[Firmware Release] SEIL/X,B1 ver.4.80 & SEIL/x86 ver.3.40

We have released new SEIL firmware: SEIL/X,B1 Ver4.80 and SEIL/x86 Ver3.40. This article introduces the IKE Phase-2 ID (Proxy ID) setting added in this release.


See the release notes for the details of this release.

The IKE Phase-2 ID (Proxy ID) can now be configured. This improves interoperability with equipment from other vendors.

IKE Phase-2 ID mismatch

Implementations of the IKE Phase-2 ID (Proxy ID) used when negotiating transport-mode IPsec currently differ slightly from vendor to vendor. As a result, when connecting equipment from different vendors over a VPN, you occasionally run into a situation where no SA can be established because the IKE Phase-2 IDs do not match. In that case both sides log something like an ID mismatch, and no VPN traffic flows even though the algorithms and other parameters are aligned. The Phase-2 IDs are what the responder uses to select its IPsec policy, so both sides must describe the same pair of endpoints, with local and remote seen from each side. If either device can change its IKE Phase-2 ID, the connection can be made by setting it to match the peer. Until now SEIL always sent 0.0.0.0 as its IKE Phase-2 ID; being able to configure it gives more flexibility when building networks with other vendors' equipment, so it has been implemented as the IKE Phase-2 ID (Proxy ID) setting.
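To make the mismatch concrete, the following added example (not code from the original article or from SEIL) encodes IKEv1 Phase-2 ID payloads in the RFC 2407 Identification payload format and models the responder's policy lookup. It assumes that SEIL's old fixed 0.0.0.0 ID was sent as the subnet 0.0.0.0/0 (an assumption; the 16-byte ID payloads in the IX log below are consistent with it) and uses the IX policy from this page, local-id 172.16.0.2 / remote-id 172.16.0.1. The policy list and the negotiate() helper are constructed for the example.

```python
import ipaddress
import struct

# Identification payload as used for IKEv1 Phase-2 (Quick Mode) IDs,
# RFC 2407 section 4.6.2: a 4-byte generic payload header (next payload,
# reserved, length) followed by ID type, protocol ID, port and the ID data.
ID_IPV4_ADDR = 1         # 4 bytes of data -> 12-byte payload
ID_IPV4_ADDR_SUBNET = 4  # address + mask  -> 16-byte payload

# Assumed: SEIL's old fixed "0.0.0.0" ID was sent as the subnet 0.0.0.0/0.
SEIL_OLD_LOCAL, SEIL_OLD_REMOTE = "0.0.0.0/0", "0.0.0.0/0"
SEIL_NEW_LOCAL, SEIL_NEW_REMOTE = "172.16.0.1", "172.16.0.2"

# The IX policy from this page: (policy name, local-id, remote-id).
IX_POLICIES = [("ipsec-policy", "172.16.0.2", "172.16.0.1")]


def build_phase2_id(selector: str, next_payload: int = 0) -> bytes:
    """Encode one Phase-2 ID payload. A bare address becomes ID_IPV4_ADDR,
    an address with a prefix length becomes ID_IPV4_ADDR_SUBNET.
    Protocol 0 and port 0 mean "any", as in the configurations on this page."""
    if "/" in selector:
        net = ipaddress.IPv4Network(selector, strict=False)
        id_type, data = ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed
    else:
        id_type, data = ID_IPV4_ADDR, ipaddress.IPv4Address(selector).packed
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0)
    return header + data


def parse_phase2_id(payload: bytes):
    """Decode an ID payload into (id_type, selector, payload_length)."""
    _next, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    data = payload[8:length]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        selector = str(ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr, mask = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:])
        selector = str(ipaddress.IPv4Network((str(addr), str(mask))))
    else:
        raise ValueError(f"unsupported ID type {id_type} / length {length}")
    return id_type, selector, length


def responder_lookup(policies, idci: bytes, idcr: bytes):
    """Model of the responder's policy search in Quick Mode. IDci carries the
    initiator's own identity, so it is matched against the responder's
    remote-id; IDcr is matched against its local-id. Returns the policy
    name, or None, which is the case the IX reports as "IPsec configuration
    not found" before answering INVALID-ID-INFORMATION."""
    _, initiator_sel, _ = parse_phase2_id(idci)
    _, responder_sel, _ = parse_phase2_id(idcr)
    for name, local_id, remote_id in policies:
        if local_id == responder_sel and remote_id == initiator_sel:
            return name
    return None


def negotiate(local: str, remote: str):
    """Build SEIL's IDci/IDcr for the given proxy IDs and run the IX lookup.
    Returns (ID payload length, matched policy or None)."""
    idci = build_phase2_id(local, next_payload=5)  # next payload: the second ID
    idcr = build_phase2_id(remote)
    return len(idci), responder_lookup(IX_POLICIES, idci, idcr)


if __name__ == "__main__":
    print("old SEIL IDs:", negotiate(SEIL_OLD_LOCAL, SEIL_OLD_REMOTE))  # (16, None)
    print("new SEIL IDs:", negotiate(SEIL_NEW_LOCAL, SEIL_NEW_REMOTE))  # (12, 'ipsec-policy')
```

With the old 0.0.0.0/0 IDs the lookup finds nothing and the payloads are 16 bytes; with host IDs that mirror the IX policy the payloads are 12 bytes and the policy matches. Swapping local and remote on the SEIL side also fails the lookup, which is why the direction of the IDs matters as much as their values.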

Confirming the IKE Phase-2 ID mismatch

Here we show the settings for connecting to an NEC IX2015. First, the SEIL side uses the conventional settings. In this case the IKE Phase-2 IDs do not match, so Phase 2 cannot be established.

SEIL configuration

hostname "OBJ"
environment login-timer none
interface lan0 add 192.168.0.1/24
interface lan1 add 172.16.0.1/24
interface ipsec0 tunnel 172.16.0.1 172.16.0.2
interface ipsec0 unnumbered
route add 192.168.1.0/24 ipsec0
ike preshared-key add "172.16.0.2" "hogehoge"
ike proposal add test encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 10m
ike peer add test address 172.16.0.2 exchange-mode main proposals test tunnel-interface enable
ipsec security-association proposal add test authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 05m
ipsec security-association add test tunnel-interface ipsec0 ike test esp enable 

IX2015 configuration

logging buffered 10240
logging subsystem ike debug
ip route 192.168.0.0/24 Tunnel0.0
ip access-list list permit ip src any dest any
ike proposal ike-prop encryption aes hash sha group 1024-bit lifetime 600
ike policy ike-policy peer 172.16.0.1 key hogehoge ike-prop
ipsec autokey-proposal ipsec-prop esp-aes esp-sha lifetime time 300
ipsec autokey-map ipsec-policy list peer 172.16.0.1 ipsec-prop
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
interface FastEthernet0/0.0
  ip address 172.16.0.2/24
  no shutdown
interface FastEthernet1/0.0
  ip address 192.168.1.1/24
  no shutdown
interface Tunnel0.0
  tunnel mode ipsec
  ip unnumbered FastEthernet1/0.0
  ipsec policy tunnel ipsec-policy out
  no shutdown

Log showing the IPsec ID mismatch

SEIL side

 98 Jan  5 07:27:06    info    ike racoon: initiate new phase 1 negotiation: 172.16.0.1[500]<=>172.16.0.2[500]
 99 Jan  5 07:27:06    info    ike racoon: begin Identity Protection mode.
100 Jan  5 07:27:06    info    ike racoon: received Vendor ID: DPD
101 Jan  5 07:27:06    info    ike racoon: received Vendor ID: DPD
102 Jan  5 07:27:06    info    ike racoon: send INITIAL-CONTACT notification to172.16.0.2[500]
103 Jan  5 07:27:06    info    ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:ea7faa4a2c9f9393:451fab90cc211ad2
104 Jan  5 07:27:07    info    ike racoon: delay phase2 start for 4 sec.
105 Jan  5 07:27:11    info    ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:ea7faa4a2c9f9393:451fab90cc211ad2
106 Jan  5 07:27:11    info    ike racoon: received INVALID-ID-INFORMATION notification from 172.16.0.2[500]

INVALID-ID-INFORMATION is output.

IX side

 IKE.002: Finish IKE phase 1 negotiation, destination 172.16.0.1
 IKE.006: Receive packet from 172.16.0.1, length 92
 IKE.009: Receive notification data from 172.16.0.1, type 24578:INITIAL-CONTACT, protocol ISAKMP
 IKE.006: Receive packet from 172.16.0.1, length 172
 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1
 IKE.045: Receive payload, type 8:HASH, length 24
 IKE.045: Receive payload, type 1:SA, length 52
 IKE.045: Receive payload, type 10:NONCE, length 20
 IKE.045: Receive payload, type 5:ID, length 16
 IKE.045: Receive payload, type 5:ID, length 16
 IKE.043: IPsec configuration not found
 IKE.007: Send notification data to 172.16.0.1, type 18:INVALID-ID-INFORMATION, protocol ISAKMP

INVALID-ID-INFORMATION is output here too; note the preceding "IPsec configuration not found", which says that the IX found no policy matching the received IDs. When the IKE Phase-2 IDs do not match in this way, Phase 2 is not established and VPN traffic never starts, even though Phase 1 completed normally.
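The two log excerpts above carry enough to tell a Phase-2 ID mismatch apart from a Phase-1 failure or a working tunnel. The following added example (not from the original article) runs that triage over sample lines copied from this page's SEIL and IX logs; the verdict labels, the pattern names and the classification of ID payload sizes are this example's own.

```python
import re
from collections import Counter

# Sample lines copied from the logs on this page (SEIL racoon log, NEC IX IKE debug log).
SEIL_MISMATCH_LOG = """\
103 Jan  5 07:27:06    info    ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:ea7faa4a2c9f9393:451fab90cc211ad2
105 Jan  5 07:27:11    info    ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:ea7faa4a2c9f9393:451fab90cc211ad2
106 Jan  5 07:27:11    info    ike racoon: received INVALID-ID-INFORMATION notification from 172.16.0.2[500]
"""
SEIL_OK_LOG = """\
 91 Jan  5 07:37:54    info    ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:d628859f7391f9d5:0dd2a11d65cb1027
 92 Jan  5 07:37:55    info    ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:d628859f7391f9d5:0dd2a11d65cb1027
 93 Jan  5 07:37:55    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.2->172.16.0.1 spi=244160156(0xe8d969c)
 94 Jan  5 07:37:55    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.1->172.16.0.2 spi=2934033157(0xaee1cb05)
"""
IX_MISMATCH_LOG = """\
IKE.002: Finish IKE phase 1 negotiation, destination 172.16.0.1
IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1
IKE.045: Receive payload, type 5:ID, length 16
IKE.045: Receive payload, type 5:ID, length 16
IKE.043: IPsec configuration not found
IKE.007: Send notification data to 172.16.0.1, type 18:INVALID-ID-INFORMATION, protocol ISAKMP
"""
IX_OK_LOG = """\
IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1
IKE.045: Receive payload, type 5:ID, length 12
IKE.045: Receive payload, type 5:ID, length 12
IKE.002: Finish IKE phase 2 negotiation, destination 172.16.0.1
"""

SEIL_PATTERNS = {
    "phase1_ok": re.compile(r"ISAKMP-SA established (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\]"),
    "phase2_start": re.compile(r"initiate new phase 2 negotiation"),
    "invalid_id_rx": re.compile(r"received INVALID-ID-INFORMATION notification from (?P<peer>[\d.]+)\[\d+\]"),
    "ipsec_sa_ok": re.compile(r"IPsec-SA established: (?P<mode>ESP/\w+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)"),
}
IX_PATTERNS = {
    "phase1_ok": re.compile(r"IKE\.002: Finish IKE phase 1 negotiation, destination (?P<peer>[\d.]+)"),
    "id_payload": re.compile(r"IKE\.045: Receive payload, type 5:ID, length (?P<length>\d+)"),
    "config_not_found": re.compile(r"IKE\.043: IPsec configuration not found"),
    "invalid_id_tx": re.compile(r"IKE\.007: Send notification data to (?P<peer>[\d.]+), type 18:INVALID-ID-INFORMATION"),
    "phase2_ok": re.compile(r"IKE\.002: Finish IKE phase 2 negotiation, destination (?P<peer>[\d.]+)"),
}


def scan(text, patterns):
    """Return (event counts, [(event name, captured fields), ...]) for matching lines."""
    counts, events = Counter(), []
    for line in text.splitlines():
        for name, rx in patterns.items():
            m = rx.search(line)
            if m:
                counts[name] += 1
                events.append((name, m.groupdict()))
    return counts, events


def id_kind(length: int) -> str:
    """ISAKMP ID payload = 8-byte header + data: 12 bytes is one IPv4 address,
    16 bytes is an IPv4 subnet (address + mask) or range (two addresses)."""
    return {12: "ipv4-address", 16: "ipv4-subnet-or-range"}.get(length, "other")


def diagnose_seil(text: str) -> str:
    counts, _ = scan(text, SEIL_PATTERNS)
    if counts["ipsec_sa_ok"]:
        return "ok"
    if not counts["phase1_ok"]:
        return "phase1-failed"        # PSK/proposal problem, not an ID problem
    if counts["invalid_id_rx"]:
        return "phase2-id-mismatch"   # peer rejected our IDci/IDcr
    return "unknown"


def diagnose_ix(text: str):
    """Return (verdict, kinds of the received Phase-2 ID payloads, in order)."""
    counts, events = scan(text, IX_PATTERNS)
    kinds = [id_kind(int(f["length"])) for name, f in events if name == "id_payload"]
    if counts["phase2_ok"]:
        return "ok", kinds
    if counts["config_not_found"] or counts["invalid_id_tx"]:
        return "phase2-id-mismatch", kinds
    return "unknown", kinds


if __name__ == "__main__":
    for label, text in (("SEIL before", SEIL_MISMATCH_LOG), ("SEIL after", SEIL_OK_LOG)):
        print(label, diagnose_seil(text))
    for label, text in (("IX before", IX_MISMATCH_LOG), ("IX after", IX_OK_LOG)):
        print(label, diagnose_ix(text))
```

The SEIL side is classified as a Phase-2 ID problem only when the ISAKMP SA was established first; a missing "ISAKMP-SA established" points at the pre-shared key or the Phase-1 proposal instead. On the IX side the ID payload length is reported alongside the verdict, since the change from 16 to 12 bytes is the visible trace of the proxy-id setting.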

Specifying the IKE Phase-2 ID

On the SEIL side, use the IKE Phase-2 ID setting to send the same IDs the IX expects. Specifically, use

ipsec security-association add <name> tunnel-interface <I/F>  .... proxy-id-local <ID> proxy-id-remote <ID>

With this line changed, the SEIL configuration is as follows.

hostname "OBJ"
environment login-timer none
interface lan0 add 192.168.0.1/24
interface lan1 add 172.16.0.1/24
interface ipsec0 tunnel 172.16.0.1 172.16.0.2
interface ipsec0 unnumbered
route add 192.168.1.0/24 ipsec0
ike preshared-key add "172.16.0.2" "hogehoge"
ike proposal add test encryption aes hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 10m
ike peer add test address 172.16.0.2 exchange-mode main proposals test tunnel-interface enable
ipsec security-association proposal add test authentication-algorithm hmac-sha1 encryption-algorithm aes lifetime-of-time 05m
ipsec security-association add test tunnel-interface ipsec0 ike test esp enable proxy-id-local 172.16.0.1 proxy-id-remote 172.16.0.2

The IX side configuration is the same as before.

logging buffered 10240
logging subsystem ike debug
ip route 192.168.0.0/24 Tunnel0.0
ip access-list list permit ip src any dest any
ike proposal ike-prop encryption aes hash sha group 1024-bit lifetime 600
ike policy ike-policy peer 172.16.0.1 key hogehoge ike-prop
ipsec autokey-proposal ipsec-prop esp-aes esp-sha lifetime time 300
ipsec autokey-map ipsec-policy list peer 172.16.0.1 ipsec-prop
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
interface FastEthernet0/0.0
  ip address 172.16.0.2/24
  no shutdown
interface FastEthernet1/0.0
  ip address 192.168.1.1/24
  no shutdown
interface Tunnel0.0
  tunnel mode ipsec
  ip unnumbered FastEthernet1/0.0
  ipsec policy tunnel ipsec-policy out
  no shutdown

The proxy-id-local / proxy-id-remote values correspond to the following lines on the IX side:

ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1

Since each side names the endpoints from its own point of view, local and remote are swapped: SEIL's proxy-id-local 172.16.0.1 is the IX's remote-id, and SEIL's proxy-id-remote 172.16.0.2 is the IX's local-id.
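Getting that swap wrong is the most common way to reintroduce the mismatch after the fix. The following added example (not from the original article or from either vendor) parses the SEIL security-association line and the IX local-id/remote-id lines copied from this page, checks that they mirror each other, and derives the SEIL options from an IX policy. The function names and problem messages are this example's own.

```python
import re

# Configuration lines copied from this page.
SEIL_SA_LINE = (
    "ipsec security-association add test tunnel-interface ipsec0 ike test esp enable "
    "proxy-id-local 172.16.0.1 proxy-id-remote 172.16.0.2"
)
SEIL_SA_LINE_OLD = "ipsec security-association add test tunnel-interface ipsec0 ike test esp enable"
IX_CONFIG = """\
ipsec autokey-map ipsec-policy list peer 172.16.0.1 ipsec-prop
ipsec local-id ipsec-policy 172.16.0.2
ipsec remote-id ipsec-policy 172.16.0.1
"""


def parse_ix_ids(text: str) -> dict:
    """Collect 'ipsec local-id|remote-id <policy> <id>' lines, keyed by policy name."""
    ids = {}
    for m in re.finditer(r"^ipsec (local-id|remote-id) (\S+) (\S+)\s*$", text, re.M):
        ids.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    return ids


def parse_seil_proxy_ids(line: str) -> dict:
    """Extract proxy-id-local / proxy-id-remote from a SEIL security-association line."""
    m = re.match(r"ipsec security-association add (\S+) (.*)$", line.strip())
    if not m:
        raise ValueError("not an 'ipsec security-association add' line")
    out = {"name": m.group(1), "proxy-id-local": None, "proxy-id-remote": None}
    for key in ("proxy-id-local", "proxy-id-remote"):
        found = re.search(rf"\b{key} (\S+)", m.group(2))
        if found:
            out[key] = found.group(1)
    return out


def check_pair(seil_sa: dict, ix_policy: dict) -> list:
    """Return the problems found; an empty list means the IDs mirror each other."""
    if seil_sa["proxy-id-local"] is None or seil_sa["proxy-id-remote"] is None:
        return ["SEIL SA has no proxy-id-local/proxy-id-remote; it will send its default Phase-2 ID"]
    problems = []
    if seil_sa["proxy-id-local"] != ix_policy.get("remote-id"):
        problems.append(f"SEIL proxy-id-local {seil_sa['proxy-id-local']} != IX remote-id {ix_policy.get('remote-id')}")
    if seil_sa["proxy-id-remote"] != ix_policy.get("local-id"):
        problems.append(f"SEIL proxy-id-remote {seil_sa['proxy-id-remote']} != IX local-id {ix_policy.get('local-id')}")
    return problems


def seil_options_for(ix_policy: dict) -> str:
    """Derive the SEIL options that mirror an IX policy (local and remote swapped)."""
    return f"proxy-id-local {ix_policy['remote-id']} proxy-id-remote {ix_policy['local-id']}"


if __name__ == "__main__":
    ix = parse_ix_ids(IX_CONFIG)["ipsec-policy"]
    print(check_pair(parse_seil_proxy_ids(SEIL_SA_LINE_OLD), ix))  # default ID: one problem
    print(check_pair(parse_seil_proxy_ids(SEIL_SA_LINE), ix))      # []
    print(seil_options_for(ix))
```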

Log when connecting

SEIL side

 90 Jan  5 07:37:54    info    ike racoon: send INITIAL-CONTACT notification to172.16.0.2[500]
 91 Jan  5 07:37:54    info    ike racoon: ISAKMP-SA established 172.16.0.1[500]-172.16.0.2[500] spi:d628859f7391f9d5:0dd2a11d65cb1027
 92 Jan  5 07:37:55    info    ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:d628859f7391f9d5:0dd2a11d65cb1027
 93 Jan  5 07:37:55    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.2->172.16.0.1 spi=244160156(0xe8d969c)
 94 Jan  5 07:37:55    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.1->172.16.0.2 spi=2934033157(0xaee1cb05)
 95 Jan  5 07:37:56    info system Security Association Database Initialized.
 96 Jan  5 07:37:56    info    ike racoon: send IPsec-SA delete information to 172.16.0.2[500]
 97 Jan  5 07:37:56    info system Security Policy Database Initialized.
 98 Jan  5 07:37:57    info    ike racoon: initiate new phase 2 negotiation: 172.16.0.1<=>172.16.0.2 spi:d628859f7391f9d5:0dd2a11d65cb1027
 99 Jan  5 07:37:57    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.2->172.16.0.1 spi=267961179(0xff8c35b)
100 Jan  5 07:37:57    info    ike racoon: IPsec-SA established: ESP/Transport 172.16.0.1->172.16.0.2 spi=3738209920(0xded08e80)

No INVALID-ID-INFORMATION log appears. The IPsec-SA delete and the second Phase-2 negotiation at 07:37:56-57 follow the "Security Association Database Initialized" message; that second negotiation also completes and establishes a fresh pair of ESP/Transport SAs.

IX side

 IKE.009: Receive notification data from 172.16.0.1, type 24578:INITIAL-CONTACT, protocol ISAKMP
 IKE.006: Receive packet from 172.16.0.1, length 156
 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1
 IKE.045: Receive payload, type 8:HASH, length 24
 IKE.045: Receive payload, type 1:SA, length 52
 IKE.045: Receive payload, type 10:NONCE, length 20
 IKE.045: Receive payload, type 5:ID, length 12
 IKE.045: Receive payload, type 5:ID, length 12
 IKE.005: Send packet to 172.16.0.1, length 156
 IKE.006: Receive packet from 172.16.0.1, length 60
 IKE.045: Receive payload, type 8:HASH, length 24
 IKE.002: Finish IKE phase 2 negotiation, destination 172.16.0.1
 IKE.006: Receive packet from 172.16.0.1, length 76
 IKE.014: Receive delete information, protocol ESP, SPI 0xe8d969c
 IKE.012: Send delete information, protocol ESP, SPI 0xaee1cb05
 IKE.005: Send packet to 172.16.0.1, length 76
 IKE.006: Receive packet from 172.16.0.1, length 156
 IKE.001: Begin IKE phase 2 negotiation, destination 172.16.0.1
 IKE.045: Receive payload, type 8:HASH, length 24
 IKE.045: Receive payload, type 1:SA, length 52
 IKE.045: Receive payload, type 10:NONCE, length 20
 IKE.045: Receive payload, type 5:ID, length 12
 IKE.045: Receive payload, type 5:ID, length 12
 IKE.005: Send packet to 172.16.0.1, length 156
 IKE.006: Receive packet from 172.16.0.1, length 60
 IKE.045: Receive payload, type 8:HASH, length 24
 IKE.002: Finish IKE phase 2 negotiation, destination 172.16.0.1

No INVALID-ID-INFORMATION log appears here either, and the connection is established. Note that the received ID payloads are now 12 bytes long instead of 16: an ISAKMP ID payload is an 8-byte header followed by the ID data, so 12 bytes is a single IPv4 address, whereas the earlier 16-byte payloads carried an address plus a mask or range.

When connecting SEIL to equipment that already forms an existing VPN, configuration can now be done more flexibly. Please make use of this feature.