Configuration example: IPsec load balancing with redundancy
2. IPsec load balancing with two F1000 units and one F100 over two lines (PPPoE and EWAN)
Device / line   | LAN address / circuit
F1000-1 side    | 192.168.3.1
F1000-2 side    | 192.168.3.20
F100 side       | 172.16.0.1
Line 1          | PPPoE1
Line 2          | EWAN2
FITELnet-F1000-1 configuration
!
!
! Configure the LAN-side IP address.
!
Router> enable
Enter password: super          <- Type the password (it is not echoed on screen).
Router#
Router# configure terminal
Router(config)#
Router(config)# interface lan 1
Router(config-if lan 1)# ip address 192.168.3.1 255.255.255.0
Router(config-if lan 1)# exit
!
!
! Enter PPPoE1 interface configuration mode.
!
Router(config)# interface pppoe 1
Router(config-if pppoe 1)#
!
!
! Configure the PPPoE settings.
!
Router(config-if pppoe 1)# ip address 10.0.0.2
Router(config-if pppoe 1)# pppoe server A-Provider
Router(config-if pppoe 1)# pppoe account user@xxxx.ne.jp secret
Router(config-if pppoe 1)# pppoe type host
Router(config-if pppoe 1)# crypto map map1
Router(config-if pppoe 1)# exit
!
!
! Configure RIP.
!
Router(config)# router rip
Router(config-rip)# network lan 1
Router(config-rip)# redistribute local-prot1 route-map AAA
Router(config-rip)# exit
!
!
! Configure the load-balancing settings.
!
Router(config)# route-map AAA permit 1
Router(config-rmap AAA permit 1)# set metric 6
Router(config-rmap AAA permit 1)# set weight 0
Router(config-rmap AAA permit 1)# exit
!
!
! Configure the route information.
!
Router(config)# ip route 172.16.0.1 255.255.255.255 pppoe 1
!
!
! Specify the host name.
!
Router(config)# hostname F1000-1
!
!
! Configure encryption (IPsec).
!
Router(config)# vpn enable ewan 1
Router(config)# vpnlog enable
Router(config)# ipsec access-list 10 ipsec ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
Router(config)# ipsec access-list 64 bypass ip any any
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# authentication prekey
Router(config-isakmp)# key ascii furukawa
Router(config-isakmp)# peer-identity host kyoten1
Router(config-isakmp)# keepalive-icmp peer-address 172.16.0.1
Router(config-isakmp)# keepalive-icmp source-interface lan 1
Router(config-isakmp)# keepalive-icmp multi-path interface pppoe 1
Router(config-isakmp)# keepalive icmp always-send
Router(config-isakmp)# exit
Router(config)# crypto map map1 1
Router(config-crypto-map)# match address 10
Router(config-crypto-map)# set peer host kyoten1
Router(config-crypto-map)# sa-up route address 10.0.0.1 local-prot1 100
Router(config-crypto-map)# exit
Router(config)# crypto security-association
Router(config-crypto-sa)# tunnel-route interface pppoe 1
Router(config-crypto-sa)# exit
Router(config)# end
Router# save SIDE-A.cfg
% saving working-config
% finished saving
FITELnet-F1000-2 configuration
ip route 192.168.100.1 255.255.255.255 192.168.200.2
ip route 172.16.0.1 255.255.255.255 192.168.200.2
!
vpn enable ewan 1
vpnlog enable
!
ipsec access-list 10 ipsec ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
!
hostname F1000-2
!
interface ewan 1
 crypto map map2
 ip address 192.168.200.1 255.255.255.0
exit
interface lan 1
 ip address 192.168.3.20 255.255.255.0
exit
!
crypto isakmp policy 1
 authentication prekey
 keepalive icmp always-send
 keepalive-icmp peer-address 172.16.0.1
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path address 192.168.200.2
 key ascii furukawa
 peer-identity address 192.168.100.1
exit
crypto map map2 1
 match address 10
 set peer address 192.168.100.1
 sa-up route address 192.168.200.2 local-prot2 150
exit
!
route-map AAA permit 1
 set metric 10
 set weight 0
exit
!
router rip
 network lan 1
 redistribute local-prot2 route-map AAA
exit
!
end
FITELnet-F100 configuration
ip route 10.0.0.2 255.255.255.255 pppoe 1
ip route 192.168.200.1 255.255.255.255 192.168.100.2
!
access-list 99 permit any
!
vpn enable
vpnlog enable
!
ipsec access-list 32 ipsec ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
ipsec access-list 64 bypass ip any any
!
service dhcp-server
!
hostname F100-1
!
ip dhcp pool lan1
 default-router 172.16.0.1
exit
interface ewan 2
 crypto map map2
 ip address 192.168.100.1 255.255.255.0
exit
interface lan 1
 ip address 172.16.0.1 255.255.0.0
exit
interface pppoe 1
 crypto map map1
 ip nat inside source list 99 interface
 pppoe server test
 pppoe account xyz@furukawa.co.jp xyz
 pppoe type host
exit
!
crypto isakmp policy 1
 keepalive icmp always-send
 keepalive-icmp peer-address 192.168.3.1
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path interface pppoe 1
 key ascii furukawa
 negotiation-mode aggressive
 my-identity kyoten1
 peer-identity address 10.0.0.2
exit
crypto isakmp policy 2
 keepalive icmp always-send
 keepalive-icmp peer-address 192.168.3.20
 keepalive-icmp source-interface lan 1
 keepalive-icmp multi-path address 192.168.100.2
 key ascii furukawa
 peer-identity address 192.168.200.1
exit
crypto map map1 1
 match address 32
 multi-path
 set peer address 10.0.0.2
 set security-association always-up
 sa-up route interface pppoe 1
exit
crypto map map2 2
 match address 32
 multi-path
 set peer address 192.168.200.1
 set security-association always-up
 sa-up route address 192.168.100.2
exit
crypto security-association
 alive freq 30
exit
!
end
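A consistency check over the F1000-1 and F100 configurations above, added here as an example (Python, not part of the original page and not a FITELnet tool): it verifies that the ipsec access-list selector on one side is the exact mirror of the selector on the other, and that every peer-identity one side expects is an identity the other side actually presents (its my-identity or an interface address). The config excerpts are constructed from the values on this page, and F100_BAD is a constructed misconfiguration in which the F100 narrows its local selector to a /24.

```python
import re
from ipaddress import IPv4Network
# Constructed excerpts of the F1000-1 and F100 configs shown above (sample input).
F1000_1 = """
interface pppoe 1
 ip address 10.0.0.2
ipsec access-list 10 ipsec ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
crypto isakmp policy 1
 peer-identity host kyoten1
"""
F100 = """
interface ewan 2
 ip address 192.168.100.1 255.255.255.0
ipsec access-list 32 ipsec ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 my-identity kyoten1
 peer-identity address 10.0.0.2
"""
# Constructed misconfiguration: the F100 protects only 172.16.0.0/24, not the /16.
F100_BAD = F100.replace("172.16.0.0 0.0.255.255", "172.16.0.0 0.0.0.255")

SELECTOR = re.compile(r"ipsec access-list \d+ ipsec ip (\S+) (\S+) (\S+) (\S+)")

def selectors(cfg):
    """(src, dst) network pairs protected by the config's 'ipsec' access-list entries."""
    out = set()
    for src, wsrc, dst, wdst in SELECTOR.findall(cfg):
        # The entries use wildcard (inverted) masks; ipaddress accepts those as hostmasks.
        out.add((IPv4Network(f"{src}/{wsrc}"), IPv4Network(f"{dst}/{wdst}")))
    return out

def unmirrored(local_cfg, remote_cfg):
    """Local selectors that the remote side does not protect in the reverse direction."""
    remote = {(dst, src) for src, dst in selectors(remote_cfg)}
    return sorted(f"{s}->{d}" for s, d in selectors(local_cfg) - remote)

def peer_identities(cfg):
    """Identities this side expects from its peers (peer-identity host/address)."""
    return set(re.findall(r"peer-identity (?:host|address) (\S+)", cfg))

def own_identities(cfg):
    """Identities a peer may use for this side: my-identity values and interface addresses."""
    ids = set(re.findall(r"my-identity (\S+)", cfg))
    ids |= set(re.findall(r"^\s*ip address (\S+)", cfg, re.MULTILINE))
    return ids

def unknown_peers(local_cfg, remote_cfg):
    """peer-identity values on the local side that the remote side never presents."""
    return sorted(peer_identities(local_cfg) - own_identities(remote_cfg))
```

Run `unmirrored` and `unknown_peers` in both directions for each F1000/F100 pair; an empty list in all four calls means the selectors and identities are symmetric.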