## CentreCOM AR550S 設定例集 2.9 ## 191 PPPoE接続環境における2点間IPsec VPN(ARルーター側アドレス不定、SRX210対向) ## ルーターB(SRX210)のコンフィグ rout@% cli root> configure root# delete root# set system root-authentication plain-text-password New password: PasswordS Retype new password: PasswordS root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24 root# set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether root# set interfaces pp0 unit 0 ppp-options chap local-name user1@example default-chap-secret password passive root# set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0 auto-reconnect 10 client root# set interfaces pp0 unit 0 family inet negotiate-address root# set routing-options static route 0.0.0.0/0 next-hop pp0.0 root# set security zones security-zone trust interfaces ge-0/0/1.0 root# set security zones security-zone untrust interfaces pp0.0 root# set security zones security-zone trust host-inbound-traffic system-services all root# set security zones security-zone untrust host-inbound-traffic system-services ping root# set security zones security-zone untrust host-inbound-traffic system-services ike root# edit security nat source rule-set TrustToUntrust root# set from zone trust root# set to zone untrust root# set rule match1 match source-address 0.0.0.0/0 root# set rule match1 then source-nat interface root# top root# set security zones security-zone trust address-book address net10 192.168.10.0/24 root# set security zones security-zone trust address-book address net20 192.168.20.0/24 root# set interfaces st0 unit 0 family inet root# set security zones security-zone trust interfaces st0.0 root# set security ike respond-bad-spi 5 root# set security ike proposal ar-p1 authentication-method pre-shared-keys root# set security ike proposal ar-p1 dh-group group2 root# set security ike proposal ar-p1 encryption-algorithm 3des-cbc root# set security ike proposal ar-p1 authentication-algorithm sha1 root# set security ike proposal ar-p1 lifetime-seconds 3600 root# set security ipsec proposal ar-p2 protocol esp root# set security ipsec proposal ar-p2 encryption-algorithm 3des-cbc root# set security ipsec proposal ar-p2 authentication-algorithm hmac-sha1-96 root# set security ipsec proposal ar-p2 lifetime-seconds 3600 root# set security ike policy p1-policy mode aggressive root# set security ike policy p1-policy proposals ar-p1 root# set security ike policy p1-policy pre-shared-key ascii-text secret root# set security ipsec policy p2-policy proposals ar-p2 root# set security ike gateway ar-gw ike-policy p1-policy root# set security ike gateway ar-gw dynamic hostname client root# set security ike gateway ar-gw external-interface pp0.0 root# set security ike gateway ar-gw dead-peer-detection always-send interval 20 threshold 5 root# set security ipsec vpn ar-vpn ike gateway ar-gw root# set security ipsec vpn ar-vpn ike ipsec-policy p2-policy root# set security ipsec vpn ar-vpn establish-tunnels immediately root# set security ipsec vpn ar-vpn bind-interface st0.0 root# set security ipsec vpn ar-vpn ike proxy-identity local 192.168.10.0/24 root# set security ipsec vpn ar-vpn ike proxy-identity remote 192.168.20.0/24 root# set security ipsec vpn ar-vpn ike proxy-identity service any root# edit security policies from-zone trust to-zone trust policy vpn-policy root# set match source-address net10 root# set match destination-address net20 root# set match application any root# set then permit root# top root# edit security policies from-zone trust to-zone trust policy vpn-policy-re root# set match source-address net20 root# set match destination-address net10 root# set match application any root# set then permit root# top root# set routing-options static route 192.168.20.0/24 next-hop st0.0 root# commit