2019-01-16 05:39 PM
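This post publishes a sample configuration for our IOS routers in a topology that uses FLET'S VPN Prio (フレッツ・VPNプライオ), a service provided by NTT East.
* For details on FLET'S VPN Prio, see:
https://business.ntt-east.co.jp/service/vpnprio/
Topology
Platform
Cisco891
Site LAN-side configuration information
Site | LAN-side subnet |
Site A | 192.168.10.0/24 |
Site B | 192.168.11.0/24 |
Site C | 192.168.12.0/24 |
R1 (Site A)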
```
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
crypto ikev2 keyring KEYRNG
 peer Branch
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.10.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.11.2
 tunnel protection ipsec profile PRIO
!
interface Tunnel1
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.10.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.12.2
 tunnel protection ipsec profile PRIO
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.10.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.16.1.254 255.255.255.0
 ip tcp adjust-mss 1334
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.2.0 255.255.255.0 Tunnel0
ip route 172.16.3.0 255.255.255.0 Tunnel1
ip route 192.168.11.0 255.255.255.0 192.168.10.1
ip route 192.168.12.0 255.255.255.0 192.168.10.1
!
```
R2 (Site B)
```
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
crypto ikev2 keyring KEYRNG
 peer Center
  address 192.168.10.2 255.255.255.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 192.168.10.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.11.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.10.2
 tunnel protection ipsec profile PRIO
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.11.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.16.2.254 255.255.255.0
 ip tcp adjust-mss 1334
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 192.168.11.1
!
```
R3 (Site C)
```
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
crypto ikev2 policy site-pol
 proposal PHASE1-prop
!
crypto ikev2 keyring KEYRNG
 peer Center
  address 192.168.10.2 255.255.255.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 192.168.10.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRNG
!
crypto ipsec transform-set PRIOSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PRIO
 set transform-set PRIOSET
 set ikev2-profile IKEV2-SETUP
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1374
 tunnel source 192.168.12.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.10.2
 tunnel protection ipsec profile PRIO
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.16.3.254 255.255.255.0
 ip tcp adjust-mss 1334
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 192.168.12.1
!
```
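An added example, not part of the original post and not a Cisco tool: a small Python check that walks the IKEv2 sections of a configuration such as R1's and reports the settings a reviewer would want replaced before the sample is reused outside a lab (MD5 integrity, DH group 2, the short sample pre-shared key, and the 0.0.0.0 wildcard peer match). The function name `audit_ikev2`, the `MIN_PSK_LEN` threshold and the embedded config excerpt are assumptions made for this illustration.

```python
# Constructed sample: the IKEv2 part of the R1 configuration shown on this page.
R1_CONFIG = """\
crypto ikev2 proposal PHASE1-prop
 encryption aes-cbc-128
 integrity md5
 group 2
!
crypto ikev2 keyring KEYRNG
 peer Branch
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
 authentication remote pre-share
"""

WEAK_INTEGRITY = {"md5"}          # HMAC-MD5 is MUST NOT for IKEv2 in RFC 8247
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP <= 1536 bits: MUST NOT or SHOULD NOT in RFC 8247
MIN_PSK_LEN = 20                  # assumption: a local policy threshold, not an IOS limit

def audit_ikev2(config):
    """Return (section, finding) tuples for weak IKEv2 settings in an IOS config."""
    findings, section = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():
            # Top-level command: only "crypto ikev2 <type> <name>" opens a tracked section.
            is_ikev2 = words[:2] == ["crypto", "ikev2"] and len(words) > 3
            section = words[3] if is_ikev2 else None
        elif section is None:
            continue
        elif words[0] == "integrity":
            findings += [(section, f"weak integrity {a}") for a in words[1:] if a in WEAK_INTEGRITY]
        elif words[0] == "group":
            findings += [(section, f"weak DH group {g}") for g in words[1:] if g in WEAK_DH_GROUPS]
        elif words[0] == "pre-shared-key":
            if len(words[-1]) < MIN_PSK_LEN:  # report the direction, never echo the key
                side = words[1] if words[1] in ("local", "remote") else "both"
                findings.append((section, f"short pre-shared-key ({side})"))
        elif "address" in words[:-1] and words[words.index("address") + 1] == "0.0.0.0":
            findings.append((section, "wildcard peer address"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_ikev2(R1_CONFIG):
        print(f"{section}: {finding}")
```

Run against the R2 or R3 configuration, the same check reports the proposal and key findings but no wildcard match, because those routers pin the peer to 192.168.10.2.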