!
! Hostname F220: LAN-side unit that breaks out the lbo-profile PROF1 domains
! locally via 10.0.0.2. The original was a single flattened line; it is laid out
! here one command per line with reviewer remarks marked NOTE(review).
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
hardware-fault-detection action reboot
!
local-breakout enable
local-breakout PROF1 10.0.0.2
!
lbo-profile PROF1
 dns-snooping enable
 dns-snooping expire 300
 domain *.example1.com
 domain *.example2.com
exit
!
! Syslog and NTP both use 172.30.20.229.
logging fixed-facility local7
logging host 172.30.20.229 level informational
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
ntp server 172.30.20.229
!
! NOTE(review): privilege-15 account whose secret is stored as a $1$ (MD5-crypt
! style) hash. Prefer a stronger hash type if this platform offers one, and
! confirm that an account named "test" is intended for production - TODO confirm.
username test privilege 15 password 2 $1$0waS9.Pg$EBfAUoLq.p3tbMBuJARAo0
!
hostname F220
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
exit
!
interface Port-channel 1
 ip address 10.128.0.1 255.255.255.0
exit
!
interface Port-channel 2
 ip address 10.0.0.254 255.255.255.0
 dns-snooping enable
exit
!
! NOTE(review): on IOS-style CLIs "exec-timeout 0" usually disables the idle
! timeout - confirm the semantics on this platform and set a finite value, at
! least on the remote-access (telnet) line.
line console
 exec-timeout 0
 authorization exec default local
exit
!
! NOTE(review): telnet is cleartext. This line has no explicit authorization
! entry and presumably relies on the global "aaa authentication login default
! local" - confirm. Restrict management sources and prefer an encrypted
! management protocol if the platform supports one.
line telnet
 exec-timeout 0
exit
!
end
!
!
! Hostname CENTER: hub side of the IPsec tunnel to KYOTEN, carried over a PPPoE
! uplink (Tunnel 1). Laid out one command per line; reviewer remarks are marked
! NOTE(review).
!
! Tunnel 1 inbound filter: only IKE (udp/500) and ESP (protocol 50) addressed to
! the local tunnel address 192.0.2.1 are permitted by 100; 111 drops the rest.
! 121 ("spi") is applied outbound on Tunnel 1 - presumably stateful inspection
! for return traffic; confirm against the platform documentation.
access-list 100 permit udp any eq 500 192.0.2.1 0.0.0.0 eq 500
access-list 100 permit 50 any 192.0.2.1 0.0.0.0
access-list 111 deny ip any any
access-list 121 spi ip any any
!
! 192.168.1.0/24 is reached via Tunnel 2; the distance-250 null route is
! presumably a floating black-hole so the prefix does not leak to the default
! gateway while Tunnel 2 is down.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 192.168.1.0 255.255.255.0 tunnel 2
ip route 192.168.1.0 255.255.255.0 null 0 250
!
hostname CENTER
!
crypto ipsec policy P2-POLICY
 set pfs group14
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set ip df-bit 0
 set ip fragment post
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
! NOTE(review): the flattened source does not show whether "logging level
! informational" belongs to the keepalive command or is a separate line; it is
! kept as one line here - confirm against the running configuration.
crypto isakmp keepalive logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp tunnel-route ip interface tunnel 1
!
! NOTE(review): IKEv1 aggressive mode with a pre-shared key sends the identity
! and the PSK-based authentication hash before the exchange is encrypted, which
! exposes the PSK to offline guessing. Use main mode or IKEv2 where both ends
! support it; otherwise keep the PSK long and random.
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
! NOTE(review): local-key holds the PSK in cleartext; treat saved configs and
! backups as secrets.
crypto isakmp profile PROF0001
 match identity user id-kyoten
 local-address 192.0.2.1
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map KYOTEN ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.0.254 255.255.255.0
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip address 192.0.2.1 255.255.255.255
 ip access-group 100 in
 ip access-group 111 in
 ip access-group 121 out
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map KYOTEN
 link-state sync-sa
exit
!
