! ---------------------------------------------------------------------------
! IPsecGW1: hub-side IPsec/IKEv2 gateway. Terminates site tunnels over an IPv6
! WAN (Port-channel 2), acts as group-security server (HA pair with IPsecGW2,
! this unit priority 254) and as iBGP route reflector in AS 65000.
! ---------------------------------------------------------------------------
!
! WAN inbound allow-list, applied on GigaEthernet 2/1: IPv6 ND (NA/NS/RA),
! DHCPv6 client replies (UDP 546), IKE (UDP 500 <-> 500) and ESP (protocol 50).
! Everything else is dropped by 4009. UDP 4500 (IKE NAT-T) is not opened, so
! the IPv6 path must be NAT-free -- NOTE(review): confirm.
access-list 4000 permit icmp6 any any neighbor-advertisement
access-list 4000 permit icmp6 any any neighbor-solicitation
access-list 4000 permit icmp6 any any router-advertisement
access-list 4000 permit udp any any eq 546
access-list 4000 permit udp any eq 500 any eq 500
access-list 4000 permit 50 any any
access-list 4009 deny ipv6 any any
! NOTE(review): "spi" on the outbound list presumably enables stateful
! inspection so that replies to outbound traffic are admitted; confirm in the
! vendor reference.
access-list 4010 spi ipv6 any any
!
! Host route to the HA partner's loopback over the LAN link.
ip route 172.16.0.2 255.255.255.255 192.168.0.2
!
! IPv6 default route taken from DHCPv6/RA on the WAN port-channel.
ipv6 route ::/0 dhcp port-channel 2
!
! DHCPv6 client profile: only asks for DNS servers, retries forever.
ipv6 dhcp client-profile ipv6dns_client
 option-request dns-server
 retries infinity
exit
!
! NOTE(review): logs are kept in the local buffer only; no remote syslog host
! is configured in this excerpt, so the IKE failure/session logs enabled below
! do not survive a reload. Add a syslog destination if it is not set elsewhere.
logging buffer level informational
!
hostname IPsecGW1
!
! NOTE(review): ESP anti-replay checking is disabled, so replayed ESP packets
! are not rejected here. Presumably required because group-security SAs are
! shared by several senders; confirm the design needs it before keeping it.
crypto ipsec replay-check disable
! Presumably keeps an SA usable past ESP sequence-number wrap instead of
! forcing a rekey -- confirm.
crypto ipsec sequence-overflow disable
!
! Point-to-point IPsec policy: PFS with DH group 14, AES-256 / HMAC-SHA-256,
! 8-hour SA lifetime, DF bit cleared and post-encryption fragmentation.
crypto ipsec policy IPsec_POLICY
 set pfs group14
 set security-association rekey always
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set ip df-bit 0
 set ip fragment post
 ! Presumably installs the tunnel route when the SA comes up -- confirm.
 sa-up route
exit
!
! Any-to-any IPv4 selector: the hub accepts whatever traffic selectors the
! sites propose (the sites narrow it to their own loopback).
crypto ipsec selector SELECTOR1
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
! Group-security (shared-SA) policy: AES-256 / HMAC-SHA-256, 10-minute
! lifetime, soft limit 60 s before expiry. The SPI mask value comes from the
! service design (the second word differs between the two hubs).
crypto ipsec group-security policy GSA_POLICY
 set security-association transform esp-aes esp-sha256-hmac
 set security-association transform-keysize aes 256
 set security-association lifetime seconds 600
 set security-association softlimit seconds 60 rollover 30 30
 spi mask hex ffcfffff 00200000
exit
!
! Group-security server HA: keepalives with IPsecGW2 between the loopbacks,
! 10 s interval / 20 s timeout; this unit is preferred (254 > 253).
crypto group-security server ha local-address 172.16.0.1 remote-address 172.16.0.2
crypto group-security server ha keepalive-interval 10
crypto group-security server ha keepalive-timeout 20
crypto group-security server priority 254
! IKE dead-peer detection every 60 s, sent regardless of traffic.
crypto isakmp keepalive interval 60 always-send
! IKE session, negotiation-failure and GSA logging -- keep these on; they are
! the main detection signal for tunnel problems and authentication failures.
crypto isakmp log session detail
crypto isakmp log negotiation-fail
crypto isakmp log gsa
!
! IKE policy: PSK authentication, AES-256, DH group 14, SHA-256, 24 h lifetime.
! "256 256 256" is presumably min/max/default key size -- confirm.
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
exit
!
