<前頁 次頁> << >> ↓ 目次 (番号順 (詳細)・ 回線別 (詳細)・ 機能別 (詳細))
CentreCOM ARX640S 設定例集 5.1.5 #22
センター側にマスター/バックアップルーターを各1台ずつ設置してVRRPを使用した冗長構成を構築します。マスタールーターでは拠点間通信にCUG(Closed Users Group)サービス(フレッツ・VPNワイド、フレッツ・グループアクセス(NTT東日本)、フレッツ・グループ(NTT西日本)など)を利用し、バックアップルーターではバックアップ回線としてインターネットVPNを利用するネットワークを構築します。
PPPユーザー名 | center@isp | user@3gnet.co.jp |
PPPパスワード | centpass | 3gpasswd |
アクセスポイント名 | 指定なし | 3gnet.co.jp |
CID | - | 10 |
IPアドレス | 200.100.10.1/32 | 動的割り当て |
DNSサーバー | 接続時に通知される |
PPPユーザー名 | center | branch |
PPPパスワード | passwdA | passwdC |
PPPoEサービス名 | 指定なし | |
使用できるIPアドレス | 動的割り当て(172.16.0.1/32固定) | 動的割り当て(172.16.0.2/32固定) |
接続形態 | 端末型 |
VRID | 1 | |
VRIP | 192.168.10.1/24 | |
Priority | 101 | 99 |
VRRP Status | Master | Backup |
実IP | 192.168.10.253/24 | 192.168.10.254/24 |
WAN側物理インターフェース | gigabitEthernet 0 | gigabitEthernet 0 | usb 0 | |
WAN側IPアドレス | 172.16.0.1/32 | 200.100.10.1/32 | 172.16.0.2/32 | 動的割り当て |
WAN側(gigabitEthernet 1)IPアドレス | 192.168.20.1/24 | 192.168.20.2/24 | - | |
LAN側(vlan 1)IPアドレス | 192.168.10.253/24 | 192.168.10.254/24 | 192.168.1.1/24 | |
VPN接続設定 | ||||
ローカルセキュアグループ | 0.0.0.0/0 | 192.168.1.0/24 | ||
リモートセキュアグループ | 192.168.1.0/24 | 0.0.0.0/0 | ||
トンネル終端アドレス | 172.16.0.2/32 | 不定 | 172.16.0.1/32 | 200.100.10.1/32 |
IKE設定 | ||||
交換モード | Mainモード | Aggressiveモード | Mainモード | Aggressiveモード |
認証方式 | 事前共有鍵(pre-shared key) | |||
事前共有鍵 | secret(文字列) | |||
ローカルID/リモートID | - | なし/client | - | client/なし |
暗号化認証アルゴリズム | 3DES & SHA1-DH2 | |||
有効期限 | 21600秒(6時間)(デフォルト) | |||
DPDによる死活監視 | 行う | |||
起動時のISAKMPネゴシエーション | 行う | |||
IPsec設定 | ||||
SAモード | トンネルモード | |||
セキュリティープロトコル | ESP | |||
暗号化認証アルゴリズム | 3DES & SHA1 | |||
PFSグループ | なし | |||
有効期限 | 3600秒(1時間)(デフォルト) |
ルーターAの設定 |
ppp profile pppoe0 ↓ my-username center password passwdA ↓
interface gigabitEthernet 0 ↓ no shutdown ↓
interface gigabitEthernet 0.1 ↓ ip address ipcp ↓ ip tcp mss auto ↓ no shutdown ↓ pppoe enable ↓ ppp bind-profile pppoe0 ↓
interface gigabitEthernet 1 ↓ ip address 192.168.20.1/24 ↓ no shutdown ↓
interface vlan 1 ↓ ip address 192.168.10.253/24 ↓
router vrrp 1 vlan 1 ↓ virtual-ip 192.168.10.1 backup ↓ priority 101 ↓ enable ↓
ip address-up-always ↓
ip route default 192.168.20.2 ↓
ip route 172.16.0.2/32 gigabitEthernet 0.1 ↓ ip route 172.16.0.2/32 Null 254 ↓
isakmp proposal isakmp encryption 3des hash sha1 group 2 ↓ isakmp policy vpn ↓ peer 172.16.0.2 ↓ auth preshared key secret ↓ proposal isakmp ↓ keepalive enable ↓ keepalive interval 10 ↓
access-list ip extended ipsec ↓ permit ip any any ↓ ipsec proposal ipsec esp encryption 3des hash sha1 ↓ ipsec policy vpn ↓ peer 172.16.0.2 ↓ access-list ipsec ↓ local-id 0.0.0.0/0 ↓ remote-id 192.168.1.0/24 ↓ proposal ipsec ↓ always-up-sa ↓
interface tunnel 0 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn ↓
ip route 192.168.1.0/24 tunnel 0 ↓
event-group polling_down ↓ event keepalive ip 192.168.1.1 src 192.168.10.253 out-if tunnel 0 ↓ action 10 ip shutdown-vrrp 1 vlan 1 ↓ action 20 ipsec clear-sa ↓ action 30 event-group tunnel0_up enable ↓ action 40 event-group polling_down disable ↓ option keepalive interval 5 ↓ trigger enable ↓
