## CentreCOM AR260S V2 Configuration Examples 3.3.3
## 11 Redundant IPsec center-device configuration over PPPoE (using RIP)
## Config for router B (AR550S)
##
## Lines beginning with "#" are commands that only take effect when they are
## entered from the console.
## Lines beginning with "##" are explanatory comments.

## Local account with priv=sec. The password equals the user name, so treat it
## as a sample value and replace it with a unique strong password before this
## config is loaded on a reachable device.
add user=secoff password=secoff priv=sec

## WAN side: ppp0 runs over eth0 (PPPoE per the title above). The user/password
## pair is the sample ISP credential of this example set.
cre ppp=0 over=eth0-any
set ppp=0 over=eth0-any user=user2@example password=password lqr=off bap=off echo=on

## IP addressing: vlan1 is the LAN side, ppp0 has a fixed /32 address.
ena ip
add ip int=vlan1 ip=192.168.9.3 mask=255.255.255.0
add ip int=ppp0 ip=10.10.10.3 mask=255.255.255.255
## Static default route out of ppp0 with metric 2.
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0 metric=2
add ip dns int=ppp0
ena ip dnsrelay

## Firewall policy "net": vlan1 is the private side, ppp0 the public side,
## with enhanced NAT from vlan1 out of ppp0.
ena fire
cre fire poli=net
## icmp_f presumably stands for ICMP forwarding of the listed types - confirm
## against the command reference.
ena fire poli=net icmp_f=unreach,ping
dis fire poli=net identproxy
add fire poli=net int=vlan1 type=private
add fire poli=net int=ppp0 type=public
add fire poli=net nat=enhanced int=vlan1 gblint=ppp0
## Rule 1: allow UDP port 500 (ISAKMP) arriving on ppp0 for 10.10.10.3, the
## address assigned to ppp0 above.
add fire poli=net ru=1 ac=allow int=ppp0 prot=udp po=500 gblpo=500 ip=10.10.10.3 gblip=10.10.10.3
## Rules 2-4: action nonat on ppp0 for traffic marked encap=ipsec, one rule per
## address range.
add fire poli=net ru=2 ac=nonat int=ppp0 prot=all ip=192.168.9.1-192.168.10.254 encap=ipsec
add fire poli=net ru=3 ac=nonat int=ppp0 prot=all ip=192.168.20.1-192.168.20.254 encap=ipsec
add fire poli=net ru=4 ac=nonat int=ppp0 prot=all ip=192.168.30.1-192.168.30.254 encap=ipsec
## Rules 5-6: action nonat on vlan1 for 192.168.9.1-192.168.10.254 when the
## remote side is 192.168.20.x (rule 5) or 192.168.30.x (rule 6), i.e. the
## remote ranges of the two IPsec policies defined further down.
add fire poli=net ru=5 ac=nonat int=vlan1 prot=all ip=192.168.9.1-192.168.10.254
set fire poli=net ru=5 remoteip=192.168.20.1-192.168.20.254
add fire poli=net ru=6 ac=nonat int=vlan1 prot=all ip=192.168.9.1-192.168.10.254
set fire poli=net ru=6 remoteip=192.168.30.1-192.168.30.254

## Route templates referenced by iproute= in the vpn_bc / vpn_bd policies below.
## The two templates differ only in metric1 (10 versus 1).
## NOTE(review): presumably a route is created from the template when the
## matching tunnel comes up - confirm against the command reference.
add ip route template=route-c int=ppp0 next=0.0.0.0 metric1=10
add ip route template=route-d int=ppp0 next=0.0.0.0 metric1=1

## Console-only: the two general-purpose keys used as ISAKMP pre-shared keys
## (key=1 / key=2 below). The values shown are sample strings; use long random
## values that are unique per peer.
# create enco key=1 type=gene value="secret-bc"
# create enco key=2 type=gene value="secret-bd"

## ISAKMP policies, one per remote site. Both accept peer=any in aggressive
## mode and tell the peers apart by remoteid.
## NOTE(review): aggressive mode with a pre-shared key and peer=any lets any
## source address start an exchange, and the strength of the setup then rests
## on the key itself. 3DES, hash=sha (presumably SHA-1) and group=2 (1024-bit
## MODP) are legacy choices; prefer stronger algorithms and groups if every
## device in the example supports them - confirm per platform.
cre isakmp poli="ike_bc" peer=any key=1 mode=aggressive sendn=true encalg=3desouter hash=sha group=2
set isakmp poli="ike_bc" remoteid=vpn_bc expirys=3600
set isakmp poli="ike_bc" heartbeat=both
cre isakmp poli="ike_bd" peer=any key=2 mode=aggressive sendn=true encalg=3desouter hash=sha group=2
set isakmp poli="ike_bd" remoteid=vpn_bd expirys=3600
set isakmp poli="ike_bd" heartbeat=both

## IPsec SA specification 1 (ESP, 3DES, SHA) and bundle 1 built from it, with a
## 3600-second expiry.
cre ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
cre ipsec bundle=1 key=isakmp string=1 expirys=3600

## IPsec policies on ppp0.
## NOTE(review): creation order is presumably the match order - confirm before
## reordering.
## "isa": permit UDP 500 <-> 500 without IPsec processing.
cre ipsec poli="isa" int=ppp0 ac=permit lport=500 rport=500 transport=udp
## "vpn_bc": protect local 192.168.0.0/255.255.0.0 <-> remote
## 192.168.20.0/255.255.255.0 with bundle 1, dynamic peer, template route-c.
cre ipsec poli="vpn_bc" int=ppp0 ac=ipsec keyman=isakmp bundle=1 peer=dynamic iproute=route-c
set ipsec poli="vpn_bc" lad=192.168.0.0 lma=255.255.0.0 rad=192.168.20.0 rma=255.255.255.0
## "vpn_bd": same as vpn_bc, for remote 192.168.30.0/255.255.255.0 and
## template route-d.
cre ipsec poli="vpn_bd" int=ppp0 ac=ipsec keyman=isakmp bundle=1 peer=dynamic iproute=route-d
set ipsec poli="vpn_bd" lad=192.168.0.0 lma=255.255.0.0 rad=192.168.30.0 rma=255.255.255.0
## "inet": permit on ppp0 with no selectors, so traffic that matched none of the
## policies above leaves unencrypted.
cre ipsec poli="inet" int=ppp0 ac=permit
ena ipsec
ena isakmp

## RIP on the LAN interface; staticexport=yes presumably advertises static
## routes through RIP - confirm.
## NOTE(review): no RIP authentication appears on this line; check that every
## device on vlan1 is trusted to announce routes.
add ip rip int=vlan1 staticexport=yes
## Route filters: filter 1 excludes the default route (0.0.0.0/0.0.0.0) in the
## receive direction, filter 2 includes everything else.
add ip route filter=1 ip=0.0.0.0 mask=0.0.0.0 action=exclude direction=receive
add ip route filter=2 ip=*.*.*.* mask=*.*.*.* action=include

## Console-only: log in as the priv=sec user created at the top, then enable
## security mode.
# login secoff
# enable system security_mode