! IKEv2 profile used by the dynamic map; identity is the hub FQDN.
! NOTE(review): "SecretKey" is a placeholder -- replace it with a long random
! secret before deployment. One shared PSK serves every site through the single
! dynamic map, so a compromised site exposes the credential for all of them.
crypto isakmp profile ISAPROF_1
 self-identity fqdn IPsecGW1.example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set group-security-policy GSA_POLICY
 ike-version 2
 local-key SecretKey
exit
!
! Release the session 1 s after the IPsec SA is lost and send a DELETE on
! reset so the peer does not keep a stale SA -- semantics presumed, confirm.
crypto session release ipsec-lost-time 1
crypto session release reset delete-send
!
! Dynamic crypto map: responder side, any site matching SELECTOR1 may connect.
crypto map MAP_1 ipsec-isakmp dynamic
 match address SELECTOR1
 set isakmp-profile ISAPROF_1
exit
!
! LAN-side physical port (VLAN 1 -> Port-channel 1).
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
! WAN-side physical port (VLAN 2 -> Port-channel 2) carrying the IPv6 filters.
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
 ipv6 access-group 4000 in
 ipv6 access-group 4009 in
 ipv6 access-group 4010 out
exit
!
! Loopback used as BGP router-id, iBGP update source and HA address.
interface Loopback 1
 ip address 172.16.0.1
exit
!
! WAN port-channel: SLAAC + DHCPv6 client, and a DDNS update (http-client 1)
! 10 s after the address changes and every 60 s afterwards.
interface Port-channel 2
 ipv6 enable
 ipv6 address autoconfig
 ipv6 nd receive-ra
 ipv6 dhcp service client
 ipv6 dhcp client-profile ipv6dns_client
 mtu 1500
 ddns-client address ipv6 action http-client 1 delay 10 interval 60
exit
!
! LAN port-channel towards the PE router (192.168.0.254) and IPsecGW2.
interface Port-channel 1
 ip address 192.168.0.1 255.255.255.0
exit
!
! iBGP AS 65000: eBGP to the PE, passive dynamic iBGP sessions from the sites.
! NOTE(review): dynamic peers are accepted from any IPv4 source (0.0.0.0/0)
! with no neighbor password; session protection rests entirely on the site
! loopbacks being reachable only through IPsec. Narrow the listen range to the
! site loopback block and add a neighbor password if the platform supports it.
router bgp 65000
 bgp router-id 172.16.0.1
 bgp log-neighbor-changes
 bgp listen range 0.0.0.0/0 peer-group PEER_GROUP_1
 neighbor 192.168.0.254 remote-as 65001
 neighbor PEER_GROUP_1 passive
 neighbor PEER_GROUP_1 remote-as 65000
 neighbor PEER_GROUP_1 update-source loopback 1
 neighbor PEER_GROUP_1 peer-group
 !
 address-family ipv4 unicast
  ! Sites are route-reflector clients; next-hop validation is off, presumably
  ! because the next hops sit behind the tunnels -- confirm.
  neighbor 192.168.0.254 route-map RMAP_LAN_LOCPRF_SET in
  neighbor 192.168.0.254 route-map RMAP_PE_MED_SET out
  neighbor PEER_GROUP_1 route-reflector-client
  neighbor PEER_GROUP_1 disable-nexthop-validation
  redistribute connected route-map RMAP_LAN_LOCPRF_SET
 exit
 !
exit
!
! GW1 is the preferred hub: higher local-preference inbound (200) and lower
! MED outbound (100) than IPsecGW2.
route-map RMAP_LAN_LOCPRF_SET permit 1
 set local-preference 200
exit
!
route-map RMAP_PE_MED_SET permit 1
 set metric 100
exit
!
! DDNS renewal over HTTPS. The URL carries the DDNS host key (<ホストキー> is
! the placeholder to fill in), so treat this line as a credential; with
! "logging on" the request may be written to the log buffer.
! NOTE(review): no trust anchor for the server certificate is visible here --
! confirm the client validates it.
http-client 1
 request-timeout 10
 retry 5
 method 1 get url https://ddnsapi-v6.e-ntt.jp/api/renew/ <ホストキー> $i6
 reference-interface port-channel 2
 source-interface port-channel 2
 logging on
exit
!
end
! ---------------------------------------------------------------------------
! IPsecGW2: second hub-side IPsec/IKEv2 gateway. Same role as IPsecGW1
! (group-security server, iBGP route reflector in AS 65000) but with HA
! priority 253, i.e. the backup of the pair.
