IPSec VPNでPingが通らない
ネットワーク初心者です。
現在構成図のような「Cisco WAN 実践ケーススタディ(インプレスジャパン)」に記載されている設定内容と同じ設定をGNS3というシュミレーションソフトでIPSec VPNを設定しているのですが、PC1からPC2へpingが通りません。
大変お手数ですが、原因と解決策をご教示いただけないでしょうか。
設定内容についても記載します。
よろしくお願い致します。
※access-listについては自分で追加しました。
・WAN1
WAN1#show run line
Building configuration...
Current configuration : 2252 bytes
1 : !
2 : version 12.4
3 : service timestamps debug datetime msec
4 : service timestamps log datetime msec
5 : no service password-encryption
6 : !
7 : hostname WAN1
8 : !
9 : boot-start-marker
10 : boot-end-marker
11 : !
12 : !
13 : no aaa new-model
14 : memory-size iomem 5
15 : no ip icmp rate-limit unreachable
16 : ip cef
17 : !
18 : !
19 : !
20 : !
21 : no ip domain lookup
22 : !
23 : multilink bundle-name authenticated
24 : !
25 : !
26 : !
27 : !
28 : !
29 : !
30 : !
31 : !
32 : !
33 : !
34 : !
35 : !
36 : !
37 : !
38 : !
39 : !
40 : !
41 : !
42 : !
43 : !
44 : !
45 : archive
46 : log config
47 : hidekeys
48 : !
49 : !
50 : crypto isakmp policy 1
51 : encr 3des
52 : hash md5
53 : authentication pre-share
54 : crypto isakmp key cisco address 64.100.2.1
55 : crypto isakmp keepalive 30 periodic
56 : !
57 : !
58 : crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
59 : !
60 : crypto map IPSECL2L 1 ipsec-isakmp
61 : set peer 64.100.2.1
62 : set transform-set IPSEC
63 : match address 100
64 : !
65 : !
66 : !
67 : ip tcp synwait-time 5
68 : !
69 : !
70 : !
71 : !
72 : interface Loopback0
73 : ip address 64.100.1.1 255.255.255.0
74 : !
75 : interface FastEthernet0/0
76 : no ip address
77 : ip access-group 101 in
78 : ip access-group 101 out
79 : duplex auto
80 : speed auto
81 : pppoe enable group global
82 : pppoe-client dial-pool-number 1
83 : !
84 : interface Serial0/0
85 : no ip address
86 : shutdown
87 : clock rate 2000000
88 : !
89 : interface FastEthernet0/1
90 : no ip address
91 : shutdown
92 : duplex auto
93 : speed auto
94 : !
95 : interface Serial0/1
96 : no ip address
97 : shutdown
98 : clock rate 2000000
99 : !
100 : interface FastEthernet1/0
101 : no ip address
102 : shutdown
103 : duplex auto
104 : speed auto
105 : !
106 : interface FastEthernet2/0
107 : ip address 192.168.1.254 255.255.255.0
108 : ip access-group 101 in
109 : ip access-group 101 out
110 : ip tcp adjust-mss 1356
111 : duplex auto
112 : speed auto
113 : !
114 : interface Dialer1
115 : ip unnumbered Loopback0
116 : ip mtu 1454
117 : encapsulation ppp
118 : dialer pool 1
119 : dialer-group 1
120 : ppp authentication chap callin
121 : ppp chap hostname 2811@cisco.com
122 : ppp chap password 0 cisco
123 : crypto map IPSECL2L
124 : !
125 : ip forward-protocol nd
126 : ip route 0.0.0.0 0.0.0.0 Dialer1
127 : !
128 : !
129 : no ip http server
130 : no ip http secure-server
131 : !
132 : access-list 100 permit ip any any
133 : access-list 101 permit ip any any
134 : access-list 101 permit icmp any any
135 : access-list 101 permit udp any any eq isakmp
136 : access-list 101 permit esp any any
137 : dialer-list 1 protocol ip permit
138 : no cdp log mismatch duplex
139 : !
140 : !
141 : !
142 : !
