3. F100 standalone redundancy, using a tunnel route
<Configuration conditions>
The configuration environment is as shown in the figure.
Relayed packets subject to IPsec and redundancy: 192.168.3.0/24 <-> 192.168.1.0/24
L3 monitoring target IP address: 192.168.1.1
Branch-side ISDN interface IP address: 192.168.100.3
IPsec Phase 1 policy: Pre-shared Key, DES/MD5, Oakley Group 2
IPsec Phase 2 policy: DES/HMAC-MD5, PFS (Group 2)
Note: the algorithms in this sample (single DES, MD5/HMAC-MD5) and ISAKMP aggressive mode with a pre-shared key are kept only to match the configurations below. Single DES has a 56-bit key, MD5 is obsolete, and aggressive mode sends the identity in the clear and exposes a PSK-derived hash to offline guessing; in a deployment, select the strongest cipher and hash the peers support, use main mode, and choose a long random pre-shared key instead of a short word such as the "mucho" used here.
Router> enable
Enter password: super      <- enter the password (it is not actually echoed)
Router#
Router# configure terminal
!
!
! Configure the route to the center (host route to the L3 monitoring target via pppoe 1).
!
Router(config)#ip route 192.168.1.1 255.255.255.255 pppoe 1
Router(config)#
!
!
! Register the access list used for NAT.
!
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255
Router(config)#
!
!
! Configure ProxyDNS.
!
Router(config)#proxydns mode v4
Router(config)#
!
!
! Configure the DHCP server.
!
Router(config)#service dhcp-server
Router(config)#
Router(config)#ip dhcp pool lan1
Router(config-dhcp-pool)# dns-server 0.0.0.0
Router(config-dhcp-pool)# default-router 0.0.0.0
Router(config-dhcp-pool)#exit
Router(config)#
!
!
! Configure the VPN.
!
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 192.168.3.0 0.0.0.255 any
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
Router(config)#
Router(config)#crypto isakmp policy 1
Router(config-isakmp)# authentication prekey
Router(config-isakmp)# encryption des
Router(config-isakmp)# hash md5
Router(config-isakmp)# idtype-pre userfqdn
Router(config-isakmp)# key ascii mucho
Router(config-isakmp)# my-identity f100kyoten
Router(config-isakmp)# negotiation-mode aggressive
Router(config-isakmp)# peer-identity address 192.168.1.1
Router(config-isakmp)#exit
Router(config)#
Router(config)#crypto map kyoten 1
Router(config-crypto-map)# match address 1
Router(config-crypto-map)# set peer address 192.168.1.1
Router(config-crypto-map)# set transform-set P2-des-md5
Router(config-crypto-map)#exit
Router(config)#
!
!
! Configure L3 monitoring.
!
Router(config)#redundancy pathcheck-list 1
Router(config-red-pathcheck-list 1)# ip address 192.168.1.1
Router(config-red-pathcheck-list 1)# route pppoe 1
Router(config-red-pathcheck-list 1)# source-interface lan 1
Router(config-red-pathcheck-list 1)#exit
Router(config)#
!
!
! Configure the packets subject to redundancy (the pathfilter-list references pathcheck-list 1 defined above).
!
Router(config)#redundancy pathfilter-list 1
Router(config-red-pathfilter-list 1)# destination 0.0.0.0 0.0.0.0
Router(config-red-pathfilter-list 1)# pathcheck-list 1
Router(config-red-pathfilter-list 1)# 1st pppoe 1
Router(config-red-pathfilter-list 1)# 2nd dialer 1
Router(config-red-pathfilter-list 1)# exit
!
!
! Configure dial-up.
!
Router(config)#interface bri 1
Router(config-if bri 1)#exit
Router(config)#
Router(config)#interface dialer 1
Router(config-if dialer 1)# dialer map ip broadcast 0123456798
Router(config-if dialer 1)# dialer interface bri 1
Router(config-if dialer 1)# ip address 192.168.100.3 255.255.255.0
Router(config-if dialer 1)# ip nat inside source list 1 interface
Router(config-if dialer 1)#exit
Router(config)#
!
!
! Configure the LAN-side IP address.
!
Router(config)#interface lan 1
Router(config-if lan 1)# ip address 192.168.3.1 255.255.255.0
Router(config-if lan 1)#exit
Router(config)#
!
!
! Configure PPPoE.
!
Router(config)#interface pppoe 1
Router(config-if pppoe 1)# crypto map kyoten
Router(config-if pppoe 1)# ip nat inside source list 1 interface
Router(config-if pppoe 1)# pppoe server ProviderA
Router(config-if pppoe 1)# pppoe account user@xxxx.ne.jp secret
Router(config-if pppoe 1)# pppoe type host
Router(config-if pppoe 1)# exit
Router(config)#end
Router# save SIDE-A.cfg
% saving working-config
% finished saving
<Center-side FITELnet-F100 configuration>
After running "clear working.cfg", paste the following configuration.
ip route 192.168.3.0 255.255.255.0 pppoe 1
ip route 192.168.100.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.3
access-list 1 permit 192.168.1.0 0.0.0.255
proxydns mode v4
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip any 192.168.3.0 0.0.0.255
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
service dhcp-server
hostname F100_1
ip dhcp pool lan1
 dns-server 0.0.0.0
 default-router 0.0.0.0
 exit
interface lan 1
 ip address 192.168.1.1 255.255.255.0
 ip rip receive version 1
 exit
interface pppoe 1
 crypto map kyoten
 ip nat inside source list 1 interface
 pppoe server A-Provider
 pppoe account f100@furukawa.co.jp
 pppoe type host
 exit
crypto isakmp policy 2
 authentication prekey
 encryption des
 hash md5
 idtype-pre userfqdn
 key ascii mucho
 negotiation-mode aggressive
 peer-identity host f100kyoten
 exit
crypto map kyoten 1
 match address 1
 set peer host f100kyoten
 set transform-set P2-des-md5
 exit
crypto security-association tunnel-route interface pppoe 1
exit
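As an added example (not vendor tooling and not part of the original page), the script below parses the VPN-related lines of the two F100 configurations above, flags the DES/MD5/aggressive-mode/short-PSK settings this sample uses, and checks the parameters that have to agree between the branch and the center: the branch `my-identity` against the center `peer-identity host`, the pre-shared key, and the Phase 2 proposals behind the shared crypto map name. The 20-character PSK threshold and the command subset it understands are assumptions; the embedded sample configs are constructed from the lines on this page.

```python
"""Audit branch and center FITELnet-F100 IPsec settings for weak algorithms and for
parameters that must agree on both ends. Added example; understands only this page's commands."""
import re

PROMPT = re.compile(r"^Router(?:\([^)]*\))?#\s?")  # "Router(config-isakmp)# " -> ""
WEAK_ENC = {"des", "esp-des"}         # single DES, 56-bit key
WEAK_HASH = {"md5", "esp-md5-hmac"}   # MD5 / HMAC-MD5
MIN_PSK_LEN = 20                      # assumption: site policy, not a device limit


def parse_f100(text):
    """Collect isakmp policies, transform-sets and crypto maps from F100 config text."""
    cfg = {"isakmp": {}, "transform": {}, "cryptomap": {}}
    ctx = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = cfg["isakmp"].setdefault(w[3], {})
        elif w[:2] == ["crypto", "map"] and len(w) == 4:      # "crypto map NAME SEQ"
            ctx = cfg["cryptomap"].setdefault(w[2], {})
        elif w[:2] == ["ipsec", "transform-set"]:
            cfg["transform"][w[2]] = w[3:]
        elif w[0] == "exit":
            ctx = None
        elif ctx is not None:   # "key ascii X" -> key:[ascii,X]; "set peer host X" -> peer:[host,X]
            ctx[w[1] if w[0] == "set" else w[0]] = w[2:] if w[0] == "set" else w[1:]
    return cfg


def audit(cfg, label):
    """One finding string per weak Phase 1 / Phase 2 setting."""
    out = []
    for pid, p in cfg["isakmp"].items():
        where, g = f"{label} isakmp policy {pid}", lambda k: p.get(k, [""])[0]
        for opt, weak in (("encryption", WEAK_ENC), ("hash", WEAK_HASH)):
            if g(opt) in weak:
                out.append(f"{where}: weak Phase 1 {opt} '{g(opt)}'")
        if g("negotiation-mode") == "aggressive" and g("authentication") == "prekey":
            out.append(f"{where}: aggressive mode with PSK (identity sent in clear, "
                       "PSK-derived hash exposed to offline guessing)")
        key = p.get("key", [])
        if len(key) == 2 and key[0] == "ascii" and len(key[1]) < MIN_PSK_LEN:
            out.append(f"{where}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    for name, algs in cfg["transform"].items():
        out += [f"{label} transform-set {name}: weak Phase 2 algorithm '{a}'"
                for a in algs if a in WEAK_ENC | WEAK_HASH]
    return out


def cross_check(branch, center):
    """Settings that must match between the ends (this page has one policy per side)."""
    out = []
    b = next(iter(branch["isakmp"].values()), {})
    c = next(iter(center["isakmp"].values()), {})
    # Center identifies the branch by userfqdn: "peer-identity host X" must equal branch "my-identity X".
    if c.get("peer-identity", [])[1:] != b.get("my-identity"):
        out.append(f"identity mismatch: center expects {c.get('peer-identity')}, "
                   f"branch sends {b.get('my-identity')}")
    if b.get("key") != c.get("key"):
        out.append("pre-shared keys differ")
    for name, bm in branch["cryptomap"].items():
        cm = center["cryptomap"].get(name, {})
        bset = branch["transform"].get(bm.get("transform-set", [""])[0], [])
        cset = center["transform"].get(cm.get("transform-set", [""])[0], [])
        if set(bset) != set(cset):
            out.append(f"crypto map {name}: Phase 2 proposals differ ({bset} vs {cset})")
    return out


# Constructed samples: the VPN-related lines of the two F100 configs on this page.
BRANCH = """\
Router(config)#ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
Router(config)#crypto isakmp policy 1
Router(config-isakmp)# authentication prekey
Router(config-isakmp)# encryption des
Router(config-isakmp)# hash md5
Router(config-isakmp)# key ascii mucho
Router(config-isakmp)# my-identity f100kyoten
Router(config-isakmp)# negotiation-mode aggressive
Router(config-isakmp)#exit
Router(config)#crypto map kyoten 1
Router(config-crypto-map)# set transform-set P2-des-md5
Router(config-crypto-map)#exit
"""
CENTER = """\
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
crypto isakmp policy 2
authentication prekey
encryption des
hash md5
key ascii mucho
negotiation-mode aggressive
peer-identity host f100kyoten
exit
crypto map kyoten 1
set transform-set P2-des-md5
exit
"""
```

Running `audit(parse_f100(BRANCH), "branch")` on the page's own settings yields six findings (DES and MD5 in Phase 1, aggressive mode with a PSK, the five-character key, and esp-des plus esp-md5-hmac in Phase 2); `cross_check` returns an empty list because both ends agree, and reports a mismatch as soon as the key or the branch identity is changed on one side only.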
<Center-side FITELnet-E30 configuration>
After running "reset -d" (default restart), paste the following configuration.
Note: this sample leaves SNMP enabled ("snmp on") with the read-only community "public" accepted from any manager address ("manager add 1 addr=0.0.0.0 name=public mode=r"); restrict the manager address and change the community before deployment.
wan isdn single
hostname add 1 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 2 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 3 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 4 nameserver=off netbiosserver=off domainname="" defaultgw=off
target add name=3 dial=9876543210 key=nn, speed=64 continuouslimiter=600,on\
 callinglimiter=40,on cbmode=off dialcheckmask=0
isdn dialcheck=off recvcheck=off sendcheck=off multimode=off limiter=12\
 congestiontimer=1
isdn -1 dial=* dial2=* retrytimes=8 idletimer=60,60 target=2 mode=traffic\
 recvidletimer=off globalnumber=allow
isdn -2 dial=* dial2=* retrytimes=8 idletimer=60,60 target=3 recvidletimer=off\
 globalnumber=allow
isdn -dp dial=* dial2=* retrytimes=8 idletimer=60,60 recvidletimer=off\
 globalnumber=allow
iptarget add addr=192.168.100.3 name=3
targetinterface add name=2 interface=isdn1
ipripstatic add dst=192.168.3.0,255.255.255.0 nexthop=192.168.100.3 metric=16\
 preference=50
ipripstatic add dst=0.0.0.0,0.0.0.0 nexthop=192.168.1.3 metric=16 preference=50
identifier node="" manager="" location=""
loadsplit congestiontimer=1 lsplitcheckinterval=300 sendrate=90,60\
 recvrate=90,60 poolrate=90,60
connecttimer retry1=5 retry2=180 retry3=6
addrlist 3 add 1 dial=9876543210
datalink -hsd restarttimer=100 restarttimes=10 looptimer=10 watching=on\
 compress=off,rfc,nopfc vjcomp=31
datalink -1 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
 watching=off compress=off,rfc,nopfc vjcomp=31
datalink -2 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
 watching=off compress=off,rfc,nopfc vjcomp=31
datalink -async restarttimer=300 restarttimes=10 looptimer=30 interface=normal\
 compress=off,rfc,nopfc vjcomp=31
datalink -dp interface=normal
mtu off size=300
pppecho linktesttimeout=25 replytimer=5 intervaltimer=1
bridging off pvc=off filtering=off ageout=300 delay=200
prioritycontrol off fast=70 medium=20
interface ip lan addr=192.168.1.2,255.255.255.0 broadcast=192.168.1.255
interface ip hsd down
interface ip isdn1 addr=192.168.100.1,255.255.255.0 broadcast=192.168.100.255
interface ip isdn2 down
interface ip async down
interface ip dp down
async speed=57600 recvcheck=off sendcheck=off multimode=off limiter=off\
 idletimer=60,60 recvidletimer=off target=3
rtcontrol ip lan sendinterval=30 send=rip1 recv=rip1rip2 metric=0 ageout=180\
 rip2password=
rtcontrol ip hsd sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip isdn1 sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip isdn2 sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip async sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
iprouting on proxyarp=shortcut filtering=on sealed=off\
 sealedinterface=hsd,isdn1,isdn2,async,dp rip=off ifaccept=exclude\
 ifpropagate=exclude
ipfiltering -f add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
 srcport=0,65535 prot=all recvif=lan,hsd,isdn1,isdn2,async,dp\
 sendif=lan,hsd,isdn1,isdn2,async,dp full
ipfiltering -d add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
 srcport=137,139 prot=udp recvif=lan,hsd,isdn1,isdn2,async,dp\
 sendif=lan,hsd,isdn1,isdn2,async,dp full
snmp on authtrap=on
sntp off server=0.0.0.0,0.0.0.0 schedule=off,60 retryinterval=64 retryterm=1024
manager add 1 addr=0.0.0.0 name=public mode=r srcipaddr=normal
dhcpserver off gateway=on sendarpnum=16 arptimeout=10 sendarpcount=1\
 allocateaddr=0.0.0.0 allocatewidth=254 leasetime=infinity
syslogcontrol off autoconn=off
syslogtable addr=0.0.0.0 err=off warning=off info=off facility=1\
 srcipaddr=normal
bacp off protocol=new learning=off
rbod routing=normal audio=normal called=on calling=on
nat group=1 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=2 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=3 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
nat group=4 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
radius off auth=chappap maxretry=3 retryinterval=1
modem add init reqcmd=ATE0V0 rspcode=OK,0 timer=3,0
modem add disc reqcmd=ATH rspcode=OK,0 timer=3,0
modem dial=tone hdflow=rscs
dchpacket lcgn=0 dbit=off craddr=off chargereq=off chargeacc=off packetlen=off\
 windows=off
vpn off
vpnopt vpnlog=off
vpnparam retrytimer=20 retrymax=1 newsai=90 newsar=30 p1lifesec=0
rgrouping off preference=0 udpport=55555 gipaddr=0.0.0.0 dupchktimer=3\
 sendinterval=5 agingtimer=15 recvwaittimer=5
pathchk off pingtrial=2
remoteconfig off sendinterval=20 udpport=49152 ipaddr=0.0.0.0
unicastrip off
lcd chargeinfo=on
proxydns nameserverip=0.0.0.0,0.0.0.0 timeout=3 retry=2 ageout=1440
mail to= errorto= inform=
mail off
multiroute off