthernet0
Crypto map tag: VPN, local addr 172.17.0.253
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Check the Proxy-ID on the SSG side
ssg-> get policy id 11
name:"none" (id 11), zone Zone01 -> Untrust,action Tunnel, status "enabled", pair policy 12
src "SLan-01", dst "Clan-01", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn VPN-01, nsp tunnel 40000008, sa index 0, sa tunnel id 8
policy flag 00000000, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
local 192.168.32.0/255.255.255.0, remote 192.168.28.0/255.255.254.0, proto 0, port 0
No Authentication
No User, User Group or Group expression set
Ping from the SSG side
Switch#ping 192.168.28.254 source Vlan32
ssg-> get ike cookie
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80182f/0003, 172.17.0.251:500->172.17.0.253:500, PRESHR/grp2/3DES/SHA, xchg(2) (GW-01/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28759 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
ssg-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000008< 172.17.0.253 500 esp:3des/sha1 a7d6c22c 3558 4095M A/- 12 0
00000008> 172.17.0.253 500 esp:3des/sha1 f7a6a89d 3558 4095M A/- 11 0
Router#show crypto ipsec sa
Load for five secs: 0%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 04:05:31.100 JST Mon Feb 2 2015
interface: FastEthernet0
Crypto map tag: VPN, local addr 172.17.0.253
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.28.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xA7D6C22C(2815869484)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xF7A6A89D(4154894493)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4579697/3550)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA7D6C22C(2815869484)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4579697/3550)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer 172.17.0.251 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.17.0.253, remote crypto endpt.: 172.17.0.251
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
It connects even though the Proxy-IDs differ (the subnet length was changed, etc.)?
Last updated: 2016-10-02 03:10