event-group tunnel0_up ↓ event interface tunnel 0 up ↓ action 10 ip resume-vrrp 1 vlan 1 ↓ action 20 event-group polling_down enable ↓ action 30 event-group tunnel0_up disable ↓
event-group ge1_down ↓ event interface gigabitEthernet 1 down ↓ action 10 interface gigabitEthernet 0.1 shutdown ↓ action 20 ipsec clear-sa ↓ trigger enable ↓
event-group ge1_up ↓ event interface gigabitEthernet 1 up ↓ action 10 interface gigabitEthernet 0.1 resume ↓ trigger enable ↓
copy running-config startup-config ↓
ルーターBの設定 |
ppp profile pppoe0 ↓ my-username center@isp password centpass ↓
interface gigabitEthernet 0 ↓ no shutdown ↓
interface gigabitEthernet 0.1 ↓ ip address 200.100.10.1/32 ↓ ip tcp mss auto ↓ no shutdown ↓ pppoe enable ↓ ppp bind-profile pppoe0 ↓ ip napt inside any ↓ ip ids in protect ↓
interface gigabitEthernet 1 ↓ ip address 192.168.20.2/24 ↓ no shutdown ↓
interface vlan 1 ↓ ip address 192.168.10.254/24 ↓
router vrrp 1 vlan 1 ↓ virtual-ip 192.168.10.1 backup ↓ priority 99 ↓ enable ↓
ip address-up-always ↓
ip route default gigabitEthernet 0.1 ↓
ip route 192.168.1.0/24 192.168.20.1 ↓
access-list ip extended pppoe0-in ↓ dynamic permit udp any interface gigabitEthernet 0.1 eq 500 ↓ access-list ip extended pppoe0-out ↓ dynamic permit ip any any ↓ interface gigabitEthernet 0.1 ↓ ip traffic-filter pppoe0-in in ↓ ip traffic-filter pppoe0-out out ↓
isakmp proposal isakmp encryption 3des hash sha1 group 2 ↓ isakmp policy vpn ↓ peer any ↓ mode aggressive ↓ auth preshared key secret ↓ remote-id client ↓ proposal isakmp ↓ keepalive enable ↓ keepalive interval 10 ↓
access-list ip extended ipsec ↓ permit ip any any ↓ ipsec proposal ipsec esp encryption 3des hash sha1 ↓ ipsec policy vpn ↓ peer any ↓ access-list ipsec ↓ local-id 0.0.0.0/0 ↓ remote-id 192.168.1.0/24 ↓ proposal ipsec ↓ always-up-sa ↓
interface tunnel 0 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn ↓
ip route 192.168.1.0/24 tunnel 0 10 ↓
event-group tunnel0_up ↓ event interface tunnel 0 up ↓ action 10 ip shutdown-route 192.168.1.0/24 192.168.20.1 ↓ trigger enable ↓
event-group tunnel0_down ↓ event interface tunnel 0 down ↓ action 10 ip resume-route 192.168.1.0/24 192.168.20.1 ↓ trigger enable ↓
copy running-config startup-config ↓
ルーターCの設定 |
ppp profile pppoe0 ↓ my-username branch password passwdC ↓
interface gigabitEthernet 0 ↓ no shutdown ↓
interface gigabitEthernet 0.1 ↓ ip address ipcp ↓ ip tcp mss auto ↓ no shutdown ↓ pppoe enable ↓ ppp bind-profile pppoe0 ↓
ppp profile 3gnet ↓ my-username user@3gnet.co.jp password 3gpasswd ↓ mobile access-point-name 3gnet.co.jp cid 10 ↓ idle-timeout 300 ↓
Note - 従量アクセスポイントの場合、接続時間および送受信するデータ量に応じた料金が発生しますので、設定に間違いがないことを確認してください。
interface ppp 0 ↓ ip address ipcp ↓ ip tcp mss auto ↓ no shutdown ↓ ppp bind-device usb 0 ↓ ppp bind-profile 3gnet ↓ ip napt inside any ↓ ip ids in protect ↓
interface vlan 1 ↓ ip address 192.168.1.1/24 ↓
