リリースの詳細はリリースノートをご覧ください。
IKE Phase-2 ID(Proxy ID)の設定に対応しました。これにより、異機種への相互接続性が上がります。
IKE Phase-2 IDの不一致
現在、トランスポートモードのIPsecの折衝時に使用される、IKE Phase-2 ID(Proxy ID)の実装はベンダごとに多少の違いがあります。そのため、異機種同士をVPN接続しようとした際に、IKE Phase-2 IDの不一致により、SAが確立できないという状況に遭遇することが稀に発生します。この場合、ID Missmatch のような Log が双方に記載され、Algorithm 等は揃えているのに、VPN 通信が行えません。どちらかの機器が、IKE Phase-2 IDを変更できれば、相手に合わせて設定することで接続可能になります。これまで、SEILはIKE Phase-2 IDとして 0.0.0.0 を固定で送信していましたが、異機種間の接続を考えた際に設定できた方が Network 構築の際に柔軟性が上がりますので、IKE Phase-2 ID(Proxy ID) 設定として実装しました。
IKE Phase-2 ID不一致状態の確認
ここでは、NEC の IX2015 という機器との接続設定を紹介します。まず、SEIL側は従来通りの設定とします。この場合、IKE Phase-2 ID が不一致となるので、Phase-2 の確立ができません。
SEIL 設定
hostname "OBJ"
environment login-timer none
interface lan0 add 192.168.0.1/24
interface lan1 add 172.16.0.1/24
interface ipsec0 tunnel 172.16.0.1 172.16.0.2
interface ipsec0 unnumbered
route add 192.168.1.0/24 ipsec0
ike preshared-key add "172.16.0.2" "hogehoge"
ike proposal add test encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 10m
ike peer add test address 172.16.0.2 exchange-mode main proposals test tunnel-interface enable
ipsec security-association proposal add test authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 05m
ipsec security-association add test tunnel-interface ipsec0 ike test esp enable
IX-2015 設定
logging buffered 10240
logging subsystem ike debug
ip route 192.168.0.0/24 Tunnel0.0
ip access-list list permit ip src any dest any
ike proposal ike-prop encryption aes hash sha group 1024-bit lifetime 600
ike policy ike-policy peer 172.16.0.1 key hogehoge ike-prop
ipsec autokey-proposal ipsec-prop esp-aes esp-sha lifetime time 300
ipsec autokey-map ipsec-policy list peer 172.16.0.1 ipsec-prop
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
interface FastEthernet0/0.0
ip address 172.16.0.2/24
no shutdown
interface FastEthernet1/0.0
ip address 192.168.1.1/24
no shutdown
interface Tunnel0.0
tunnel mode ipsec
ip unnumbered FastEthernet1/0.0
ipsec policy tunnel ipsec-policy out
no shutdown
IPsec ID 不一致を示している Log
SEIL側
98 Jan 5 07:27:06 info ike racoon: initiate new phase 1 negotiation: 172.16.0.1[500]<=>172.16.0.2[500] 99 Jan 5 07:27:06 info ike racoon: begin Identity Protection mode. 100 Jan 5 07:27:06 info ike racoon: received Vendor ID: DPD 101 Jan 5 07:27:06 info ike racoon: received Vendor ID: DPD 102 Jan 5 07:27:06 info ike racoon: send INITIAL-CONTACT notification to172.16.0.2[500] 103 Jan 5 07:27:06 info ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:ea7faa4a2c9f9393:451fab90cc211ad2 104 Jan 5 07:27:07 info ike racoon: delay phase2 start for 4 sec. 105 Jan 5 07:27:11 info ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:ea7faa4a2c9f9393:451fab90cc211ad2 106 Jan 5 07:27:11 info ike racoon: received INVALID-ID-INFORMATION notification from 172.16.0.2[500]] ]></ac:plain-text-body></ac:macro><p>INVALID-ID-INFORMATION が出力されています</p><p>IX側</p><ac:macro ac:name="noformat"><ac:plain-text-body><![CDATA[ IKE.002: Finish IKE phase 1 negotiation, destination 172.16.0.1 IKE.006: Receive packet from 172.16.0.1, length 92 IKE.009: Receive notification data from 172.16.0.1, type 24578:INITIAL-CONTACT, protocol ISAKMP IKE.006: Receive packet from 172.16.0.1, length 172 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1 IKE.045: Receive payload, type 8:HASH, length 24 IKE.045: Receive payload, type 1:SA, length 52 IKE.045: Receive payload, type 10:NONCE, length 20 IKE.045: Receive payload, type 5:ID, length 16 IKE.045: Receive payload, type 5:ID, length 16 IKE.043: IPsec configuration not found IKE.007: Send notification data to 172.16.0.1, type 18:INVALID-ID-INFORMATION, protocol ISAKMP
こちらも、INVALID-ID-INFORMATION が出力されています。このように、IKE Phase-2 IDが不一致の場合は Phase-2 の確立が行われず、VPN 通信が始まりません。
IKE Phase-2 ID を指定する
SEIL側でIKE Phase-2 ID指定機能を用いて、IXと同じIDを設定します。具体的には
ipsec security-association add <name> tunnel-interface <I/F> .... proxy-id-local <ID> proxy-id-remote <ID>
を使用します。この行を変更した SEIL の設定は以下のようになります。
hostname "OBJ"
environment login-timer none
interface lan0 add 192.168.0.1/24
interface lan1 add 172.16.0.1/24
interface ipsec0 tunnel 172.16.0.1 172.16.0.2
