CentreCOM ARX640S Configuration Examples 5.1.5 #32

This example builds a VPN between two sites over the FLET'S Hikari Next service offered by NTT East and NTT West: each router connects to the IPv6 Internet with IPv6 PPPoE, and the two sites are joined by an IPsec tunnel between their IPv6 addresses (IPv4 over IPv6 IPsec). The example assumes that each site is assigned a fixed IPv6 prefix, and connects the two sites with an IPsec tunnel.
| Item | Router A | Router B |
|---|---|---|
| PPP user name | user@ispA | user@ispB |
| PPP password | isppasswdA | isppasswdB |
| PPPoE service name | not specified | (same) |
| Assigned IPv6 prefix | 2001:1:1:1000::/56 | 2001:1:1:2000::/56 |
| WAN-side physical interface | gigabitEthernet 0 | (same) |
| WAN-side (gigabitEthernet 0.1) IPv6 address | link-local address | (same) |
| LAN-side (vlan1) IPv6 address | 2001:1:1:1001::1/64 | 2001:1:1:2001::1/64 |
| LAN-side (vlan1) IPv4 address | 192.168.10.1/24 | 192.168.20.1/24 |
| VPN connection settings | | |
| Local secure group | 192.168.10.0/24 | 192.168.20.0/24 |
| Remote secure group | 192.168.20.0/24 | 192.168.10.0/24 |
| Tunnel endpoint address | 2001:1:1:2001::1 | 2001:1:1:1001::1 |
| IKE settings | | |
| Exchange mode | Main mode | (same) |
| Authentication method | pre-shared key | (same) |
| Pre-shared key | secret (string) | (same) |
| Local ID / remote ID | none / none | (same) |
| Encryption / authentication algorithms | AES256 & SHA1, DH group 2 | (same) |
| Lifetime | 21600 seconds (6 hours) (default) | (same) |
| Dead peer detection (DPD) | enabled | (same) |
| ISAKMP negotiation at startup | enabled | (same) |
| IPsec settings | | |
| SA mode | tunnel mode | (same) |
| Security protocol | ESP | (same) |
| Encryption / authentication algorithms | AES256 & SHA1 | (same) |
| PFS group | none | (same) |
| Lifetime | 3600 seconds (1 hour) (default) | (same) |

Router A configuration

Enter the following commands on Router A (the ↓ marks of the original step list denote Enter and are omitted here; `!` lines are comments).

```
! PPP profile used by the IPv6 PPPoE session
ppp profile v6-pppoe
 my-username user@ispA password isppasswdA
 lcp keepalive echo-interval 60
! WAN physical port
interface gigabitEthernet 0
 ipv6 enable
 no shutdown
! PPPoE subinterface on the WAN port (link-local address only, borrows vlan 1's global address)
interface gigabitEthernet 0.1
 ipv6 enable
 ipv6 unnumbered vlan 1
 no shutdown
 pppoe enable
 ppp bind-profile v6-pppoe
 ipv6 ids in protect
! LAN interface
interface vlan 1
 ip address 192.168.10.1/24
 ipv6 enable
 ipv6 address-up-always
! IPv6 default route over the PPPoE session
ipv6 route default gigabitEthernet 0.1
! Inbound IPv6 filter: DHCPv6 client port, IKE (UDP 500) to the vlan 1 address, and ICMPv6 only
access-list ipv6 extended v6pppoe-in
 dynamic permit udp any interface gigabitEthernet 0.1 eq 546
 dynamic permit udp any interface vlan 1 eq 500
 dynamic permit icmpv6 any any
access-list ipv6 extended v6pppoe-out
 dynamic permit ipv6 any any
interface gigabitEthernet 0.1
 ipv6 traffic-filter v6pppoe-in in
 ipv6 traffic-filter v6pppoe-out out
! IKE phase 1: AES256 / SHA1 / DH group 2, pre-shared key, DPD keepalive
isakmp proposal isakmp encryption aes256 hash sha1 group 2
isakmp policy isakmp
 peer 2001:1:1:2001::1
 auth preshared key secret
 proposal isakmp
 keepalive enable
! IPsec phase 2: ESP AES256 / SHA1 between the two LANs, SA kept up permanently
access-list ip extended ipsec
 permit ip any any
ipsec proposal ipsec esp encryption aes256 hash sha1
ipsec policy ipsec
 peer 2001:1:1:2001::1
 access-list ipsec
 local-id 192.168.10.0/24
 remote-id 192.168.20.0/24
 proposal ipsec
 always-up-sa
! IPsec tunnel interface carrying IPv4 over IPv6
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy ipsec
! Remote LAN via the tunnel; the floating Null route (distance 254) takes over while tunnel 0 is down
ip route 192.168.20.0/24 tunnel 0
ip route 192.168.20.0/24 Null 254
! DHCPv6-PD client: derive the vlan 1 address from the delegated /56
interface gigabitEthernet 0.1
 ipv6 dhcp client isp-v6
ipv6 dhcp client-profile isp-v6
 ia-pd configure vlan 1 ::1:0:0:0:1/64
copy running-config startup-config
```
Router B configuration

Enter the following commands on Router B (the ↓ marks of the original step list denote Enter and are omitted here; `!` lines are comments).

```
! PPP profile used by the IPv6 PPPoE session
ppp profile v6-pppoe
 my-username user@ispB password isppasswdB
 lcp keepalive echo-interval 60
! WAN physical port
interface gigabitEthernet 0
 ipv6 enable
 no shutdown
! PPPoE subinterface on the WAN port (link-local address only, borrows vlan 1's global address)
interface gigabitEthernet 0.1
 ipv6 enable
 ipv6 unnumbered vlan 1
 no shutdown
 pppoe enable
 ppp bind-profile v6-pppoe
 ipv6 ids in protect
! LAN interface
interface vlan 1
 ip address 192.168.20.1/24
 ipv6 enable
 ipv6 address-up-always
! IPv6 default route over the PPPoE session
ipv6 route default gigabitEthernet 0.1
! Inbound IPv6 filter: DHCPv6 client port, IKE (UDP 500) to the vlan 1 address, and ICMPv6 only
access-list ipv6 extended v6pppoe-in
 dynamic permit udp any interface gigabitEthernet 0.1 eq 546
 dynamic permit udp any interface vlan 1 eq 500
 dynamic permit icmpv6 any any
access-list ipv6 extended v6pppoe-out
 dynamic permit ipv6 any any
interface gigabitEthernet 0.1
 ipv6 traffic-filter v6pppoe-in in
 ipv6 traffic-filter v6pppoe-out out
! IKE phase 1: AES256 / SHA1 / DH group 2, pre-shared key, DPD keepalive
isakmp proposal isakmp encryption aes256 hash sha1 group 2
isakmp policy isakmp
 peer 2001:1:1:1001::1
 auth preshared key secret
 proposal isakmp
 keepalive enable
! IPsec phase 2: ESP AES256 / SHA1 between the two LANs, SA kept up permanently
access-list ip extended ipsec
 permit ip any any
ipsec proposal ipsec esp encryption aes256 hash sha1
ipsec policy ipsec
 peer 2001:1:1:1001::1
 access-list ipsec
 local-id 192.168.20.0/24
 remote-id 192.168.10.0/24
 proposal ipsec
 always-up-sa
! IPsec tunnel interface carrying IPv4 over IPv6
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy ipsec
! Remote LAN via the tunnel; the floating Null route (distance 254) takes over while tunnel 0 is down
ip route 192.168.10.0/24 tunnel 0
ip route 192.168.10.0/24 Null 254
! DHCPv6-PD client: derive the vlan 1 address from the delegated /56
interface gigabitEthernet 0.1
 ipv6 dhcp client isp-v6
ipv6 dhcp client-profile isp-v6
 ia-pd configure vlan 1 ::1:0:0:0:1/64
copy running-config startup-config
```
Summary

Router A running configuration

```
!
service password-encryption
!
clock timezone JST 9
!
!
!
!
ipv6 address-up-always
ppp profile v6-pppoe
 my-username user@ispA password 8 e$QNKMe2ohmPDFBWKSYxCJz8gAA
 lcp keepalive echo-interval 60
!
interface gigabitEthernet 0
 ipv6 enable
 no shutdown
!
interface gigabitEthernet 0.1
 ipv6 enable
 ipv6 unnumbered vlan 1
 no shutdown
 pppoe enable
 ppp bind-profile v6-pppoe
 ipv6 traffic-filter v6pppoe-in in
 ipv6 traffic-filter v6pppoe-out out
 ipv6 dhcp client isp-v6
 ipv6 ids in protect
!
interface gigabitEthernet 1
 shutdown
!
interface gigabitEthernet 2
 no shutdown
!
interface gigabitEthernet 3
 no shutdown
!
interface gigabitEthernet 4
 no shutdown
!
interface gigabitEthernet 5
 no shutdown
!
interface loop 0
 shutdown
!
interface loop 1
 shutdown
!
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy ipsec
!
interface vlan 1
 ip address 192.168.10.1/24
 ipv6 enable
 no shutdown
!
ip route 192.168.20.0/24 tunnel 0
ip route 192.168.20.0/24 Null 254
!
access-list ip extended ipsec
 permit ip any any
!
ipv6 route default gigabitEthernet 0.1
!
access-list ipv6 extended v6pppoe-in
 dynamic permit udp any interface gigabitEthernet 0.1 eq 546
 dynamic permit udp any interface vlan 1 eq 500
 dynamic permit icmpv6 any any
access-list ipv6 extended v6pppoe-out
 dynamic permit ipv6 any any
!
isakmp proposal isakmp encryption aes256 hash sha1 group 2
!
isakmp policy isakmp
 peer 2001:1:1:2001::1
 auth preshared key 8 e$I3eQu7yNuLxQA
 proposal isakmp
 keepalive enable
!
ipsec proposal ipsec esp encryption aes256 hash sha1
!
ipsec policy ipsec
 peer 2001:1:1:2001::1
 access-list ipsec
 local-id 192.168.10.0/24
 remote-id 192.168.20.0/24
 proposal ipsec
 always-up-sa
!
!
!
ipv6 dhcp client-profile isp-v6
 ia-pd configure vlan 1 ::1:0:0:0:1/64
!
!
end
```

Router B running configuration

```
!
service password-encryption
!
clock timezone JST 9
!
!
!
!
ipv6 address-up-always
ppp profile v6-pppoe
 my-username user@ispB password 8 e$QNKMe2ohmPDGyL5Yl1OWFlAAA
 lcp keepalive echo-interval 60
!
interface gigabitEthernet 0
 ipv6 enable
 no shutdown
!
interface gigabitEthernet 0.1
 ipv6 enable
 ipv6 unnumbered vlan 1
 no shutdown
 pppoe enable
 ppp bind-profile v6-pppoe
 ipv6 traffic-filter v6pppoe-in in
 ipv6 traffic-filter v6pppoe-out out
 ipv6 dhcp client isp-v6
 ipv6 ids in protect
!
interface gigabitEthernet 1
 shutdown
!
interface gigabitEthernet 2
 no shutdown
!
interface gigabitEthernet 3
 no shutdown
!
interface gigabitEthernet 4
 no shutdown
!
interface gigabitEthernet 5
 no shutdown
!
interface loop 0
 shutdown
!
interface loop 1
 shutdown
!
interface tunnel 0
 tunnel mode ipsec
 ip unnumbered vlan 1
 ip tcp mss auto
 no shutdown
 tunnel policy ipsec
!
interface vlan 1
 ip address 192.168.20.1/24
 ipv6 enable
 no shutdown
!
ip route 192.168.10.0/24 tunnel 0
ip route 192.168.10.0/24 Null 254
!
access-list ip extended ipsec
 permit ip any any
!
ipv6 route default gigabitEthernet 0.1
!
access-list ipv6 extended v6pppoe-in
 dynamic permit udp any interface gigabitEthernet 0.1 eq 546
 dynamic permit udp any interface vlan 1 eq 500
 dynamic permit icmpv6 any any
access-list ipv6 extended v6pppoe-out
 dynamic permit ipv6 any any
!
isakmp proposal isakmp encryption aes256 hash sha1 group 2
!
isakmp policy isakmp
 peer 2001:1:1:1001::1
 auth preshared key 8 e$I3eQu7yNuLxQA
 proposal isakmp
 keepalive enable
!
ipsec proposal ipsec esp encryption aes256 hash sha1
!
ipsec policy ipsec
 peer 2001:1:1:1001::1
 access-list ipsec
 local-id 192.168.20.0/24
 remote-id 192.168.10.0/24
 proposal ipsec
 always-up-sa
!
!
!
ipv6 dhcp client-profile isp-v6
 ia-pd configure vlan 1 ::1:0:0:0:1/64
!
!
end
```
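The IPsec peer address each router dials is not typed by hand: it is the vlan 1 address the other router derives from its delegated /56 plus the `ia-pd configure vlan 1 ::1:0:0:0:1/64` suffix, so a typo in either the suffix or the `peer` line breaks the tunnel silently. The script below, an added example and not Allied Telesis code, reproduces that derivation with the values from the table and cross-checks that the two configurations mirror each other (peer addresses and local-id/remote-id); the dictionary layout and function names are the example's own.

```python
import ipaddress

# Values taken from the configuration table above (Router A and Router B).
ROUTERS = {
    "A": {"prefix": "2001:1:1:1000::/56", "peer": "2001:1:1:2001::1",
          "local_id": "192.168.10.0/24", "remote_id": "192.168.20.0/24"},
    "B": {"prefix": "2001:1:1:2000::/56", "peer": "2001:1:1:1001::1",
          "local_id": "192.168.20.0/24", "remote_id": "192.168.10.0/24"},
}
# Suffix argument of `ia-pd configure vlan 1 ::1:0:0:0:1/64` (same on both routers).
IA_PD_SUFFIX = "::1:0:0:0:1/64"


def ia_pd_address(delegated_prefix: str, suffix: str) -> ipaddress.IPv6Interface:
    """Combine the DHCPv6-PD delegated prefix with the ia-pd interface suffix.
    The suffix supplies the bits right of the delegated prefix (subnet id 0x01 and
    interface id ::1) and its /64 becomes the interface prefix length:
    2001:1:1:1000::/56 + ::1:0:0:0:1/64 -> 2001:1:1:1001::1/64."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    sfx = ipaddress.IPv6Interface(suffix)
    host_bits = (1 << (128 - net.prefixlen)) - 1
    if int(sfx.ip) & ~host_bits:          # suffix must not touch the ISP's bits
        raise ValueError("suffix sets bits inside the delegated prefix")
    if sfx.network.prefixlen < net.prefixlen:
        raise ValueError("interface prefix length shorter than the delegated prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(sfx.ip))
    return ipaddress.IPv6Interface(f"{addr}/{sfx.network.prefixlen}")


def check_site_to_site(routers=ROUTERS, suffix=IA_PD_SUFFIX) -> list:
    """Each router's ISAKMP/IPsec `peer` must equal the vlan 1 address the other
    router derives, and local-id/remote-id must mirror. Returns mismatches."""
    problems = []
    for me, other in [(a, b) for a in routers for b in routers if a != b]:
        mine, theirs = routers[me], routers[other]
        their_vlan1 = ia_pd_address(theirs["prefix"], suffix).ip
        if ipaddress.IPv6Address(mine["peer"]) != their_vlan1:
            problems.append(f"{me}: peer {mine['peer']} is not {other}'s vlan 1 {their_vlan1}")
        if mine["local_id"] != theirs["remote_id"]:
            problems.append(f"{me}: local-id {mine['local_id']} != {other}'s remote-id")
    return problems


if __name__ == "__main__":
    for name, r in ROUTERS.items():
        print(name, "vlan 1 =", ia_pd_address(r["prefix"], IA_PD_SUFFIX))
    print("mismatches:", check_site_to_site() or "none")
```

Rerun it whenever the ISP changes a delegated prefix: the derived vlan 1 address is what the other side's `peer` line must carry.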
(C) 2011-2014 Allied Telesis Holdings K.K.
PN: 613-001568 Rev.E