! ---------------------------------------------------------------------------
!
! WAN inbound allow-list, applied on GigaEthernet 2/1: IPv6 ND (NA/NS/RA),
! DHCPv6 client replies (UDP 546), IKE (UDP 500 <-> 500) and ESP (protocol 50).
! Everything else is dropped by 4009. UDP 4500 (IKE NAT-T) is not opened, so
! the IPv6 path must be NAT-free -- NOTE(review): confirm.
access-list 4000 permit icmp6 any any neighbor-advertisement
access-list 4000 permit icmp6 any any neighbor-solicitation
access-list 4000 permit icmp6 any any router-advertisement
access-list 4000 permit udp any any eq 546
access-list 4000 permit udp any eq 500 any eq 500
access-list 4000 permit 50 any any
access-list 4009 deny ipv6 any any
! NOTE(review): "spi" on the outbound list presumably enables stateful
! inspection so that replies to outbound traffic are admitted; confirm in the
! vendor reference.
access-list 4010 spi ipv6 any any
!
! Host route to the HA partner's loopback over the LAN link.
ip route 172.16.0.1 255.255.255.255 192.168.0.1
!
! IPv6 default route taken from DHCPv6/RA on the WAN port-channel.
ipv6 route ::/0 dhcp port-channel 2
!
! DHCPv6 client profile: only asks for DNS servers, retries forever.
ipv6 dhcp client-profile ipv6dns_client
 option-request dns-server
 retries infinity
exit
!
! NOTE(review): logs are kept in the local buffer only; no remote syslog host
! is configured in this excerpt, so the IKE failure/session logs enabled below
! do not survive a reload. Add a syslog destination if it is not set elsewhere.
logging buffer level informational
!
hostname IPsecGW2
!
! NOTE(review): ESP anti-replay checking is disabled, so replayed ESP packets
! are not rejected here. Presumably required because group-security SAs are
! shared by several senders; confirm the design needs it before keeping it.
crypto ipsec replay-check disable
! Presumably keeps an SA usable past ESP sequence-number wrap instead of
! forcing a rekey -- confirm.
crypto ipsec sequence-overflow disable
!
! Point-to-point IPsec policy: PFS with DH group 14, AES-256 / HMAC-SHA-256,
! 8-hour SA lifetime, DF bit cleared and post-encryption fragmentation.
crypto ipsec policy IPsec_POLICY
 set pfs group14
 set security-association rekey always
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set ip df-bit 0
 set ip fragment post
 ! Presumably installs the tunnel route when the SA comes up -- confirm.
 sa-up route
exit
!
! Any-to-any IPv4 selector: the hub accepts whatever traffic selectors the
! sites propose (the sites narrow it to their own loopback).
crypto ipsec selector SELECTOR1
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
! Group-security (shared-SA) policy: AES-256 / HMAC-SHA-256, 10-minute
! lifetime, soft limit 60 s before expiry. The SPI mask value comes from the
! service design (the second word differs between the two hubs).
crypto ipsec group-security policy GSA_POLICY
 set security-association transform esp-aes esp-sha256-hmac
 set security-association transform-keysize aes 256
 set security-association lifetime seconds 600
 set security-association softlimit seconds 60 rollover 30 30
 spi mask hex ffcfffff 00300000
exit
!
! Group-security server HA: keepalives with IPsecGW1 between the loopbacks,
! 10 s interval / 20 s timeout; this unit is the backup (253 < 254).
crypto group-security server ha local-address 172.16.0.2 remote-address 172.16.0.1
crypto group-security server ha keepalive-interval 10
crypto group-security server ha keepalive-timeout 20
crypto group-security server priority 253
! IKE dead-peer detection every 60 s, sent regardless of traffic.
crypto isakmp keepalive interval 60 always-send
! IKE session, negotiation-failure and GSA logging -- keep these on; they are
! the main detection signal for tunnel problems and authentication failures.
crypto isakmp log session detail
crypto isakmp log negotiation-fail
crypto isakmp log gsa
!
! IKE policy: PSK authentication, AES-256, DH group 14, SHA-256, 24 h lifetime.
! "256 256 256" is presumably min/max/default key size -- confirm.
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
exit
!
! IKEv2 profile used by the dynamic map; identity is the hub FQDN.
! NOTE(review): "SecretKey" is a placeholder -- replace it with a long random
! secret before deployment. One shared PSK serves every site through the single
! dynamic map, so a compromised site exposes the credential for all of them.
crypto isakmp profile ISAPROF_1
 self-identity fqdn IPsecGW2.example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set group-security-policy GSA_POLICY
 ike-version 2
 local-key SecretKey
exit
!
