## CentreCOM AR260S V2 Configuration Examples 3.3.3
## 11 Redundant IPsec centre-router configuration over PPPoE (using RIP)
## Configuration for Router A (AR550S)
##
## Lines beginning with a single "#" are commands that have no effect unless
## they are typed at the console. Lines beginning with "##" are commentary.

## --- Accounts ---
## Creates user "secoff" with priv=sec. The password shown is identical to the
## user name: it is a sample value, to be replaced with a unique strong
## password on any deployed device.
add user=secoff password=secoff priv=sec

## --- WAN: PPP interface 0 over eth0 (PPPoE, per the example title) ---
## user=/password= are the sample ISP credentials of this example.
## lqr and bap are off; echo=on (presumably LCP echo keepalive; confirm).
cre ppp=0 over=eth0-any
set ppp=0 over=eth0-any user=user1@example password=password lqr=off bap=off echo=on

## --- IP addressing, default route, DNS relay ---
## vlan1 = 192.168.9.2/24, ppp0 = 10.10.10.2/32; the default route points out ppp0.
ena ip
add ip int=vlan1 ip=192.168.9.2 mask=255.255.255.0
add ip int=ppp0 ip=10.10.10.2 mask=255.255.255.255
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
add ip dns int=ppp0
ena ip dnsrelay

## --- Firewall policy "net" ---
## vlan1 is the private side and ppp0 the public side; enhanced NAT is applied
## to vlan1 with ppp0 as the global interface. ICMP forwarding is enabled for
## the unreach and ping types, and the ident proxy is disabled.
ena fire
cre fire poli=net
ena fire poli=net icmp_f=unreach,ping
dis fire poli=net identproxy
add fire poli=net int=vlan1 type=private
add fire poli=net int=ppp0 type=public
add fire poli=net nat=enhanced int=vlan1 gblint=ppp0
## Rule 1 admits UDP port 500 (IKE) arriving on ppp0 for 10.10.10.2.
## NOTE(review): no remoteip= is given, so IKE is reachable from any source
## address; this matches peer=any in the ISAKMP policies below.
add fire poli=net ru=1 ac=allow int=ppp0 prot=udp po=500 gblpo=500 ip=10.10.10.2 gblip=10.10.10.2
## Rules 2-4: ac=nonat on ppp0 for IPsec-encapsulated traffic (encap=ipsec) in
## the listed ranges. Exact ip= semantics on a public interface: confirm
## against the firewall command reference.
add fire poli=net ru=2 ac=nonat int=ppp0 prot=all ip=192.168.9.1-192.168.10.254 encap=ipsec
add fire poli=net ru=3 ac=nonat int=ppp0 prot=all ip=192.168.20.1-192.168.20.254 encap=ipsec
add fire poli=net ru=4 ac=nonat int=ppp0 prot=all ip=192.168.30.1-192.168.30.254 encap=ipsec
## Rules 5-6: ac=nonat on vlan1 for 192.168.9.1-192.168.10.254 towards the two
## remote ranges (presumably so the packets still match the IPsec selectors
## below; confirm).
add fire poli=net ru=5 ac=nonat int=vlan1 prot=all ip=192.168.9.1-192.168.10.254
set fire poli=net ru=5 remoteip=192.168.20.1-192.168.20.254
add fire poli=net ru=6 ac=nonat int=vlan1 prot=all ip=192.168.9.1-192.168.10.254
set fire poli=net ru=6 remoteip=192.168.30.1-192.168.30.254

## --- Route templates referenced by the IPsec policies (iproute=) ---
## route-c has metric 1 and route-d metric 10, both via ppp0.
add ip route template=route-c int=ppp0 next=0.0.0.0 metric1=1
add ip route template=route-d int=ppp0 next=0.0.0.0 metric1=10

## --- Pre-shared keys (console-only commands) ---
## Keys 1 and 2 are referenced by key=1 / key=2 in the ISAKMP policies.
## "secret-ac" and "secret-ad" are sample values; deployed keys should be long,
## random and different for each peer.
# create enco key=1 type=gene value="secret-ac"
# create enco key=2 type=gene value="secret-ad"

## --- ISAKMP (IKE phase 1) policies, one per remote peer ---
## peer=any accepts an initiator from any address, so peer authentication
## rests on the pre-shared key and remoteid alone.
## NOTE(review): mode=aggressive with a pre-shared key exposes a hash derived
## from the key to anyone who can reach UDP 500, which makes weak keys open to
## offline guessing. 3DES, hash=sha (presumably SHA-1) and group=2 (1024-bit
## MODP) are legacy choices; use stronger settings where both ends support them.
## heartbeat=both presumably lets each end detect a dead peer (confirm).
cre isakmp poli="ike_ac" peer=any key=1 mode=aggressive sendn=true encalg=3desouter hash=sha group=2
set isakmp poli="ike_ac" remoteid=vpn_ac expirys=3600
set isakmp poli="ike_ac" heartbeat=both
cre isakmp poli="ike_ad" peer=any key=2 mode=aggressive sendn=true encalg=3desouter hash=sha group=2
set isakmp poli="ike_ad" remoteid=vpn_ad expirys=3600
set isakmp poli="ike_ad" heartbeat=both

## --- IPsec SA specification and bundle ---
## ESP with 3DES and SHA, keyed by ISAKMP; bundle 1 uses SA spec 1 with a
## 3600-second expiry.
cre ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
cre ipsec bundle=1 key=isakmp string=1 expirys=3600

## --- IPsec policies on ppp0 ---
## "isa" passes UDP 500<->500 (IKE) without IPsec processing.
## NOTE(review): policy order appears to matter here; keep "isa" first and
## "inet" last (confirm against the IPsec reference).
cre ipsec poli="isa" int=ppp0 ac=permit lport=500 rport=500 transport=udp
## "vpn_ac": local 192.168.0.0/16 <-> remote 192.168.20.0/24, dynamic peer,
## route template route-c.
cre ipsec poli="vpn_ac" int=ppp0 ac=ipsec keyman=isakmp bundle=1 peer=dynamic iproute=route-c
set ipsec poli="vpn_ac" lad=192.168.0.0 lma=255.255.0.0 rad=192.168.20.0 rma=255.255.255.0
## "vpn_ad": local 192.168.0.0/16 <-> remote 192.168.30.0/24, dynamic peer,
## route template route-d.
cre ipsec poli="vpn_ad" int=ppp0 ac=ipsec keyman=isakmp bundle=1 peer=dynamic iproute=route-d
set ipsec poli="vpn_ad" lad=192.168.0.0 lma=255.255.0.0 rad=192.168.30.0 rma=255.255.255.0
## "inet" permits every other packet on ppp0 without IPsec, so the firewall
## policy above is the only control on that traffic.
cre ipsec poli="inet" int=ppp0 ac=permit
ena ipsec
ena isakmp

## --- RIP on the LAN side ---
## RIP runs on vlan1 and exports static routes. Filter 1 excludes a received
## default route (0.0.0.0/0); filter 2 includes everything else.
## NOTE(review): no RIP authentication appears on this line, so apart from the
## default route, any RIP update received on vlan1 is accepted.
add ip rip int=vlan1 staticexport=yes
add ip route filter=1 ip=0.0.0.0 mask=0.0.0.0 action=exclude direction=receive
add ip route filter=2 ip=*.*.*.* mask=*.*.*.* action=include

## --- Console-only final steps ---
## Log in as secoff, then enable system security mode.
## NOTE(review): security mode is presumably what keeps the enco keys across a
## restart; confirm in the device manual.
# login secoff
# enable system security_mode