ip address-up-always ↓
ip route 172.16.0.1/32 gigabitEthernet 0.1 ↓ ip route 172.16.0.1/32 Null 254 ↓
access-list ip extended ppp0-in ↓ access-list ip extended ppp0-out ↓ dynamic permit ip any any ↓ interface ppp 0 ↓ ip traffic-filter ppp0-in in ↓ ip traffic-filter ppp0-out out ↓
isakmp proposal isakmp encryption 3des hash sha1 group 2 ↓
isakmp policy vpn1 ↓ peer 172.16.0.1 ↓ auth preshared key secret ↓ proposal isakmp ↓ keepalive enable ↓ keepalive interval 10 ↓
isakmp policy vpn2 ↓ peer 200.100.10.1 ↓ mode aggressive ↓ auth preshared key secret ↓ local-id client ↓ proposal isakmp ↓ keepalive enable ↓ keepalive interval 10 ↓
access-list ip extended ipsec ↓ permit ip any any ↓ ipsec proposal ipsec esp encryption 3des hash sha1 ↓
ipsec policy vpn1 ↓ peer 172.16.0.1 ↓ access-list ipsec ↓ local-id 192.168.1.0/24 ↓ remote-id 0.0.0.0/0 ↓ proposal ipsec ↓ always-up-sa ↓
ipsec policy vpn2 ↓ peer 200.100.10.1 ↓ access-list ipsec ↓ local-id 192.168.1.0/24 ↓ remote-id 0.0.0.0/0 ↓ proposal ipsec ↓ always-up-sa ↓
interface tunnel 0 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn1 ↓
interface tunnel 1 ↓ tunnel mode ipsec ↓ ip unnumbered vlan 1 ↓ ip tcp mss auto ↓ no shutdown ↓ tunnel policy vpn2 ↓
ip route default tunnel 0 ↓
ip route default tunnel 1 10 ↓
ip route 200.100.10.1/32 Null 254 ↓
event-group polling_down ↓ event keepalive ip 192.168.10.1 src 192.168.1.1 out-if tunnel 0 ↓ action 10 ip shutdown-route default tunnel 0 ↓ action 20 ipsec clear-sa policy vpn1 ↓ action 30 ip resume-route 200.100.10.1/32 ppp 0 ↓ action 40 event-group tunnel0_up enable ↓ action 50 event-group polling_down disable ↓ option keepalive interval 5 ↓ trigger enable ↓
event-group tunnel0_up ↓ event interface tunnel 0 up ↓ action 10 ip shutdown-route 200.100.10.1/32 ppp 0 ↓ action 20 ipsec clear-sa policy vpn2 ↓ action 30 ip resume-route default tunnel 0 ↓ action 40 event-group polling_down enable ↓ action 50 event-group tunnel0_up disable ↓
copy running-config startup-config ↓
まとめ |
ルーターAのコンフィグ
! service password-encryption ! clock timezone JST 9 ! ! ip address-up-always ppp profile pppoe0 my-username center password 8 e$Ih7p7xgv6c0kA ! interface gigabitEthernet 0 no shutdown ! interface gigabitEthernet 0.1 ip address ipcp ip tcp mss auto no shutdown pppoe enable ppp bind-profile pppoe0 ! interface gigabitEthernet 1 ip address 192.168.20.1/24 no shutdown ! interface gigabitEthernet 2 no shutdown ! interface gigabitEthernet 3 no shutdown ! interface gigabitEthernet 4 no shutdown ! interface gigabitEthernet 5 no shutdown ! interface loop 0 shutdown ! interface loop 1 shutdown ! interface tunnel 0 tunnel mode ipsec ip unnumbered vlan 1 ip tcp mss auto no shutdown tunnel policy vpn ! interface vlan 1 ip address 192.168.10.253/24 no shutdown ! router vrrp 1 vlan 1 virtual-ip 192.168.10.1 backup priority 101 enable ! ip route default 192.168.20.2 ip route 172.16.0.2/32 gigabitEthernet 0.1 ip route 172.16.0.2/32 Null 254 ip route 