Configuration Example for an IPsec + Static Routing Setup on FLET'S VPN Prio (Cisco1111)


 

This article provides a sample configuration for our IOS routers in a deployment that uses the FLET'S VPN Prio service provided by NTT East.

 

* For details on FLET'S VPN Prio, see:

https://business.ntt-east.co.jp/service/vpnprio/

 

Topology

 

[Figure: topology diagram (c891_ipsec.png)]

 

Platform

 

Cisco1111

 

Site LAN-side configuration information

Site     LAN-side subnet
Site A   192.168.10.0/24
Site B   192.168.11.0/24
Site C   192.168.12.0/24

 

R1 (Site A)

! IKEv2 proposal: encryption, integrity and DH group offered for the IKE SA
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
! IKEv2 policy that selects the proposal above
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
! Keyring: the wildcard address applies the same pre-shared key to every peer
crypto ikev2 keyring KEYRNG
 peer Branch
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
! IKEv2 profile: matches any remote address identity, pre-shared-key authentication in both directions
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
! ESP transform set and the IPsec profile applied to the tunnel interfaces
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Tunnel0: IPsec tunnel to R2 (Site B)
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.10.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.11.2
 tunnel protection ipsec profile PRIO
!
! Tunnel1: IPsec tunnel to R3 (Site C)
interface Tunnel1
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.10.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.12.2
 tunnel protection ipsec profile PRIO
!
! Interface that holds the tunnel source address 192.168.10.2
interface GigabitEthernet0/0/0
 ip address 192.168.10.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
! Vlan1: TCP MSS 1334 = tunnel IP MTU 1374 minus 40 bytes of IP and TCP headers
interface Vlan1
 ip address 172.16.1.254 255.255.255.0
 ip tcp adjust-mss 1334
!
! Static routes: 172.16.2.0/24 and 172.16.3.0/24 through the tunnels,
! the other sites' 192.168.x.0/24 subnets via 192.168.10.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.2.0 255.255.255.0 Tunnel0
ip route 172.16.3.0 255.255.255.0 Tunnel1
ip route 192.168.11.0 255.255.255.0 192.168.10.1
ip route 192.168.12.0 255.255.255.0 192.168.10.1

 

 

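R2 (Site B)

! IKEv2 proposal: encryption, integrity and DH group offered for the IKE SA
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
! IKEv2 policy that selects the proposal above
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
! Keyring: pre-shared key for the peer Center (R1, 192.168.10.2)
crypto ikev2 keyring KEYRNG
 peer Center
  address 192.168.10.2 255.255.255.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
! IKEv2 profile: matches only the remote address identity 192.168.10.2
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 192.168.10.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
! ESP transform set and the IPsec profile applied to the tunnel interface
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Tunnel0: IPsec tunnel to R1 (Site A)
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.11.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.10.2
 tunnel protection ipsec profile PRIO
!
! Interface that holds the tunnel source address 192.168.11.2
interface GigabitEthernet0/0/0
 ip address 192.168.11.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
! Vlan1: TCP MSS 1334 = tunnel IP MTU 1374 minus 40 bytes of IP and TCP headers
interface Vlan1
 ip address 172.16.2.254 255.255.255.0
 ip tcp adjust-mss 1334
!
! Default route through the tunnel; the more specific route to 192.168.10.0/24
! keeps the tunnel destination reachable outside the tunnel
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 192.168.11.1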

 

 

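R3 (Site C)

! IKEv2 proposal: encryption, integrity and DH group offered for the IKE SA
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
! IKEv2 policy that selects the proposal above
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
! Keyring: pre-shared key for the peer Center (R1, 192.168.10.2)
crypto ikev2 keyring KEYRNG
 peer Center
  address 192.168.10.2 255.255.255.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
! IKEv2 profile: matches only the remote address identity 192.168.10.2
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 192.168.10.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
! ESP transform set and the IPsec profile applied to the tunnel interface
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! Tunnel0: IPsec tunnel to R1 (Site A)
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.12.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.10.2
 tunnel protection ipsec profile PRIO
!
! Interface that holds the tunnel source address 192.168.12.2
interface GigabitEthernet0/0/0
 ip address 192.168.12.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
! Vlan1: TCP MSS 1334 = tunnel IP MTU 1374 minus 40 bytes of IP and TCP headers
interface Vlan1
 ip address 172.16.3.254 255.255.255.0
 ip tcp adjust-mss 1334
!
! Default route through the tunnel; the more specific route to 192.168.10.0/24
! keeps the tunnel destination reachable outside the tunnel
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 192.168.12.1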
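
A pre-deployment check for the IKEv2 settings used in the three configurations above, as an added example that is not part of the original article or any Cisco tooling: it flags the `integrity md5` and `group 2` proposal values, the sample pre-shared key and the wildcard peer match before the sample is reused in production. The function name `audit_ikev2`, the policy sets and the placeholder-key list are assumptions of this example.

```python
# Audit policy assumed for this example (not from the page): RFC 8247 advises
# against HMAC-MD5 integrity and DH groups 1, 2 and 5 for IKEv2.
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
PLACEHOLDER_KEYS = {"cisco", "password", "test"}  # constructed list

def audit_ikev2(config):
    """Return (section, finding) tuples for the IKEv2 blocks of an IOS config."""
    findings, section = [], ""
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue                      # blank line or "!" separator/comment
        if not raw[0].isspace():          # an unindented line opens a new section
            section = raw.strip()
            continue
        if section.startswith("crypto ikev2 proposal"):
            if words[0] == "integrity":   # several algorithms may share one line
                findings += [(section, f"weak integrity {w}") for w in words[1:] if w in WEAK_INTEGRITY]
            elif words[0] == "group":
                findings += [(section, f"weak DH group {w}") for w in words[1:] if w in WEAK_DH_GROUPS]
        elif section.startswith("crypto ikev2 keyring"):
            if words[:2] == ["address", "0.0.0.0"]:
                findings.append((section, "wildcard peer address"))
            elif words[0] == "pre-shared-key" and words[-1].lower() in PLACEHOLDER_KEYS:
                side = words[1] if words[1] in ("local", "remote") else "symmetric"
                findings.append((section, f"placeholder pre-shared key ({side})"))
        elif section.startswith("crypto ikev2 profile"):
            if words[:5] == ["match", "identity", "remote", "address", "0.0.0.0"]:
                findings.append((section, "profile matches any remote address"))
    return findings

# IKEv2 lines of R1 from the configuration above ("!" separators omitted)
R1_IKEV2 = """\
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
crypto ikev2 keyring KEYRNG
 peer Branch
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
"""

if __name__ == "__main__":
    print(*(f"{s}: {f}" for s, f in audit_ikev2(R1_IKEV2)), sep="\n")
```

The check compares keys in clear text only, so a type 6 encrypted key is never reported as a placeholder.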