! Release the session 1 s after the IPsec SA is lost and send a DELETE on
! reset so the peer does not keep a stale SA -- semantics presumed, confirm.
crypto session release ipsec-lost-time 1
crypto session release reset delete-send
!
! Dynamic crypto map: responder side, any site matching SELECTOR1 may connect.
crypto map MAP_1 ipsec-isakmp dynamic
 match address SELECTOR1
 set isakmp-profile ISAPROF_1
exit
!
! LAN-side physical port (VLAN 1 -> Port-channel 1).
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
! WAN-side physical port (VLAN 2 -> Port-channel 2) carrying the IPv6 filters.
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
 ipv6 access-group 4000 in
 ipv6 access-group 4009 in
 ipv6 access-group 4010 out
exit
!
! Loopback used as BGP router-id, iBGP update source and HA address.
interface Loopback 1
 ip address 172.16.0.2
exit
!
! WAN port-channel: SLAAC + DHCPv6 client, and a DDNS update (http-client 1)
! 10 s after the address changes and every 60 s afterwards.
interface Port-channel 2
 ipv6 enable
 ipv6 address autoconfig
 ipv6 nd receive-ra
 ipv6 dhcp service client
 ipv6 dhcp client-profile ipv6dns_client
 mtu 1500
 ddns-client address ipv6 action http-client 1 delay 10 interval 60
exit
!
! LAN port-channel towards the PE router (192.168.0.254) and IPsecGW1.
interface Port-channel 1
 ip address 192.168.0.2 255.255.255.0
exit
!
! iBGP AS 65000: eBGP to the PE, passive dynamic iBGP sessions from the sites.
! NOTE(review): dynamic peers are accepted from any IPv4 source (0.0.0.0/0)
! with no neighbor password; session protection rests entirely on the site
! loopbacks being reachable only through IPsec. Narrow the listen range to the
! site loopback block and add a neighbor password if the platform supports it.
router bgp 65000
 bgp router-id 172.16.0.2
 bgp log-neighbor-changes
 bgp listen range 0.0.0.0/0 peer-group PEER_GROUP_1
 neighbor 192.168.0.254 remote-as 65001
 neighbor PEER_GROUP_1 passive
 neighbor PEER_GROUP_1 remote-as 65000
 neighbor PEER_GROUP_1 update-source loopback 1
 neighbor PEER_GROUP_1 peer-group
 !
 address-family ipv4 unicast
  ! Sites are route-reflector clients; next-hop validation is off, presumably
  ! because the next hops sit behind the tunnels -- confirm.
  neighbor 192.168.0.254 route-map RMAP_LAN_LOCPRF_SET in
  neighbor 192.168.0.254 route-map RMAP_PE_MED_SET out
  neighbor PEER_GROUP_1 route-reflector-client
  neighbor PEER_GROUP_1 disable-nexthop-validation
  redistribute connected route-map RMAP_LAN_LOCPRF_SET
 exit
 !
exit
!
! GW2 is the backup hub: lower local-preference inbound (100) and higher
! MED outbound (200) than IPsecGW1.
route-map RMAP_LAN_LOCPRF_SET permit 1
 set local-preference 100
exit
!
route-map RMAP_PE_MED_SET permit 1
 set metric 200
exit
!
! DDNS renewal over HTTPS. The URL carries the DDNS host key (<ホストキー> is
! the placeholder to fill in), so treat this line as a credential; with
! "logging on" the request may be written to the log buffer.
! NOTE(review): no trust anchor for the server certificate is visible here --
! confirm the client validates it.
http-client 1
 request-timeout 10
 retry 5
 method 1 get url https://ddnsapi-v6.e-ntt.jp/api/renew/ <ホストキー> $i6
 reference-interface port-channel 2
 source-interface port-channel 2
 logging on
exit
!
end
! ---------------------------------------------------------------------------
! kyoten-a: branch-site router. Builds IKEv2/IPsec tunnels to both hubs
! (IPsecGW1, IPsecGW2) over an IPv6 WAN (Port-channel 2), joins the
! group-security domain as a client and peers with both hubs in iBGP AS 65000.
! ---------------------------------------------------------------------------
!
! WAN inbound allow-list, applied on GigaEthernet 2/1: IPv6 ND (NA/NS/RA),
! DHCPv6 client replies (UDP 546), IKE (UDP 500 <-> 500) and ESP (protocol 50).