! NOTE(review): PPPoE credentials are stored in cleartext (masked in this copy).
pppoe profile PPPOE_PROF
 account abc012@***.***.ne.jp xxxyyyzzz
exit
!
end
!
! Hostname KYOTEN: branch side of the IPsec tunnel to CENTER over a PPPoE uplink
! (Tunnel 1), with NAT on the uplink and local breakout of the LBO1 profile.
! Laid out one command per line; reviewer remarks are marked NOTE(review).
!
! Tunnel 1 inbound filter: only IKE (udp/500) and ESP (protocol 50) from the
! CENTER address 192.0.2.1 are permitted by 100; 111 drops the rest. 121 ("spi")
! is applied outbound - presumably stateful inspection for return traffic;
! confirm against the platform documentation.
access-list 100 permit udp 192.0.2.1 0.0.0.0 eq 500 any eq 500
access-list 100 permit 50 192.0.2.1 0.0.0.0 any
access-list 111 deny ip any any
access-list 121 spi ip any any
!
! Host route to the CENTER peer over the PPPoE tunnel; all other traffic is sent
! into the IPsec tunnel (Tunnel 2) unless local breakout applies.
ip route 192.0.2.1 255.255.255.255 tunnel 1
ip route 0.0.0.0 0.0.0.0 tunnel 2
ip name-server 192.168.0.100
ip name-server source-interface port-channel 1
ip nat list 1 192.168.1.0 0.0.0.255
!
ip dhcp server-profile lan1
 address 192.168.1.1 192.168.1.200
 lease-time 28800
 dns 192.168.0.100
 gateway 192.168.1.254
exit
!
crypto ipsec policy P2-POLICY
 set pfs group14
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set ip df-bit 0
 set ip fragment post
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
! NOTE(review): the flattened source does not show whether "logging level
! informational" belongs to the keepalive command or is a separate line; it is
! kept as one line here - confirm against the running configuration.
crypto isakmp keepalive logging level informational
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
hostname KYOTEN
!
! NOTE(review): IKEv1 aggressive mode with a pre-shared key sends the identity
! and the PSK-based authentication hash before the exchange is encrypted, which
! exposes the PSK to offline guessing. Use main mode or IKEv2 where both ends
! support it; otherwise keep the PSK long and random.
crypto isakmp policy P1-POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode aggressive
exit
!
! NOTE(review): local-key holds the PSK in cleartext; treat saved configs and
! backups as secrets.
crypto isakmp profile PROF0001
 self-identity user-fqdn id-kyoten
 set isakmp-policy P1-POLICY
 set ipsec-policy P2-POLICY
 set peer 192.0.2.1
 ike-version 1
 local-key SECRET-VPN
exit
!
crypto map CENTER ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF0001
exit
!
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 pppoe enable
exit
!
interface Port-channel 1
 ip address 192.168.1.254 255.255.255.0
 ip dhcp service server
 ip dhcp server-profile lan1
 mss 1300
exit
!
interface Tunnel 1
 description FLETS
 ip access-group 100 in
 ip access-group 111 in
 ip access-group 121 out
 ip nat inside source list 1 interface
 tunnel mode pppoe profile PPPOE_PROF
 pppoe interface gigaethernet 2/1
exit
!
interface Tunnel 2
 tunnel mode ipsec map CENTER
 dns-snooping enable
exit
!
! NOTE(review): PPPoE credentials are stored in cleartext (masked in this copy).
pppoe profile PPPOE_PROF
 account abc345@***.***.ne.jp zzzyyyxxx
exit
!
! Local breakout: traffic matched by lbo-profile LBO1 leaves directly via
! Tunnel 1 (NAT'd PPPoE uplink) instead of the IPsec tunnel. NOTE(review): that
! traffic bypasses the tunnel's protection and any CENTER-side controls -
! confirm the breakout scope (o365, dns-snooping) is what is intended.
local-breakout enable
local-breakout LBO1 tunnel 1
!
lbo-profile LBO1
 o365 enable
 dns-snooping enable
exit
!
end