Configuration example: backing up an internet VPN link with a tunnel over the mobile network
                                ((main))
          <<==========================IPsec========================>>
                   ISP1                                  ISP3
        +------+  +====main====+   +----------+   +===main===+  +------+
  PC1---|      |(lan2)------------>>|          |<<-------(lan2)|      |---PC2
        | RT-A |                    | Internet |               | RT-B |
        |      |(usb1)---mobile--->>|          |<<-------(lan3)|      |
        +------+  +===backup===+   +----------+   +==backup==+  +------+
                   ISP2                                  ISP4
          <<==========================IPsec========================>>
                                ((backup))

The two sites are connected over an internet VPN (IPsec tunnel 1, the main path). If that path fails, a second IPsec tunnel (tunnel 2, the backup path) carried over the mobile network takes over the traffic. On RT-A the switch is driven by "tunnel backup tunnel 2" on tunnel 1 together with the IKE keepalive; on RT-B it is driven by the "keepalive 1" / "weight 0" gateway pairs in the ip route commands, so the backup gateway is used only while the main one is down.
RT-A is an RTX1200. The mobile uplink on RT-A is a USB-attached handset or data card (N905i or A2502); RT-B has two fixed PPPoE lines.
[RT-A config example]

(when using an N905i)

console info on
login timer clear
ip route default gateway pp 1
ip route 192.168.200.0/24 gateway tunnel 1
ip route (RT-B PP1 IP address) gateway pp 1
ip route (RT-B PP2 IP address) gateway pp 2
ip lan1 address 192.168.100.1/24
pp select 1
 pp always-on on
 pppoe use lan2
 pp auth accept pap chap
 pp auth myname (ISP1 connection ID) (ISP1 connection password)
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type none
 ppp ipv6cp use off
 ip pp nat descriptor 1
 pp enable 1
pp select 2
 pp bind usb1
 pp auth accept pap chap
 pp auth myname (ISP2 connection ID) (ISP2 connection password)
 ppp lcp mru off 1792
 ppp lcp accm on
 ppp lcp pfc on
 ppp lcp acfc on
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ipv6cp use off
 ip pp nat descriptor 1
 mobile auto connect on
 mobile disconnect time 30
 mobile disconnect input time off
 mobile disconnect output time off
 mobile access-point name mopera.net cid=3
 mobile access limit length off
 mobile access limit time off
 mobile display caller id on
 pp enable 2
tunnel select 1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on heartbeat 5 3
  ipsec ike local name 1 (name of security gateway 1 on the RT-A side) key-id
  ipsec ike pre-shared-key 1 text (password 1)
  ipsec ike remote address 1 (RT-B PP1 IP address)
 tunnel backup tunnel 2
 tunnel enable 1
tunnel select 2
 ipsec tunnel 2
  ipsec sa policy 2 2 esp aes-cbc sha-hmac
  ipsec ike local name 2 (name of security gateway 2 on the RT-A side) key-id
  ipsec ike pre-shared-key 2 text (password 2)
  ipsec ike remote address 2 (RT-B PP2 IP address)
 tunnel enable 2
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.100.1 udp 500
nat descriptor masquerade static 1 2 192.168.100.1 esp
ipsec auto refresh on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.2-192.168.100.191/24
dns server select 1 pp 1 any . restrict pp 1
dns server select 2 pp 2 any . restrict pp 2
mobile use usb1 on
mobile type usb1 auto

(when using an A2502) *only the PP section is shown; the rest is the same as above

pp select 2
 pp bind usb1
 pp auth accept pap chap
 pp auth myname (ISP2 connection ID) (ISP2 connection password)
 ppp lcp mru off 1792
 ppp lcp accm on
 ppp lcp pfc on
 ppp lcp acfc on
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ipv6cp use off
 ip pp nat descriptor 1
 mobile auto connect on
 mobile disconnect time 30
 mobile disconnect input time off
 mobile disconnect output time off
 mobile access-point name mopera.net cid=3
 mobile access limit length off
 mobile access limit time off
 mobile display caller id off
 pp enable 2

[RT-B config example]

console info on
login timer clear
ip route default gateway pp 1 keepalive 1 gateway pp 2 weight 0
ip route 192.168.100.0/24 gateway tunnel 1 keepalive 1 gateway tunnel 2 weight 0
ip keepalive 1 icmp-echo 5 5 (RT-A PP1 IP address)
ip lan1 address 192.168.200.1/24
pp select 1
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname (ISP3 connection ID) (ISP3 connection password)
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type none
 ppp ipv6cp use off
 ip pp mtu 1454
 ip pp nat descriptor 1
 pp enable 1
pp select 2
 pp always-on on
 pppoe use lan3
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname (ISP4 connection ID) (ISP4 connection password)
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type none
 ppp ipv6cp use off
 ip pp mtu 1454
 ip pp nat descriptor 2
 pp enable 2
tunnel select 1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on heartbeat 5 3
  ipsec ike pre-shared-key 1 text (password 1)
  ipsec ike remote address 1 any
  ipsec ike remote name 1 (name of security gateway 1 on the RT-A side)
 tunnel enable 1
tunnel select 2
 ipsec tunnel 2
  ipsec sa policy 2 2 esp aes-cbc sha-hmac
  ipsec ike pre-shared-key 2 text (password 2)
  ipsec ike remote address 2 any
  ipsec ike remote name 2 (name of security gateway 2 on the RT-A side)
 tunnel enable 2
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.200.1 udp 500
nat descriptor masquerade static 1 2 192.168.200.1 esp
nat descriptor type 2 masquerade
nat descriptor masquerade static 2 1 192.168.200.1 udp 500
nat descriptor masquerade static 2 2 192.168.200.1 esp
ipsec auto refresh on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.200.2-192.168.200.191/24
dns server select 1 pp 1 any . restrict pp 1
dns server select 2 pp 2 any . restrict pp 2

For each tunnel number, "ipsec ike local name" on RT-A and "ipsec ike remote name" on RT-B must carry the same name, and "ipsec ike pre-shared-key" must be identical on both ends; RT-B accepts the IKE peer by name ("remote address any") because RT-A's mobile address is not fixed. The "nat descriptor masquerade static" entries for udp 500 and esp pass IKE and ESP through the masquerade to the router itself; without them on every NAT descriptor the tunnels cannot be established on that line.
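The mismatches that leave a main/backup pair like this silently half-working (a local/remote name that differs between the two routers, a pre-shared key typed differently on each end, a backup tunnel that is never enabled, a NAT descriptor missing its udp 500 / esp passthrough, an ip route keepalive that is never defined) are all visible by reading the two configs side by side. The Python script below is an added example, not code from the page or from Yamaha: it parses the relevant commands out of two RTX-style config texts and cross-checks them. The RT_A and RT_B strings are constructed from the page's example with dummy names, keys and RFC 5737 documentation addresses in place of the (...) placeholders, and the constructed RT_A deliberately carries a gateway-name typo on tunnel 2 so the checker has something to report.

```python
import re

# Constructed from the page's RT-A / RT-B example: the (...) placeholders are
# filled with dummy names and keys and RFC 5737 documentation addresses.
RT_A = """\
ip route 192.168.200.0/24 gateway tunnel 1
ip pp nat descriptor 1
tunnel select 1
 ipsec ike local name 1 rt-a-main key-id
 ipsec ike pre-shared-key 1 text PSK-MAIN
 ipsec ike remote address 1 203.0.113.10
 tunnel backup tunnel 2
 tunnel enable 1
tunnel select 2
 ipsec ike local name 2 rt-a-100 key-id
 ipsec ike pre-shared-key 2 text PSK-BACKUP
 ipsec ike remote address 2 203.0.113.20
 tunnel enable 2
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.100.1 udp 500
nat descriptor masquerade static 1 2 192.168.100.1 esp
"""
RT_B = """\
ip route default gateway pp 1 keepalive 1 gateway pp 2 weight 0
ip route 192.168.100.0/24 gateway tunnel 1 keepalive 1 gateway tunnel 2 weight 0
ip keepalive 1 icmp-echo 5 5 198.51.100.10
ip pp nat descriptor 1
ip pp nat descriptor 2
tunnel select 1
 ipsec ike pre-shared-key 1 text PSK-MAIN
 ipsec ike remote address 1 any
 ipsec ike remote name 1 rt-a-main
 tunnel enable 1
tunnel select 2
 ipsec ike pre-shared-key 2 text PSK-BACKUP
 ipsec ike remote address 2 any
 ipsec ike remote name 2 rt-a-backup
 tunnel enable 2
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.200.1 udp 500
nat descriptor masquerade static 1 2 192.168.200.1 esp
nat descriptor type 2 masquerade
nat descriptor masquerade static 2 1 192.168.200.1 udp 500
nat descriptor masquerade static 2 2 192.168.200.1 esp
"""


def parse(cfg):
    """Extract the fields the cross-checks need from one RTX config text.
    'tunnel select N' sets the context for the index-less 'tunnel backup'
    command; the ipsec ike commands carry their own tunnel number."""
    d = {"psk": {}, "local": {}, "remote": {}, "enabled": set(), "backup": {},
         "nat_static": {}, "nat_used": set(), "ka_ref": set(), "ka_def": set()}
    cur = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"tunnel select (\d+)$", line):
            cur = int(m[1])
        elif m := re.match(r"tunnel enable (\d+)$", line):
            d["enabled"].add(int(m[1]))
        elif m := re.match(r"tunnel backup tunnel (\d+)$", line):
            d["backup"][cur] = int(m[1])
        elif m := re.match(r"ipsec ike pre-shared-key (\d+) text (\S+)$", line):
            d["psk"][int(m[1])] = m[2]
        elif m := re.match(r"ipsec ike local name (\d+) (\S+)", line):
            d["local"][int(m[1])] = m[2]
        elif m := re.match(r"ipsec ike remote name (\d+) (\S+)", line):
            d["remote"][int(m[1])] = m[2]
        elif m := re.match(r"ip pp nat descriptor (\d+)$", line):
            d["nat_used"].add(int(m[1]))
        elif m := re.match(r"nat descriptor masquerade static (\d+) \d+ \S+ (\S+)(?: (\d+))?$", line):
            # record (protocol, port) per descriptor; esp has no port
            d["nat_static"].setdefault(int(m[1]), set()).add((m[2], m[3]))
        elif m := re.match(r"ip route .*keepalive (\d+)", line):
            d["ka_ref"].add(int(m[1]))
        elif m := re.match(r"ip keepalive (\d+) ", line):
            d["ka_def"].add(int(m[1]))
    return d


def check(a_cfg, b_cfg):
    """Cross-check RT-A (initiator) against RT-B (responder); returns findings.
    Assumes the same tunnel numbering on both routers, as in the page's example."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = []
    for n, key in sorted(a["psk"].items()):
        if b["psk"].get(n) != key:
            out.append(f"tunnel {n}: pre-shared key differs between RT-A and RT-B")
    for n, name in sorted(a["local"].items()):
        if b["remote"].get(n) != name:
            out.append(f"tunnel {n}: RT-A local name {name!r} != RT-B remote name {b['remote'].get(n)!r}")
    for n, m in sorted(a["backup"].items()):
        if m not in a["enabled"]:
            out.append(f"tunnel {n}: backup tunnel {m} is not enabled")
    for side, d in (("RT-A", a), ("RT-B", b)):
        for desc in sorted(d["nat_used"]):
            st = d["nat_static"].get(desc, set())
            if ("udp", "500") not in st or ("esp", None) not in st:
                out.append(f"{side}: nat descriptor {desc} lacks static masquerade for udp 500 / esp")
        for k in sorted(d["ka_ref"] - d["ka_def"]):
            out.append(f"{side}: ip route references keepalive {k}, which is not defined")
    return out


if __name__ == "__main__":
    print(*(check(RT_A, RT_B) or ["no findings"]), sep="\n")
```

Run as-is the script reports the tunnel 2 name mismatch between rt-a-100 and rt-a-backup and nothing else; correct the name on either side and the report is empty. Dropping one of the esp passthrough lines from RT_B adds a finding for that NAT descriptor, which is the failure mode that shows up in practice as "tunnel 1 works, tunnel 2 never comes up" after a failover.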
Related documents