| 設定例 > 冗長設定 |
| 3.F100単体冗長、トンネルルート使用 |
<設定条件>
設定環境は図のとおり
| IPsecおよび冗長の対象とする中継パケット | 192.168.3.0/24 ⇔ 192.168.1.0/24 |
| L3監視先IPアドレス | 192.168.1.1 |
| 拠点側ISDNインタフェースのIPアドレス | 192.168.100.3 |
| IPsec Phase1ポリシー | Pre-shared Key DES/MD5 Oakley-Group2 |
| IPsec Phase2ポリシー | DES/HMAC-MD5 PFS(Group2) |
Router> enable Enter password: super ←パスワードを入力します。(実際は表示されない) Router# Router# configure terminal ! ! ! デフォルトルートを設定します。 ! Router(config)#ip route 192.168.1.1 255.255.255.255 pppoe 1 Router(config)# ! ! ! NAT用のアクセスリストを登録します。 ! Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255 Router(config)# ! ! ! ProxyDNSの設定をします。 ! Router(config)#proxydns mode v4 Router(config)# ! ! ! DHCPサーバの設定をします。 ! Router(config)#service dhcp-server Router(config)# Router(config)#ip dhcp pool lan1 Router(config-dhcp-pool)# dns-server 0.0.0.0 Router(config-dhcp-pool)# default-router 0.0.0.0 Router(config-dhcp-pool)#exit Router(config)# ! ! ! VPNの設定をします。 ! Router(config)#vpn enable Router(config)#vpnlog enable Router(config)#ipsec access-list 1 ipsec ip 192.168.3.0 0.0.0.255 any Router(config)#ipsec access-list 64 bypass ip any any Router(config)#ipsec transform-set P2-des-md5 esp-des esp-md5-hmac Router(config)# Router(config)#crypto isakmp policy 1 Router(config-isakmp)# authentication prekey Router(config-isakmp)# encryption des Router(config-isakmp)# hash md5 Router(config-isakmp)# idtype-pre userfqdn Router(config-isakmp)# key ascii mucho Router(config-isakmp)# my-identity f100kyoten Router(config-isakmp)# negotiation-mode aggressive Router(config-isakmp)# peer-identity address 192.168.1.1 Router(config-isakmp)#exit Router(config)# Router(config)#crypto map kyoten 1 Router(config-crypto-map)# match address 1 Router(config-crypto-map)# set peer address 192.168.1.1 Router(config-crypto-map)# set transform-set P2-des-md5 Router(config-crypto-map)#exit Router(config)# ! ! ! L3監視の設定を行ないます。 ! Router(config)#redundancy pathcheck-list 1 Router(config-red-pathcheck-list 1)# ip address 192.168.1.1 Router(config-red-pathcheck-list 1)# route pppoe 1 Router(config-red-pathcheck-list 1)# source-interface lan 1 Router(config-red-pathcheck-list 1)#exit Router(config)# ! ! ! 冗長対象パケットの設定を行ないます。 ! Router(config)#redundancy pathfilter-list 1 Router(config-red-pathfilter-list 1)# destination 0.0.0.0 0.0.0.0 Router(config-red-pathfilter-list 1)# athcheck-list 1 Router(config-red-pathfilter-list 1)# 1st pppoe 1 Router(config-red-pathfilter-list 1)# 2nd dialer 1 Router(config-red-pathfilter-list 1)# exit ! ! ! ダイヤルアップ用の設定をします。 ! Router(config)#interface bri 1 Router(config-if bri 1)#exit Router(config)# Router(config)#interface dialer 1 Router(config-if dialer 1)# dialer map ip broadcast 0123456798 Router(config-if dialer 1)# dialer interface bri 1 Router(config-if dialer 1)# ip address 192.168.100.3 255.255.255.0 Router(config-if dialer 1)# ip nat inside source list 1 interface Router(config-if dialer 1)#exit Router(config)# ! ! ! LAN側IPアドレスを設定します。 ! Router(config)#interface lan 1 Router(config-if lan 1)# ip address 192.168.3.1 255.255.255.0 Router(config-if lan 1)#exit Router(config)# ! ! ! PPPoEの設定をします。 ! Router(config)#interface pppoe 1 Router(config-if pppoe 1)# crypto map kyoten Router(config-if pppoe 1)# ip nat inside source list 1 interface Router(config-if pppoe 1)# pppoe server ProviderA Router(config-if pppoe 1)# pppoe account user@xxxx.ne.jp secret Router(config-if pppoe 1)# pppoe type host Router(config-if pppoe 1)# exit Router(config)#end Router# save SIDE-A.cfg % saving working-config % finished saving |
<センター側FITELnet-F100の設定>
"clear working.cfg"実行後、以下の設定を貼り付けてください。
| ip route 192.168.3.0 255.255.255.0 pppoe
1 ip route 192.168.100.0 255.255.255.0 192.168.1.2 ip route 0.0.0.0 0.0.0.0 192.168.1.3 access-list 1 permit 192.168.1.0 0.0.0.255 proxydns mode v4 vpn enable vpnlog enable ipsec access-list 1 ipsec ip any 192.168.3.0 0.0.0.255 ipsec transform-set P2-des-md5 esp-des esp-md5-hmac service dhcp-server hostname F100_1 ip dhcp pool lan1 dns-server 0.0.0.0 default-router 0.0.0.0 exit interface lan 1 ip address 192.168.1.1 255.255.255.0 ip rip receive version 1 exit interface pppoe 1 crypto map kyoten ip nat inside source list 1 interface pppoe server A-Provider pppoe account f100@furukawa.co.jp pppoe type host exit crypto isakmp policy 2 authentication prekey encryption des hash md5 idtype-pre userfqdn key ascii mucho negotiation-mode aggressive peer-identity host f100kyoten exit crypto map kyoten 1 match address 1 set peer host f100kyoten set transform-set P2-des-md5 exit crypto security-association tunnel-route interface pppoe 1 exit |
<センター側FITELnet-E30の設定>
"reset -d"(デフォルトリスタート)実行後、以下の設定を貼り付けてください。