! Everything else is dropped by 4009. UDP 4500 (IKE NAT-T) is not opened, so
! the IPv6 path must be NAT-free -- NOTE(review): confirm.
access-list 4000 permit icmp6 any any neighbor-advertisement
access-list 4000 permit icmp6 any any neighbor-solicitation
access-list 4000 permit icmp6 any any router-advertisement
access-list 4000 permit udp any any eq 546
access-list 4000 permit udp any eq 500 any eq 500
access-list 4000 permit 50 any any
access-list 4009 deny ipv6 any any
! NOTE(review): "spi" on the outbound list presumably enables stateful
! inspection so that replies to outbound traffic are admitted; confirm in the
! vendor reference.
access-list 4010 spi ipv6 any any
!
! Host routes to the hub loopbacks, one per point-to-point tunnel.
ip route 172.16.0.1 255.255.255.255 tunnel 1
ip route 172.16.0.2 255.255.255.255 tunnel 2
!
! IPv6 default route taken from DHCPv6/RA on the WAN port-channel.
ipv6 route ::/0 dhcp port-channel 2
!
! DHCPv6 client profile: only asks for DNS servers, retries forever.
ipv6 dhcp client-profile ipv6dns_client
 option-request dns-server
 retries infinity
exit
!
! NOTE(review): logs are kept in the local buffer only; no remote syslog host
! is configured in this excerpt, so the IKE failure/session logs enabled below
! do not survive a reload. Add a syslog destination if it is not set elsewhere.
logging buffer level informational
!
hostname kyoten-a
!
! Presumably starts rekeying 90 s before SA expiry whether this side initiates
! or responds -- confirm.
crypto ipsec security-association softlimit initiate seconds 90
crypto ipsec security-association softlimit respond seconds 90
! NOTE(review): ESP anti-replay checking is disabled, so replayed ESP packets
! are not rejected here. Presumably required because group-security SAs are
! shared by several senders; confirm the design needs it before keeping it.
crypto ipsec replay-check disable
! Presumably keeps an SA usable past ESP sequence-number wrap instead of
! forcing a rekey -- confirm.
crypto ipsec sequence-overflow disable
!
! Point-to-point IPsec policy: PFS with DH group 14, AES-256 / HMAC-SHA-256,
! 8-hour SA lifetime; "always-up" keeps the tunnels established without
! waiting for traffic.
crypto ipsec policy IPsec_POLICY
 set pfs group14
 set security-association always-up
 set security-association rekey always
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set ip df-bit 0
 set ip fragment post
exit
!
! Traffic selector: this site's loopback (/32) to anything.
crypto ipsec selector SELECTOR1
 src 1 ipv4 172.16.0.101 255.255.255.255
 dst 1 ipv4 any
exit
!
! IKE dead-peer detection every 60 s, sent regardless of traffic.
crypto isakmp keepalive interval 60 always-send
! IKE session, negotiation-failure and GSA logging -- keep these on; they are
! the main detection signal for tunnel problems and authentication failures.
crypto isakmp log session detail
crypto isakmp log negotiation-fail
crypto isakmp log gsa
! Negotiation retry/back-off and pacing parameters for the always-up tunnels
! (semantics presumed from the keywords -- confirm in the vendor reference).
crypto isakmp negotiation retry timer 10 limit 3 timer-max 30 guard-time 0
crypto isakmp negotiation expire-time 90
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 1 delay 1
!
! IKE policy: PSK authentication, AES-256, DH group 14, SHA-256. The lifetime
! (86000 s) is slightly below the hubs' 86400 s, presumably so that the site
! rekeys first -- confirm.
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86000
 hash sha-256
exit
!
! IKEv2 profile towards IPsecGW1. The hub must present the identity
! IPsecGW1.example.jp and prove the PSK; its address is resolved through DNS
! ("set peer domain ... v6" via the local resolver ::1). DNS is unauthenticated,
! but a spoofed answer can only point at a peer that fails IKE authentication,
! so peer authenticity rests on the identity match plus PSK, not on DNS.
! NOTE(review): "SecretKey" is a placeholder -- replace it with a long random
! secret before deployment; it must match the hub side.
crypto isakmp profile ISAPROF_1
 match identity host IPsecGW1.example.jp
 self-identity user-fqdn kyoten-a@example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer domain fitelnet-ipsecgw1.i.e-ntt.jp v6
 group-security client
 ! Group-security client SPI mask; value comes from the service design.
 spi mask hex ffdfffff 00200000
 ike-version 2
 local-key SecretKey
exit
!