interface ipsec0 unnumbered
route add 192.168.1.0/24 ipsec0
ike preshared-key add "172.16.0.2" "hogehoge"
ike proposal add test encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 10m
ike peer add test address 172.16.0.2 exchange-mode main proposals test tunnel-interface enable
ipsec security-association proposal add test authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 05m
ipsec security-association add test tunnel-interface ipsec0 ike test esp enable proxy-id-local 172.16.0.1 proxy-id-remote 172.16.0.2
IX側の設定は先ほどと同じです。
logging buffered 10240
logging subsystem ike debug
ip route 192.168.0.0/24 Tunnel0.0
ip access-list list permit ip src any dest any
ike proposal ike-prop encryption aes hash sha group 1024-bit lifetime 600
ike policy ike-policy peer 172.16.0.1 key hogehoge ike-prop
ipsec autokey-proposal ipsec-prop esp-aes esp-sha lifetime time 300
ipsec autokey-map ipsec-policy list peer 172.16.0.1 ipsec-prop
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
interface FastEthernet0/0.0
ip address 172.16.0.2/24
no shutdown
interface FastEthernet1/0.0
ip address 192.168.1.1/24
no shutdown
interface Tunnel0.0
tunnel mode ipsec
ip unnumbered FastEthernet1/0.0
ipsec policy tunnel ipsec-policy out
no shutdown
IX側の、
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
の設定行と対応しています。(向きが逆になるので、Remote,Local が入れ替わる)
接続時のLog
SEIL側
90 Jan 5 07:37:54 info ike racoon: send INITIAL-CONTACT notification to172.16.0.2[500] 91 Jan 5 07:37:54 info ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:d628859f7391f9d5:0dd2a11d65cb1027 92 Jan 5 07:37:55 info ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:d628859f7391f9d5:0dd2a11d65cb1027 93 Jan 5 07:37:55 info ike racoon: IPsec-SA established: ESP/Transport 172.16.0.2->172.16.0.1 spi=244160156(0xe8d969c) 94 Jan 5 07:37:55 info ike racoon: IPsec-SA established: ESP/Transport 172.16.0.1->172.16.0.2 spi=2934033157(0xaee1cb05) 95 Jan 5 07:37:56 info system Security Association Database Initialized. 96 Jan 5 07:37:56 info ike racoon: send IPsec-SA delete information to 172.16.0.2[500] 97 Jan 5 07:37:56 info system Security Policy Database Initialized. 98 Jan 5 07:37:57 info ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:d628859f7391f9d5:0dd2a11d65cb1027 99 Jan 5 07:37:57 info ike racoon: IPsec-SA established: ESP/Transport 172.16.0.2->172.16.0.1 spi=267961179(0xff8c35b) 100 Jan 5 07:37:57 info ike racoon: IPsec-SA established: ESP/Transport 172.16.0.1->172.16.0.2 spi=3738209920(0xded08e80)
INVALID-ID-INFORMATION の Log は出ていません
IX側
IKE.009: Receive notification data from 172.16.0.1, type 24578:INITIAL-CONTACT, protocol ISAKMP IKE.006: Receive packet from 172.16.0.1, length 156 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1 IKE.045: Receive payload, type 8:HASH, length 24 IKE.045: Receive payload, type 1:SA, length 52 IKE.045: Receive payload, type 10:NONCE, length 20 IKE.045: Receive payload, type 5:ID, length 12 IKE.045: Receive payload, type 5:ID, length 12 IKE.005: Send packet to 172.16.0.1, length 156 IKE.006: Receive packet from 172.16.0.1, length 60 IKE.045: Receive payload, type 8:HASH, length 24 IKE.002: Finish IKE phase 2 negotiation, destination 172.16.0.1 IKE.006: Receive packet from 172.16.0.1, length 76 IKE.014: Receive delete information, protocol ESP, SPI 0xe8d969c IKE.012: Send delete information, protocol ESP, SPI 0xaee1cb05 IKE.005: Send packet to 172.16.0.1, length 76 IKE.006: Receive packet from 172.16.0.1, length 156 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1 IKE.045: Receive payload, type 8:HASH, length 24 IKE.045: Receive payload, type 1:SA, length 52 IKE.045: Receive payload, type 10:NONCE, length 20 IKE.045: Receive payload, type 5:ID, length 12 IKE.045: Receive payload, type 5:ID, length 12 IKE.005: Send packet to 172.16.0.1, length 156 IKE.006: Receive packet from 172.16.0.1, length 60 IKE.045: Receive payload, type 8:HASH, length 24 IKE.002: Finish IKE phase 2 negotiation, destination 172.16.0.1
こちらも、INVALID-ID-INFORMATION の Log は出ていません。無事に、繋がりました。
既存のVPNが既にある状況で、それらを実現している機器と SEIL を接続する際に、より柔軟に設定が行えるようになりましたので、是非、ご活用ください。