設定例  > IPsec負荷分散+冗長設定
設定例



2.F1000×2台、F100(PPPoEとEWANの2回線)でIPsec負荷分散を行う  



F1000-1側 192.168.3.1
F1000-2側 192.168.3.20
F100側 172.16.0.1
回線1 PPPoE1
回線2 EWAN2


<コマンド操作>

FITELnet-F1000-1の設定                                   この設定を適用したい方は
!
!
! LAN側IPアドレスを設定します。
!
Router> enable
Enter password: super ←パスワードを入力します。(実際は表示されない)

Router#
Router# configure terminal
Router(config)#
Router(config)# interface lan 1
Router(config-if lan 1)# ip address 192.168.3.1 255.255.255.0
Router(config-if lan 1)# exit
!
!
! PPPoE1インタフェース設定モードに移行します。
!
Router(config)# interface pppoe 1
Router(config-if pppoe 1)#
!
! 
! PPPoEの各種設定をします。
!
Router(config-if pppoe 1)# ip address 10.0.0.2
Router(config-if pppoe 1)# pppoe server A-Provider
Router(config-if pppoe 1)# pppoe account user@xxxx.ne.jp secret
Router(config-if pppoe 1)# pppoe type host
Router(config-if pppoe 1)# crypto map map1
Router(config-if pppoe 1)# exit
!
!
! RIPの設定をします。
!
Router(config)#router rip
Router(config-rip)# network lan 1
Router(config-rip)# redistribute local-prot1 route-map AAA
Router(config-rip)# exit
!
!
! 負荷分散用の設定をします。
!
Router(config)# route-map AAA permit 1
Router(config-rmap AAA permit 1)# set metric 6
Router(config-rmap AAA permit 1)# set weight 0
Router(config-rmap AAA permit 1)# exit
!
!
! ルート情報を設定します。
!
Router(config)# ip route 172.16.0.1 255.255.255.255 pppoe 1
!
!
! ホストネームを指定します。
!
Router(config)# hostname F1000-1
!
!
! 暗号化を使用する設定します。
!
Router(config)# vpn enable ewan 1
Router(config)# vpnlog enable
Router(config)#ipsec access-list 10 ipsec ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
Router(config)# ipsec access-list 64 bypass ip any any
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# authentication prekey
Router(config-isakmp)# key ascii furukawa
Router(config-isakmp)# peer-identity host kyoten1
Router(config-isakmp)# keepalive-icmp peer-address 172.16.0.1
Router(config-isakmp)# keepalive-icmp source-interface lan 1
Router(config-isakmp)# keepalive-icmp multi-path interface pppoe 1
Router(config-isakmp)# keepalive icmp always-send
Router(config-isakmp)# exit
Router(config)#crypto map map1 1
Router(config-crypto-map)# match address 10
Router(config-crypto-map)# set peer host kyoten1
Router(config-crypto-map)# sa-up route address 10.0.0.1 local-prot1 100
Router(config-crypto-map)# exit
Router(config)# crypto security-association
Router(config-crypto-sa)# tunnel-route interface pppoe 1
Router(config-crypto-sa)# exit
Router(config)# end
Router# save SIDE-A.cfg
% saving working-config
% finished saving



FITELnet-F1000-2の設定 
ip route 192.168.100.1 255.255.255.255 192.168.200.2
ip route 172.16.0.1 255.255.255.255 192.168.200.2
!
vpn enable ewan 1
vpnlog enable
!
ipsec access-list 10 ipsec ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
!
hostname F1000-2
!
interface ewan 1
 crypto map map2
 ip address 192.168.200.1 255.255.255.0
exit
interface lan 1
 ip address 192.168.3.20 255.255.255.0
exit
!
crypto isakmp policy 1
 authentication prekey
 keepalive icmp always-send
 keepalive-icmp peer-address 172.16.0.1
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path address 192.168.200.2
 key ascii furukawa
 peer-identity address 192.168.100.1
exit
crypto map map2 1
 match address 10
 set peer address 192.168.100.1
 sa-up route address 192.168.200.2 local-prot2 150
exit
!
route-map AAA permit 1
 set metric 10
 set weight 0
exit
!
router rip
 network lan 1
 redistribute local-prot2 route-map AAA
exit
!
end



FITELnet-F100の設定 

ip route 10.0.0.2 255.255.255.255 pppoe 1
ip route 192.168.200.1 255.255.255.255 192.168.100.2
!
access-list 99 permit any
!
vpn enable
vpnlog enable
!
ipsec access-list 32 ipsec ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
ipsec access-list 64 bypass ip any any
!
service dhcp-server
!
hostname F100-1
!
ip dhcp pool lan1
 default-router 172.16.0.1
exit
interface ewan 2
 crypto map map2
 ip address 192.168.100.1 255.255.255.0
exit
interface lan 1
 ip address 172.16.0.1 255.255.0.0
exit
interface pppoe 1
 crypto map map1
 ip nat inside source list 99 interface
 pppoe server test
 pppoe account xyz@furukawa.co.jp xyz
 pppoe type host
exit
!
crypto isakmp policy 1
 keepalive icmp always-send
 keepalive-icmp peer-address 192.168.3.1
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path interface pppoe 1
 key ascii furukawa
 negotiation-mode aggressive
 my-identity kyoten1
 peer-identity address 10.0.0.2
exit
crypto isakmp policy 2
 keepalive icmp always-send
 keepalive-icmp peer-address 192.168.3.20
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path address 192.168.100.2
 key ascii furukawa
 peer-identity address 192.168.200.1
exit
crypto map map1 1
 match address 32 multi-path
 set peer address 10.0.0.2
 set security-association always-up
 sa-up route interface pppoe 1
exit
crypto map map2 2
 match address 32 multi-path
 set peer address 192.168.200.1
 set security-association always-up
 sa-up route address 192.168.100.2
exit
crypto security-association
 alive freq 30
exit
!
end



ページトップへ