192.168.1.0/24 tunnel 0 ! access-list ip extended ipsec permit ip any any ! isakmp proposal isakmp encryption 3des hash sha1 group 2 ! isakmp policy vpn peer 172.16.0.2 auth preshared key 8 e$I3eQu7yNuLxQA proposal isakmp keepalive enable keepalive interval 10 ! ipsec proposal ipsec esp encryption 3des hash sha1 ! ipsec policy vpn peer 172.16.0.2 access-list ipsec local-id 0.0.0.0/0 remote-id 192.168.1.0/24 proposal ipsec always-up-sa ! ! ! ! event-group ge1_down event interface gigabitEthernet 1 down action 10 interface gigabitEthernet 0.1 shutdown action 20 ipsec clear-sa trigger enable event-group ge1_up event interface gigabitEthernet 1 up action 10 interface gigabitEthernet 0.1 resume trigger enable event-group polling_down event keepalive ip 192.168.1.1 src 192.168.10.253 out-if tunnel 0 action 10 ip shutdown-vrrp 1 vlan 1 action 20 ipsec clear-sa action 30 event-group tunnel0_up enable action 40 event-group polling_down disable option keepalive interval 5 trigger enable event-group tunnel0_up event interface tunnel 0 up action 10 ip resume-vrrp 1 vlan 1 action 20 event-group polling_down enable action 30 event-group tunnel0_up disable ! end |
ルーターBのコンフィグ
! service password-encryption ! clock timezone JST 9 ! ! ip address-up-always ppp profile pppoe0 my-username center@isp password 8 e$QrAq9z74BzW1jk1bEKE2+RAAA ! interface gigabitEthernet 0 no shutdown ! interface gigabitEthernet 0.1 ip address 200.100.10.1/32 ip tcp mss auto no shutdown pppoe enable ppp bind-profile pppoe0 ip napt inside any ip traffic-filter pppoe0-in in ip traffic-filter pppoe0-out out ip ids in protect ! interface gigabitEthernet 1 ip address 192.168.20.2/24 no shutdown ! interface gigabitEthernet 2 no shutdown ! interface gigabitEthernet 3 no shutdown ! interface gigabitEthernet 4 no shutdown ! interface gigabitEthernet 5 no shutdown ! interface loop 0 shutdown ! interface loop 1 shutdown ! interface tunnel 0 tunnel mode ipsec ip unnumbered vlan 1 ip tcp mss auto no shutdown tunnel policy vpn ! interface vlan 1 ip address 192.168.10.254/24 no shutdown ! router vrrp 1 vlan 1 virtual-ip 192.168.10.1 backup priority 99 enable ! ip route default gigabitEthernet 0.1 ip route 192.168.1.0/24 192.168.20.1 ip route 192.168.1.0/24 tunnel 0 10 ! access-list ip extended ipsec permit ip any any access-list ip extended pppoe0-in dynamic permit udp any interface gigabitEthernet 0.1 eq 500 access-list ip extended pppoe0-out dynamic permit ip any any ! isakmp proposal isakmp encryption 3des hash sha1 group 2 ! isakmp policy vpn peer any mode aggressive auth preshared key 8 e$I3eQu7yNuLxQA remote-id client proposal isakmp keepalive enable keepalive interval 10 ! ipsec proposal ipsec esp encryption 3des hash sha1 ! ipsec policy vpn peer any access-list ipsec local-id 0.0.0.0/0 remote-id 192.168.1.0/24 proposal ipsec always-up-sa ! ! ! ! event-group tunnel0_down event interface tunnel 0 down action 10 ip resume-route 192.168.1.0/24 192.168.20.1 trigger enable event-group tunnel0_up event interface tunnel 0 up action 10 ip shutdown-route 192.168.1.0/24 192.168.20.1 trigger enable ! end |