! Same profile towards IPsecGW2 (identity IPsecGW2.example.jp).
crypto isakmp profile ISAPROF_2
 match identity host IPsecGW2.example.jp
 self-identity user-fqdn kyoten-a@example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer domain fitelnet-ipsecgw2.i.e-ntt.jp v6
 group-security client
 spi mask hex ffdfffff 00200000
 ike-version 2
 local-key SecretKey
exit
!
! Release the session 1 s after the IPsec SA is lost and send a DELETE on
! reset so the peer does not keep a stale SA -- semantics presumed, confirm.
crypto session release ipsec-lost-time 1
crypto session release reset delete-send
!
! Static crypto maps (initiator side), one per hub, sharing the selector.
crypto map MAP_1 ipsec-isakmp
 match address SELECTOR1
 set isakmp-profile ISAPROF_1
exit
!
crypto map MAP_2 ipsec-isakmp
 match address SELECTOR1
 set isakmp-profile ISAPROF_2
exit
!
! LAN-side physical port (VLAN 1 -> Port-channel 1).
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
! WAN-side physical port (VLAN 2 -> Port-channel 2) carrying the IPv6 filters.
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
 ipv6 access-group 4000 in
 ipv6 access-group 4009 in
 ipv6 access-group 4010 out
exit
!
! Site loopback: selector source, BGP router-id and iBGP update source.
interface Loopback 1
 ip address 172.16.0.101
exit
!
! WAN port-channel: SLAAC + DHCPv6 client.
interface Port-channel 2
 ipv6 enable
 ipv6 address autoconfig
 ipv6 nd receive-ra
 ipv6 dhcp service client
 ipv6 dhcp client-profile ipv6dns_client
 mtu 1500
exit
!
! Site LAN.
interface Port-channel 1
 ip address 192.168.101.1 255.255.255.0
exit
!
! Tunnel 1/2: point-to-point IPsec to each hub. Tunnel 3: group-security
! (shared-SA) tunnel built from both maps.
interface Tunnel 1
 tunnel mode ipsec map MAP_1
exit
!
interface Tunnel 2
 tunnel mode ipsec map MAP_2
exit
!
interface Tunnel 3
 tunnel mode ipsec
 crypto group-security map MAP_1
 crypto group-security map MAP_2
exit
!
! iBGP to both hub loopbacks, sourced from Loopback 1. No neighbor password
! is configured; the sessions are protected by running inside the tunnels.
router bgp 65000
 bgp router-id 172.16.0.101
 bgp log-neighbor-changes
 neighbor 172.16.0.1 remote-as 65000
 neighbor 172.16.0.1 update-source loopback 1
 neighbor 172.16.0.2 remote-as 65000
 neighbor 172.16.0.2 update-source loopback 1
 !
 address-family ipv4 unicast
  ! Next hops are presumably reached by IPsec encapsulation towards the hubs'
  ! IPv6 WAN endpoints ("encap type ipsec-tunnel") -- confirm.
  neighbor 172.16.0.1 disable-nexthop-validation
  neighbor 172.16.0.1 encap endpoint ipv6 interface port-channel 2
  neighbor 172.16.0.1 encap type ipsec-tunnel
  neighbor 172.16.0.2 disable-nexthop-validation
  neighbor 172.16.0.2 encap endpoint ipv6 interface port-channel 2
  neighbor 172.16.0.2 encap type ipsec-tunnel
  redistribute connected
 exit
 !
exit
!
! The router's own resolver, and the resolver used for IKE peer names, is the
! local DNS proxy (::1).
ip name-server ::1
!
crypto ip name-server ::1
!
! DNS proxy for the LAN: every name is forwarded to the resolvers learned by
! DHCPv6 on the WAN. WAN-side queries cannot reach it because ACL 4000 does
! not open UDP 53 and 4009 drops everything else.
dns-server ipv6 enable
!
proxydns domain 1 any * any dhcp ipv6 port-channel 2
proxydns address 1 any dhcp ipv6 port-channel 2
!
end
! ---------------------------------------------------------------------------
! kyoten-b: branch-site router. Builds IKEv2/IPsec tunnels to both hubs
! (IPsecGW1, IPsecGW2) over an IPv6 WAN (Port-channel 2), joins the
! group-security domain as a client and peers with both hubs in iBGP AS 65000.
! ---------------------------------------------------------------------------
!