wan isdn single
hostname add 1 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 2 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 3 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 4 nameserver=off netbiosserver=off domainname="" defaultgw=off
target add name=3 dial=9876543210 key=nn, speed=64 continuouslimiter=600,on\
callinglimiter=40,on cbmode=off dialcheckmask=0
isdn dialcheck=off recvcheck=off sendcheck=off multimode=off limiter=12\
congestiontimer=1
isdn -1 dial=* dial2=* retrytimes=8 idletimer=60,60 target=2 mode=traffic\
recvidletimer=off globalnumber=allow
isdn -2 dial=* dial2=* retrytimes=8 idletimer=60,60 target=3 recvidletimer=off\
globalnumber=allow
isdn -dp dial=* dial2=* retrytimes=8 idletimer=60,60 recvidletimer=off\
globalnumber=allow
iptarget add addr=192.168.100.3 name=3
targetinterface add name=2 interface=isdn1
ipripstatic add dst=192.168.3.0,255.255.255.0 nexthop=192.168.100.3 metric=16\
preference=50
ipripstatic add dst=0.0.0.0,0.0.0.0 nexthop=192.168.1.3 metric=16 preference=50
identifier node="" manager="" location=""
loadsplit congestiontimer=1 lsplitcheckinterval=300 sendrate=90,60\
recvrate=90,60 poolrate=90,60
connecttimer retry1=5 retry2=180 retry3=6
addrlist 3 add 1 dial=9876543210
datalink -hsd restarttimer=100 restarttimes=10 looptimer=10 watching=on\
compress=off,rfc,nopfc vjcomp=31
datalink -1 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
watching=off compress=off,rfc,nopfc vjcomp=31
datalink -2 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
watching=off compress=off,rfc,nopfc vjcomp=31
datalink -async restarttimer=300 restarttimes=10 looptimer=30 interface=normal\
compress=off,rfc,nopfc vjcomp=31
datalink -dp interface=normal
mtu off size=300
pppecho linktesttimeout=25 replytimer=5 intervaltimer=1
bridging off pvc=off filtering=off ageout=300 delay=200
prioritycontrol off fast=70 medium=20
interface ip lan addr=192.168.1.2,255.255.255.0 broadcast=192.168.1.255
interface ip hsd down
interface ip isdn1 addr=192.168.100.1,255.255.255.0 broadcast=192.168.100.255
interface ip isdn2 down
interface ip async down
interface ip dp down
async speed=57600 recvcheck=off sendcheck=off multimode=off limiter=off\
idletimer=60,60 recvidletimer=off target=3
rtcontrol ip lan sendinterval=30 send=rip1 recv=rip1rip2 metric=0 ageout=180\
rip2password=
rtcontrol ip hsd sendinterval=off send=off recv=off metric=0 ageout=off\
rip2password=
rtcontrol ip isdn1 sendinterval=off send=off recv=off metric=0 ageout=off\
rip2password=
rtcontrol ip isdn2 sendinterval=off send=off recv=off metric=0 ageout=off\
rip2password=
rtcontrol ip async sendinterval=off send=off recv=off metric=0 ageout=off\
rip2password=
iprouting on proxyarp=shortcut filtering=on sealed=off\
sealedinterface=hsd,isdn1,isdn2,async,dp rip=off ifaccept=exclude\
ifpropagate=exclude
ipfiltering -f add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
srcport=0,65535 prot=all recvif=lan,hsd,isdn1,isdn2,async,dp\
sendif=lan,hsd,isdn1,isdn2,async,dp full
ipfiltering -d add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
srcport=137,139 prot=udp recvif=lan,hsd,isdn1,isdn2,async,dp\
sendif=lan,hsd,isdn1,isdn2,async,dp full
snmp on authtrap=on
sntp off server=0.0.0.0,0.0.0.0 schedule=off,60 retryinterval=64 retryterm=1024
manager add 1 addr=0.0.0.0 name=public mode=r srcipaddr=normal
dhcpserver off gateway=on sendarpnum=16 arptimeout=10 sendarpcount=1\
allocateaddr=0.0.0.0 allocatewidth=254 leasetime=infinity
syslogcontrol off autoconn=off
syslogtable addr=0.0.0.0 err=off warning=off info=off facility=1\
srcipaddr=normal
bacp off protocol=new learning=off
rbod routing=normal audio=normal called=on calling=on
nat group=1 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=2 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=3 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=4 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
radius off auth=chappap maxretry=3 retryinterval=1
modem add init reqcmd=ATE0V0 rspcode=OK,0 timer=3,0
modem add disc reqcmd=ATH rspcode=OK,0 timer=3,0
modem dial=tone hdflow=rscs
dchpacket lcgn=0 dbit=off craddr=off chargereq=off chargeacc=off packetlen=off\
windows=off
vpn off
vpnopt vpnlog=off
vpnparam retrytimer=20 retrymax=1 newsai=90 newsar=30 p1lifesec=0
rgrouping off preference=0 udpport=55555 gipaddr=0.0.0.0 dupchktimer=3\
sendinterval=5 agingtimer=15 recvwaittimer=5
pathchk off pingtrial=2
remoteconfig off sendinterval=20 udpport=49152 ipaddr=0.0.0.0
unicastrip off
lcd chargeinfo=on
proxydns nameserverip=0.0.0.0,0.0.0.0 timeout=3 retry=2 ageout=1440
mail to= errorto= inform=
mail off
multiroute off
|