143 : !
144 : !
145 : control-plane
146 : !
147 : !
148 : !
149 : !
150 : !
151 : !
152 : !
153 : !
154 : !
155 : !
156 : gatekeeper
157 : shutdown
158 : !
159 : !
160 : line con 0
161 : exec-timeout 0 0
162 : privilege level 15
163 : logging synchronous
164 : line aux 0
165 : exec-timeout 0 0
166 : privilege level 15
167 : logging synchronous
168 : line vty 0 4
169 : login
170 : !
171 : !
172 : end
WAN1#
・WAN2
WAN2#show run line
Building configuration...
Current configuration : 2252 bytes
1 : !
2 : version 12.4
3 : service timestamps debug datetime msec
4 : service timestamps log datetime msec
5 : no service password-encryption
6 : !
7 : hostname WAN2
8 : !
9 : boot-start-marker
10 : boot-end-marker
11 : !
12 : !
13 : no aaa new-model
14 : memory-size iomem 5
15 : no ip icmp rate-limit unreachable
16 : ip cef
17 : !
18 : !
19 : !
20 : !
21 : no ip domain lookup
22 : !
23 : multilink bundle-name authenticated
24 : !
25 : !
26 : !
27 : !
28 : !
29 : !
30 : !
31 : !
32 : !
33 : !
34 : !
35 : !
36 : !
37 : !
38 : !
39 : !
40 : !
41 : !
42 : !
43 : !
44 : !
45 : archive
46 : log config
47 : hidekeys
48 : !
49 : !
50 : crypto isakmp policy 1
51 : encr 3des
52 : hash md5
53 : authentication pre-share
54 : crypto isakmp key cisco address 64.100.1.1
55 : crypto isakmp keepalive 30 periodic
56 : !
57 : !
58 : crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
59 : !
60 : crypto map IPSECL2L 1 ipsec-isakmp
61 : set peer 64.100.1.1
62 : set transform-set IPSEC
63 : match address 100
64 : !
65 : !
66 : !
67 : ip tcp synwait-time 5
68 : !
69 : !
70 : !
71 : !
72 : interface Loopback0
73 : ip address 64.100.2.1 255.255.255.0
74 : !
75 : interface FastEthernet0/0
76 : no ip address
77 : ip access-group 101 in
78 : ip access-group 101 out
79 : duplex auto
80 : speed auto
81 : pppoe enable group global
82 : pppoe-client dial-pool-number 1
83 : !
84 : interface Serial0/0
85 : no ip address
86 : shutdown
87 : clock rate 2000000
88 : !
89 : interface FastEthernet0/1
90 : no ip address
91 : shutdown
92 : duplex auto
93 : speed auto
94 : !
95 : interface Serial0/1
96 : no ip address
97 : shutdown
98 : clock rate 2000000
99 : !
100 : interface FastEthernet1/0
101 : no ip address
102 : shutdown
103 : duplex auto
104 : speed auto
105 : !
106 : interface FastEthernet2/0
107 : ip address 192.168.2.254 255.255.255.0
108 : ip access-group 101 in
109 : ip access-group 101 out
110 : ip tcp adjust-mss 1356
111 : duplex auto
112 : speed auto
113 : !
114 : interface Dialer1
115 : ip unnumbered Loopback0
116 : ip mtu 1454
117 : encapsulation ppp
118 : dialer pool 1
119 : dialer-group 1
120 : ppp authentication chap callin
121 : ppp chap hostname 2811@cisco.com
122 : ppp chap password 0 cisco
123 : crypto map IPSECL2L
124 : !
125 : ip forward-protocol nd
126 : ip route 0.0.0.0 0.0.0.0 Dialer1
127 : !
128 : !
129 : no ip http server
130 : no ip http secure-server
131 : !
132 : access-list 100 permit ip any any
133 : access-list 101 permit ip any any
134 : access-list 101 permit icmp any any
135 : access-list 101 permit udp any any eq isakmp
136 : access-list 101 permit esp any any
137 : dialer-list 1 protocol ip permit
138 : no cdp log mismatch duplex
139 : !