! WAN inbound allow-list, applied on GigaEthernet 2/1: IPv6 ND (NA/NS/RA),
! DHCPv6 client replies (UDP 546), IKE (UDP 500 <-> 500) and ESP (protocol 50).
! Everything else is dropped by 4009. UDP 4500 (IKE NAT-T) is not opened, so
! the IPv6 path must be NAT-free -- NOTE(review): confirm.
access-list 4000 permit icmp6 any any neighbor-advertisement
access-list 4000 permit icmp6 any any neighbor-solicitation
access-list 4000 permit icmp6 any any router-advertisement
access-list 4000 permit udp any any eq 546
access-list 4000 permit udp any eq 500 any eq 500
access-list 4000 permit 50 any any
access-list 4009 deny ipv6 any any
! NOTE(review): "spi" on the outbound list presumably enables stateful
! inspection so that replies to outbound traffic are admitted; confirm in the
! vendor reference.
access-list 4010 spi ipv6 any any
!
! Host routes to the hub loopbacks, one per point-to-point tunnel.
ip route 172.16.0.1 255.255.255.255 tunnel 1
ip route 172.16.0.2 255.255.255.255 tunnel 2
!
! IPv6 default route taken from DHCPv6/RA on the WAN port-channel.
ipv6 route ::/0 dhcp port-channel 2
!
! DHCPv6 client profile: only asks for DNS servers, retries forever.
ipv6 dhcp client-profile ipv6dns_client
 option-request dns-server
 retries infinity
exit
!
! NOTE(review): logs are kept in the local buffer only; no remote syslog host
! is configured in this excerpt, so the IKE failure/session logs enabled below
! do not survive a reload. Add a syslog destination if it is not set elsewhere.
logging buffer level informational
!
hostname kyoten-b
!
! Presumably starts rekeying 90 s before SA expiry whether this side initiates
! or responds -- confirm.
crypto ipsec security-association softlimit initiate seconds 90
crypto ipsec security-association softlimit respond seconds 90
! NOTE(review): ESP anti-replay checking is disabled, so replayed ESP packets
! are not rejected here. Presumably required because group-security SAs are
! shared by several senders; confirm the design needs it before keeping it.
crypto ipsec replay-check disable
! Presumably keeps an SA usable past ESP sequence-number wrap instead of
! forcing a rekey -- confirm.
crypto ipsec sequence-overflow disable
!
! Point-to-point IPsec policy: PFS with DH group 14, AES-256 / HMAC-SHA-256,
! 8-hour SA lifetime; "always-up" keeps the tunnels established without
! waiting for traffic.
crypto ipsec policy IPsec_POLICY
 set pfs group14
 set security-association always-up
 set security-association rekey always
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set ip df-bit 0
 set ip fragment post
exit
!
! Traffic selector: this site's loopback (/32) to anything.
crypto ipsec selector SELECTOR1
 src 1 ipv4 172.16.0.102 255.255.255.255
 dst 1 ipv4 any
exit
!
! IKE dead-peer detection every 60 s, sent regardless of traffic.
crypto isakmp keepalive interval 60 always-send
! IKE session, negotiation-failure and GSA logging -- keep these on; they are
! the main detection signal for tunnel problems and authentication failures.
crypto isakmp log session detail
crypto isakmp log negotiation-fail
crypto isakmp log gsa
! Negotiation retry/back-off and pacing parameters for the always-up tunnels
! (semantics presumed from the keywords -- confirm in the vendor reference).
crypto isakmp negotiation retry timer 10 limit 3 timer-max 30 guard-time 0
crypto isakmp negotiation expire-time 90
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 1 delay 1
!
! IKE policy: PSK authentication, AES-256, DH group 14, SHA-256. The lifetime
! (86000 s) is slightly below the hubs' 86400 s, presumably so that the site
! rekeys first -- confirm.
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86000
 hash sha-256
exit
!
! IKEv2 profile towards IPsecGW1. The hub must present the identity
! IPsecGW1.example.jp and prove the PSK; its address is resolved through DNS
! ("set peer domain ... v6" via the local resolver ::1). DNS is unauthenticated,
! but a spoofed answer can only point at a peer that fails IKE authentication,
! so peer authenticity rests on the identity match plus PSK, not on DNS.
