CentreCOM ARX640S Configuration Examples 5.1.5 #13
In a CUG (Closed User Group) service such as FLET'S VPN Wide, FLET'S Group Access (NTT East) or FLET'S Group (NTT West), IPsec VPNs are established between three sites in a hub-and-spoke topology. The center (head office) router uses two PPPoE sessions: one to the CUG and the other to the Internet (ISP). In this example only the head office and each branch office are connected directly; traffic between the two branch offices passes through the head office.
ISP (Internet) connection settings (Router A only)

| Item | Setting |
|---|---|
| PPP username | user@isp |
| PPP password | isppasswd |
| PPPoE service name | not specified |
| IP address | one global address (dynamically assigned) |
| Connection type | terminal type (single, non-fixed address) |

CUG connection settings

| Item | Router A | Router B | Router C |
|---|---|---|---|
| PPP username | userA | userB | userC |
| PPP password | passwdA | passwdB | passwdC |
| Usable IP address | 10.1.1.1/32 (terminal type) | 10.1.1.2/32 (terminal type) | 10.1.1.3/32 (terminal type) |

Router settings

| Item | Router A | Router B | Router C |
|---|---|---|---|
| WAN physical interface | gigabitEthernet 0 | gigabitEthernet 0 | gigabitEthernet 0 |
| WAN (gigabitEthernet 0.1) IP address | 10.1.1.1/32 | 10.1.1.2/32 | 10.1.1.3/32 |
| WAN (gigabitEthernet 0.2) IP address | dynamically assigned | - | - |
| LAN (vlan 1) IP address | 192.168.10.1/24 | 192.168.20.1/24 | 192.168.30.1/24 |
| VPN connection settings | | | |
| Local secure group | 0.0.0.0/0 | 192.168.20.0/24 | 192.168.30.0/24 |
| Remote secure group | 192.168.20.0/24, 192.168.30.0/24 | 0.0.0.0/0 | 0.0.0.0/0 |
| Tunnel endpoint address | 10.1.1.2, 10.1.1.3 | 10.1.1.1 | 10.1.1.1 |
| IKE settings | | | |
| Exchange mode | Main mode | Main mode | Main mode |
| Authentication method | pre-shared key | pre-shared key | pre-shared key |
| Pre-shared key | secret-ab (string), secret-ac (string) | secret-ab (string) | secret-ac (string) |
| Local ID / Remote ID | - | - | - |
| Encryption/authentication algorithms | 3DES & SHA1, DH group 2 | 3DES & SHA1, DH group 2 | 3DES & SHA1, DH group 2 |
| Lifetime | 21600 seconds (6 hours) (default) | 21600 seconds (6 hours) (default) | 21600 seconds (6 hours) (default) |
| DPD liveness detection | enabled | enabled | enabled |
| ISAKMP negotiation at startup | enabled | enabled | enabled |
| IPsec settings | | | |
| SA mode | tunnel mode | tunnel mode | tunnel mode |
| Security protocol | ESP | ESP | ESP |
| Encryption/authentication algorithms | 3DES & SHA1 | 3DES & SHA1 | 3DES & SHA1 |
| PFS group | none | none | none |
| Lifetime | 3600 seconds (1 hour) (default) | 3600 seconds (1 hour) (default) | 3600 seconds (1 hour) (default) |
Router A settings

ppp profile pppoe0
 my-username userA password passwdA

ppp profile pppoe1
 my-username user@isp password isppasswd

interface gigabitEthernet 0
 no shutdown

interface gigabitEthernet 0.1
 ip address 10.1.1.1/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0

interface gigabitEthernet 0.2
 ip address ipcp
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe1
 ip napt inside any
 ip ids in protect

interface vlan 1
 ip address 192.168.10.1/24

ip address-up-always

ip route default gigabitEthernet 0.2

ip route 10.1.1.0/29 gigabitEthernet 0.1

access-list ip extended pppoe1-in
access-list ip extended pppoe1-out
 dynamic permit ip any any
interface gigabitEthernet 0.2
 ip traffic-filter pppoe1-in in
 ip traffic-filter pppoe1-out out

isakmp proposal isakmp encryption 3des hash sha1 group 2

isakmp policy i_B
 peer 10.1.1.2
 auth preshared key secret-ab
 proposal isakmp
 keepalive enable

isakmp policy i_C
 peer 10.1.1.3
 auth preshared key secret-ac
 proposal isakmp
 keepalive enable

access-list ip extended ipsec
 permit ip any any
ipsec proposal ipsec esp encryption 3des hash sha1

ipsec policy vpn_B
 peer 10.1.1.2
 access-list ipsec
 local-id 0.0.0.0/0
 remote-id 192.168.20.0/24
 proposal ipsec
 always-up-sa

ipsec policy vpn_C
 peer 10.1.1.3
 access-list ipsec
 local-id 0.0.0.0/0
 remote-id 192.168.30.0/24
 proposal ipsec
 always-up-sa

interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_B

interface tunnel 1
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_C

ip route 192.168.20.0/24 tunnel 0
ip route 192.168.20.0/24 Null 254

ip route 192.168.30.0/24 tunnel 1
ip route 192.168.30.0/24 Null 254

copy running-config startup-config
Router B settings

ppp profile pppoe0
 my-username userB password passwdB

interface gigabitEthernet 0
 no shutdown

interface gigabitEthernet 0.1
 ip address 10.1.1.2/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0

interface vlan 1
 ip address 192.168.20.1/24

ip address-up-always

ip route 10.1.1.0/29 gigabitEthernet 0.1

isakmp proposal isakmp encryption 3des hash sha1 group 2
isakmp policy i_A
 peer 10.1.1.1
 auth preshared key secret-ab
 proposal isakmp
 keepalive enable

access-list ip extended ipsec
 permit ip any any
ipsec proposal ipsec esp encryption 3des hash sha1
ipsec policy vpn_A
 peer 10.1.1.1
 access-list ipsec
 local-id 192.168.20.0/24
 remote-id 0.0.0.0/0
 proposal ipsec
 always-up-sa

interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_A

ip route default tunnel 0

copy running-config startup-config
Router C settings

ppp profile pppoe0
 my-username userC password passwdC

interface gigabitEthernet 0
 no shutdown

interface gigabitEthernet 0.1
 ip address 10.1.1.3/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0

interface vlan 1
 ip address 192.168.30.1/24

ip address-up-always

ip route 10.1.1.0/29 gigabitEthernet 0.1

isakmp proposal isakmp encryption 3des hash sha1 group 2
isakmp policy i_A
 peer 10.1.1.1
 auth preshared key secret-ac
 proposal isakmp
 keepalive enable

access-list ip extended ipsec
 permit ip any any
ipsec proposal ipsec esp encryption 3des hash sha1
ipsec policy vpn_A
 peer 10.1.1.1
 access-list ipsec
 local-id 192.168.30.0/24
 remote-id 0.0.0.0/0
 proposal ipsec
 always-up-sa

interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_A

ip route default tunnel 0

copy running-config startup-config
Summary

Router A configuration
!
service password-encryption
!
clock timezone JST 9
!
!
ip address-up-always
ppp profile pppoe0
 my-username userA password 8 e$Ih7p7xgv6c0kA
ppp profile pppoe1
 my-username user@isp password 8 e$QNKMe2ohmPDFnghyVppETegAA
!
interface gigabitEthernet 0
 no shutdown
!
interface gigabitEthernet 0.1
 ip address 10.1.1.1/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0
!
interface gigabitEthernet 0.2
 ip address ipcp
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe1
 ip napt inside any
 ip traffic-filter pppoe1-in in
 ip traffic-filter pppoe1-out out
 ip ids in protect
!
interface gigabitEthernet 1
 shutdown
!
interface gigabitEthernet 2
 no shutdown
!
interface gigabitEthernet 3
 no shutdown
!
interface gigabitEthernet 4
 no shutdown
!
interface gigabitEthernet 5
 no shutdown
!
interface loop 0
 shutdown
!
interface loop 1
 shutdown
!
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_B
!
interface tunnel 1
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_C
!
interface vlan 1
 ip address 192.168.10.1/24
 no shutdown
!
ip route default gigabitEthernet 0.2
ip route 10.1.1.0/29 gigabitEthernet 0.1
ip route 192.168.20.0/24 tunnel 0
ip route 192.168.20.0/24 Null 254
ip route 192.168.30.0/24 tunnel 1
ip route 192.168.30.0/24 Null 254
!
access-list ip extended ipsec
 permit ip any any
access-list ip extended pppoe1-in
access-list ip extended pppoe1-out
 dynamic permit ip any any
!
isakmp proposal isakmp encryption 3des hash sha1 group 2
!
isakmp policy i_B
 peer 10.1.1.2
 auth preshared key 8 e$Q8dQupIM3xK8bcuoRYavULQAA
 proposal isakmp
 keepalive enable
!
isakmp policy i_C
 peer 10.1.1.3
 auth preshared key 8 e$Q8dQupIM3xK/jvCLYInwJRAAA
 proposal isakmp
 keepalive enable
!
ipsec proposal ipsec esp encryption 3des hash sha1
!
ipsec policy vpn_B
 peer 10.1.1.2
 access-list ipsec
 local-id 0.0.0.0/0
 remote-id 192.168.20.0/24
 proposal ipsec
 always-up-sa
!
ipsec policy vpn_C
 peer 10.1.1.3
 access-list ipsec
 local-id 0.0.0.0/0
 remote-id 192.168.30.0/24
 proposal ipsec
 always-up-sa
!
!
!
!
end
Router B configuration
!
service password-encryption
!
clock timezone JST 9
!
!
ip address-up-always
ppp profile pppoe0
 my-username userB password 8 e$I6rT3jJQw6oIA
!
interface gigabitEthernet 0
 no shutdown
!
interface gigabitEthernet 0.1
 ip address 10.1.1.2/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0
!
interface gigabitEthernet 1
 shutdown
!
interface gigabitEthernet 2
 no shutdown
!
interface gigabitEthernet 3
 no shutdown
!
interface gigabitEthernet 4
 no shutdown
!
interface gigabitEthernet 5
 no shutdown
!
interface loop 0
 shutdown
!
interface loop 1
 shutdown
!
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_A
!
interface vlan 1
 ip address 192.168.20.1/24
 no shutdown
!
ip route default tunnel 0
ip route 10.1.1.0/29 gigabitEthernet 0.1
!
access-list ip extended ipsec
 permit ip any any
!
isakmp proposal isakmp encryption 3des hash sha1 group 2
!
isakmp policy i_A
 peer 10.1.1.1
 auth preshared key 8 e$Q8dQupIM3xK8bcuoRYavULQAA
 proposal isakmp
 keepalive enable
!
ipsec proposal ipsec esp encryption 3des hash sha1
!
ipsec policy vpn_A
 peer 10.1.1.1
 access-list ipsec
 local-id 192.168.20.0/24
 remote-id 0.0.0.0/0
 proposal ipsec
 always-up-sa
!
!
!
!
end
Router C configuration
!
service password-encryption
!
clock timezone JST 9
!
!
ip address-up-always
ppp profile pppoe0
 my-username userC password 8 e$Ilf24hTCHeMQA
!
interface gigabitEthernet 0
 no shutdown
!
interface gigabitEthernet 0.1
 ip address 10.1.1.3/32
 ip tcp mss auto
 no shutdown
 pppoe enable
 ppp bind-profile pppoe0
!
interface gigabitEthernet 1
 shutdown
!
interface gigabitEthernet 2
 no shutdown
!
interface gigabitEthernet 3
 no shutdown
!
interface gigabitEthernet 4
 no shutdown
!
interface gigabitEthernet 5
 no shutdown
!
interface loop 0
 shutdown
!
interface loop 1
 shutdown
!
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy vpn_A
!
interface vlan 1
 ip address 192.168.30.1/24
 no shutdown
!
ip route default tunnel 0
ip route 10.1.1.0/29 gigabitEthernet 0.1
!
access-list ip extended ipsec
 permit ip any any
!
isakmp proposal isakmp encryption 3des hash sha1 group 2
!
isakmp policy i_A
 peer 10.1.1.1
 auth preshared key 8 e$Q8dQupIM3xK/jvCLYInwJRAAA
 proposal isakmp
 keepalive enable
!
ipsec proposal ipsec esp encryption 3des hash sha1
!
ipsec policy vpn_A
 peer 10.1.1.1
 access-list ipsec
 local-id 192.168.30.0/24
 remote-id 0.0.0.0/0
 proposal ipsec
 always-up-sa
!
!
!
!
end
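The following Python script is an added example; it is not part of the Allied Telesis document and has nothing to do with the ARX640S firmware. It loads a constructed copy of the VPN-relevant lines from the three step-by-step configurations above (written with the page's own "↓" line separator) and cross-checks the properties the hub-and-spoke design depends on: each hub/spoke pair uses one pre-shared key, the local-id/remote-id selectors of the hub's ipsec policy mirror those of the spoke's, every ipsec policy is bound to a tunnel interface, and every branch prefix the hub routes into a tunnel also has a Null 254 backup route. The parser, the Router class and all function names are this example's own, and the list of algorithms it reports as legacy is an assumption about what a reviewer would want flagged.

```python
"""Added example (not from the Allied Telesis document): cross-checks the page's
three configs, copied below with the page's "↓" separator, for the properties
the hub-and-spoke tunnels rely on."""
import re
from dataclasses import dataclass, field

# Constructed samples: the VPN-relevant lines of the page's "Router A/B/C settings" steps.
ROUTER_A = """\
isakmp proposal isakmp encryption 3des hash sha1 group 2
isakmp policy i_B ↓ peer 10.1.1.2 ↓ auth preshared key secret-ab ↓ proposal isakmp ↓ keepalive enable
isakmp policy i_C ↓ peer 10.1.1.3 ↓ auth preshared key secret-ac ↓ proposal isakmp ↓ keepalive enable
ipsec proposal ipsec esp encryption 3des hash sha1
ipsec policy vpn_B ↓ peer 10.1.1.2 ↓ access-list ipsec ↓ local-id 0.0.0.0/0 ↓ remote-id 192.168.20.0/24 ↓ proposal ipsec ↓ always-up-sa
ipsec policy vpn_C ↓ peer 10.1.1.3 ↓ access-list ipsec ↓ local-id 0.0.0.0/0 ↓ remote-id 192.168.30.0/24 ↓ proposal ipsec ↓ always-up-sa
interface tunnel 0 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn_B
interface tunnel 1 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn_C
ip route default gigabitEthernet 0.2 ↓ ip route 192.168.20.0/24 tunnel 0 ↓ ip route 192.168.20.0/24 Null 254
ip route 192.168.30.0/24 tunnel 1 ↓ ip route 192.168.30.0/24 Null 254
"""
ROUTER_B = """\
isakmp proposal isakmp encryption 3des hash sha1 group 2 ↓ isakmp policy i_A ↓ peer 10.1.1.1 ↓ auth preshared key secret-ab ↓ proposal isakmp ↓ keepalive enable
ipsec proposal ipsec esp encryption 3des hash sha1 ↓ ipsec policy vpn_A ↓ peer 10.1.1.1 ↓ access-list ipsec ↓ local-id 192.168.20.0/24 ↓ remote-id 0.0.0.0/0 ↓ proposal ipsec ↓ always-up-sa
interface tunnel 0 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn_A
ip route default tunnel 0
"""
# Router C differs from Router B only in its LAN prefix and its pre-shared key.
ROUTER_C = ROUTER_B.replace("192.168.20.0/24", "192.168.30.0/24").replace("secret-ab", "secret-ac")

RESET = {"interface", "ppp", "isakmp", "ipsec", "end", "copy"}  # commands that open a new top-level block
LEGACY = ("des", "3des", "md5", "sha1", "group 1", "group 2")   # assumed review list, not a page setting

@dataclass
class Router:
    name: str
    wan_ip: str                                    # CUG-side address, i.e. the tunnel endpoint
    isakmp: dict = field(default_factory=dict)     # policy name -> {name, peer, key}
    ipsec: dict = field(default_factory=dict)      # policy name -> {name, peer, local, remote}
    tunnels: dict = field(default_factory=dict)    # "tunnel N" -> {policy}
    proposals: list = field(default_factory=list)  # algorithm keywords of each proposal
    routes: list = field(default_factory=list)     # (prefix, next-hop keywords)

def parse_config(name, wan_ip, text):
    """Sub-commands apply to the most recent policy or tunnel block, as on the router."""
    r, ctx = Router(name, wan_ip), None
    for w in (line.split() for line in re.split(r"[\n↓]", text)):
        if not w or w[0] == "!":
            continue
        if w[:2] in (["isakmp", "policy"], ["ipsec", "policy"]):
            ctx = getattr(r, w[0]).setdefault(w[2], {"name": w[2]})  # r.isakmp / r.ipsec
        elif w[:2] == ["interface", "tunnel"]:
            ctx = r.tunnels.setdefault(" ".join(w[1:3]), {})
        elif w[:2] in (["isakmp", "proposal"], ["ipsec", "proposal"]):
            r.proposals.append(w[3:])
        elif w[:2] == ["ip", "route"]:
            r.routes.append((w[2], w[3:]))
        elif w[0] in RESET or w[:2] == ["access-list", "ip"]:
            ctx = None
        elif ctx is not None and w[0] in ("peer", "local-id", "remote-id"):
            ctx[w[0].split("-")[0]] = w[1]          # stored as peer / local / remote
        elif ctx is not None and w[:3] == ["auth", "preshared", "key"]:
            ctx["key"] = w[3]
        elif ctx is not None and w[:2] == ["tunnel", "policy"]:
            ctx["policy"] = w[2]
    return r

def legacy_algorithms(r):
    """Deprecated algorithms in the proposals: a review item, not a configuration fault."""
    text = " " + " ".join(" ".join(words) for words in r.proposals) + " "
    return sorted(alg for alg in LEGACY if f" {alg} " in text)

def _policy_for(policies, peer):
    hits = [p for p in policies.values() if p.get("peer") == peer]
    return hits[0] if len(hits) == 1 else None

def check_pair(hub, spoke):
    """Problems that would keep one hub<->spoke tunnel from coming up."""
    h_ike, s_ike = _policy_for(hub.isakmp, spoke.wan_ip), _policy_for(spoke.isakmp, hub.wan_ip)
    if not (h_ike and s_ike):
        return ["isakmp policy for the peer missing or duplicated"]
    problems = ["pre-shared keys differ"] if h_ike.get("key") != s_ike.get("key") else []
    h_sa, s_sa = _policy_for(hub.ipsec, spoke.wan_ip), _policy_for(spoke.ipsec, hub.wan_ip)
    if not (h_sa and s_sa):
        return problems + ["ipsec policy for the peer missing or duplicated"]
    if (h_sa.get("local"), h_sa.get("remote")) != (s_sa.get("remote"), s_sa.get("local")):
        problems.append("local-id/remote-id selectors are not mirrored")
    for r, sa in ((hub, h_sa), (spoke, s_sa)):  # each policy must drive a tunnel interface
        if sa["name"] not in {t.get("policy") for t in r.tunnels.values()}:
            problems.append(f"{r.name}: ipsec policy {sa['name']} not bound to a tunnel")
    return problems

def unprotected_tunnel_routes(hub):
    """Prefixes routed into a tunnel with no Null backup: with the tunnel down, that
    traffic would follow the default route out of the ISP session."""
    via_tunnel = {p for p, nh in hub.routes if nh[:1] == ["tunnel"]}
    return sorted(via_tunnel - {p for p, nh in hub.routes if nh[:1] == ["Null"]})

HUB = parse_config("A", "10.1.1.1", ROUTER_A)
SPOKES = [parse_config("B", "10.1.1.2", ROUTER_B), parse_config("C", "10.1.1.3", ROUTER_C)]

if __name__ == "__main__":
    print({s.name: check_pair(HUB, s) or "ok" for s in SPOKES})         # {'B': 'ok', 'C': 'ok'}
    print(legacy_algorithms(HUB), unprotected_tunnel_routes(HUB))      # ['3des', 'group 2', 'sha1'] []
```

Run as is, the script reports no tunnel problems for the page's configuration; editing one of the sample strings (a spoke's key, a local-id) produces the corresponding finding. The Null 254 routes matter on Router A specifically: it is the only router with a second, Internet-facing PPPoE session, so without them branch-bound traffic would follow the default route out gigabitEthernet 0.2 whenever a tunnel is down. 3DES, SHA-1 and DH group 2 are what the page configures; the script lists them only as a review item, because they are legacy choices today, not as a fault in the example.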
(C) 2011-2014 Allied Telesis Holdings K.K.
PN: 613-001568 Rev.E