140 : !
141 : !
142 : !
143 : !
144 : !
145 : control-plane
146 : !
147 : !
148 : !
149 : !
150 : !
151 : !
152 : !
153 : !
154 : !
155 : !
156 : gatekeeper
157 : shutdown
158 : !
159 : !
160 : line con 0
161 : exec-timeout 0 0
162 : privilege level 15
163 : logging synchronous
164 : line aux 0
165 : exec-timeout 0 0
166 : privilege level 15
167 : logging synchronous
168 : line vty 0 4
169 : login
170 : !
171 : !
172 : end
WAN2#
・PC-1
PC-1> show ip
NAME : PC-1[1]
IP/MASK : 192.168.1.1/24
GATEWAY : 192.168.1.254
DNS :
MAC : 00:50:79:66:68:01
LPORT : 10068
RHOST:PORT : 127.0.0.1:10069
MTU: : 1500
PC-1>
・PC-2
PC-2> show ip
NAME : PC-2[1]
IP/MASK : 192.168.2.1/24
GATEWAY : 192.168.2.254
DNS :
MAC : 00:50:79:66:68:00
LPORT : 10070
RHOST:PORT : 127.0.0.1:10071
MTU: : 1500
PC-2>
PC-1からPC-2へpingを飛ばしたときのWANルーターの挙動です。
・WAN1
WAN1#show crypto session
Crypto session current status
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 64.100.2.1 port 500
IKE SA: local 64.100.1.1/500 remote 64.100.2.1/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
WAN1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
64.100.2.1 64.100.1.1 MM_NO_STATE 0 0 ACTIVE
IPv6 Crypto ISAKMP SA
WAN1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
WAN1#
WAN1#debug crypto isakmp
Crypto ISAKMP debugging is on
WAN1#
*Mar 1 00:21:26.935: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 00:21:26.935: ISAKMP: Created a peer struct for 64.100.2.1, peer port 500
*Mar 1 00:21:26.935: ISAKMP: New peer created peer = 0x66F690B8 peer_handle = 0x80000004
*Mar 1 00:21:26.935: ISAKMP: Locking peer struct 0x66F690B8, refcount 1 for isakmp_initiator
*Mar 1 00:21:26.935: ISAKMP: local port 500, remote port 500
*Mar 1 00:21:26.935: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:21:26.935: insert sa successfully sa = 66C7A93C
*Mar 1 00:21:26.935: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:21:26.935: ISAKMP:(0):found peer pre-shared key matching 64.100.2.1
WAN1#
*Mar 1 00:21:26.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 00:21:26.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 00:21:26.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 00:21:26.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 00:21:26.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:21:26.935: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:21:26.935: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 00:21:26.935: ISAKMP:(0): sending packet to 64.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:21:26.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
WAN1#
*Mar 1 00:21:36.935: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:21:36.935: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:21:36.935: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:21:36.939: ISAKMP:(0): sending packet to 64.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:21:36.939: ISAKMP:(0):Sending an IKE IPv4 Packet.
WAN1#
*Mar 1 00:21:46.939: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:21:46.939: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:21:46.939: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:21:46.943: ISAKMP:(0): sending packet to 64.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:21:46.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
WAN1#
*Mar 1 00:21:56.931: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:21:56.935: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 64.100.1.1, remote 64.100.2.1)
*Mar 1 00:21:56.935: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 1 00:21:56.935: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 1 00:21:56.943: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:21:56.943: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 00:21:56.943: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
WAN1#
*Mar 1 00:21:56.947: ISAKMP:(0): sending packet to 64.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:21:56.947: ISAKMP:(0):Sending an IKE IPv4 Packet.
WAN1#
*Mar 1 00:22:06.947: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:22:06.947: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 00:22:06.947: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:22:06.951: ISAKMP:(0): sending packet to 64.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:22:06.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
WAN1#
・WAN2
WAN2#show crypto session
Crypto session current status
Interface: Dialer1
Session status: DOWN
Peer: 64.100.1.1 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
WAN2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
WAN2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
WAN2#