ルーターCのコンフィグ
! service password-encryption ! clock timezone JST 9 ! ! ip address-up-always ppp profile pppoe0 my-username branch password 8 e$Ilf24hTCHeMQA ppp profile 3gnet my-username user@3gnet.co.jp password 8 e$QcmDz+RpjEh7KH7j9YuTf4wAA idle-timeout 300 mobile access-point-name 3gnet.co.jp cid 10 ! interface gigabitEthernet 0 no shutdown ! interface gigabitEthernet 0.1 ip address ipcp ip tcp mss auto no shutdown pppoe enable ppp bind-profile pppoe0 ! interface gigabitEthernet 1 shutdown ! interface gigabitEthernet 2 no shutdown ! interface gigabitEthernet 3 no shutdown ! interface gigabitEthernet 4 no shutdown ! interface gigabitEthernet 5 no shutdown ! interface loop 0 shutdown ! interface loop 1 shutdown ! interface ppp 0 ip address ipcp ip tcp mss auto no shutdown ppp bind-device usb 0 ppp bind-profile 3gnet ip napt inside any ip traffic-filter ppp0-in in ip traffic-filter ppp0-out out ip ids in protect ! interface tunnel 0 tunnel mode ipsec ip unnumbered vlan 1 ip tcp mss auto no shutdown tunnel policy vpn1 ! interface tunnel 1 tunnel mode ipsec ip unnumbered vlan 1 ip tcp mss auto no shutdown tunnel policy vpn2 ! interface vlan 1 ip address 192.168.1.1/24 no shutdown ! ip route default tunnel 0 ip route default tunnel 1 10 ip route 172.16.0.1/32 gigabitEthernet 0.1 ip route 172.16.0.1/32 Null 254 ip route 200.100.10.1/32 Null 254 ! access-list ip extended ipsec permit ip any any access-list ip extended ppp0-in access-list ip extended ppp0-out dynamic permit ip any any ! isakmp proposal isakmp encryption 3des hash sha1 group 2 ! isakmp policy vpn1 peer 172.16.0.1 auth preshared key 8 e$I3eQu7yNuLxQA proposal isakmp keepalive enable keepalive interval 10 ! isakmp policy vpn2 peer 200.100.10.1 mode aggressive auth preshared key 8 e$I3eQu7yNuLxQA local-id client proposal isakmp keepalive enable keepalive interval 10 ! ipsec proposal ipsec esp encryption 3des hash sha1 ! ipsec policy vpn1 peer 172.16.0.1 access-list ipsec local-id 192.168.1.0/24 remote-id 0.0.0.0/0 proposal ipsec always-up-sa ! ipsec policy vpn2 peer 200.100.10.1 access-list ipsec local-id 192.168.1.0/24 remote-id 0.0.0.0/0 proposal ipsec always-up-sa ! ! ! ! event-group polling_down event keepalive ip 192.168.10.1 src 192.168.1.1 out-if tunnel 0 action 10 ip shutdown-route default tunnel 0 action 20 ipsec clear-sa policy vpn1 action 30 ip resume-route 200.100.10.1/32 ppp 0 action 40 event-group tunnel0_up enable action 50 event-group polling_down disable option keepalive interval 5 trigger enable event-group tunnel0_up event interface tunnel 0 up action 10 ip shutdown-route 200.100.10.1/32 ppp 0 action 20 ipsec clear-sa policy vpn2 action 30 ip resume-route default tunnel 0 action 40 event-group polling_down enable action 50 event-group tunnel0_up disable ! end |
(C) 2011-2014 アライドテレシスホールディングス株式会社
PN: 613-001568 Rev.E