! NOTE(review): "SecretKey" is a placeholder -- replace it with a long random
! secret before deployment; it must match the hub side.
crypto isakmp profile ISAPROF_1
 match identity host IPsecGW1.example.jp
 self-identity user-fqdn kyoten-b@example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer domain fitelnet-ipsecgw1.i.e-ntt.jp v6
 group-security client
 ! Group-security client SPI mask; value comes from the service design.
 spi mask hex ffdfffff 00200000
 ike-version 2
 local-key SecretKey
exit
!
! Same profile towards IPsecGW2 (identity IPsecGW2.example.jp).
crypto isakmp profile ISAPROF_2
 match identity host IPsecGW2.example.jp
 self-identity user-fqdn kyoten-b@example.jp
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer domain fitelnet-ipsecgw2.i.e-ntt.jp v6
 group-security client
 spi mask hex ffdfffff 00200000
 ike-version 2
 local-key SecretKey
exit
!
! Release the session 1 s after the IPsec SA is lost and send a DELETE on
! reset so the peer does not keep a stale SA -- semantics presumed, confirm.
crypto session release ipsec-lost-time 1
crypto session release reset delete-send
!
! Static crypto maps (initiator side), one per hub, sharing the selector.
crypto map MAP_1 ipsec-isakmp
 match address SELECTOR1
 set isakmp-profile ISAPROF_1
exit
!
crypto map MAP_2 ipsec-isakmp
 match address SELECTOR1
 set isakmp-profile ISAPROF_2
exit
!
! LAN-side physical port (VLAN 1 -> Port-channel 1).
interface GigaEthernet 1/1
 vlan-id 1
 bridge-group 1
 channel-group 1
exit
!
! WAN-side physical port (VLAN 2 -> Port-channel 2) carrying the IPv6 filters.
interface GigaEthernet 2/1
 vlan-id 2
 bridge-group 2
 channel-group 2
 ipv6 access-group 4000 in
 ipv6 access-group 4009 in
 ipv6 access-group 4010 out
exit
!
! Site loopback: selector source, BGP router-id and iBGP update source.
interface Loopback 1
 ip address 172.16.0.102
exit
!
! WAN port-channel: SLAAC + DHCPv6 client.
interface Port-channel 2
 ipv6 enable
 ipv6 address autoconfig
 ipv6 nd receive-ra
 ipv6 dhcp service client
 ipv6 dhcp client-profile ipv6dns_client
 mtu 1500
exit
!
! Site LAN.
interface Port-channel 1
 ip address 192.168.102.1 255.255.255.0
exit
!
! Tunnel 1/2: point-to-point IPsec to each hub. Tunnel 3: group-security
! (shared-SA) tunnel built from both maps.
interface Tunnel 1
 tunnel mode ipsec map MAP_1
exit
!
interface Tunnel 2
 tunnel mode ipsec map MAP_2
exit
!
interface Tunnel 3
 tunnel mode ipsec
 crypto group-security map MAP_1
 crypto group-security map MAP_2
exit
!
! iBGP to both hub loopbacks, sourced from Loopback 1. No neighbor password
! is configured; the sessions are protected by running inside the tunnels.
router bgp 65000
 bgp router-id 172.16.0.102
 bgp log-neighbor-changes
 neighbor 172.16.0.1 remote-as 65000
 neighbor 172.16.0.1 update-source loopback 1
 neighbor 172.16.0.2 remote-as 65000
 neighbor 172.16.0.2 update-source loopback 1
 !
 address-family ipv4 unicast
  ! Next hops are presumably reached by IPsec encapsulation towards the hubs'
  ! IPv6 WAN endpoints ("encap type ipsec-tunnel") -- confirm.
  neighbor 172.16.0.1 disable-nexthop-validation
  neighbor 172.16.0.1 encap endpoint ipv6 interface port-channel 2
  neighbor 172.16.0.1 encap type ipsec-tunnel
  neighbor 172.16.0.2 disable-nexthop-validation
  neighbor 172.16.0.2 encap endpoint ipv6 interface port-channel 2
  neighbor 172.16.0.2 encap type ipsec-tunnel
  redistribute connected
 exit
 !
exit
!
! The router's own resolver, and the resolver used for IKE peer names, is the
! local DNS proxy (::1).
ip name-server ::1
!
crypto ip name-server ::1
!
! DNS proxy for the LAN: every name is forwarded to the resolvers learned by
! DHCPv6 on the WAN. WAN-side queries cannot reach it because ACL 4000 does
! not open UDP 53 and 4009 drops everything else.
dns-server ipv6 enable
!
proxydns domain 1 any * any dhcp ipv6 port-channel 2
proxydns address 1 any dhcp ipv6 port-channel 2
!
end