Inu-chan Diary powered by Bluetooth™

Notice from Inu-chan

Thank you for visiting my blog site, but most of the entries are written in Japanese. If you have any question, please leave your message by clicking 'コメント' located in bottom of each entry.


UNIVERGE IX3110 / IX2215 / IX2105: IPsec IPv4-over-IPv6 tunnelling and L2TP configuration files for three sites (mixed environment: FLET'S with and without Hikari Denwa, plus au Hikari)

The configuration files below were put together by Inu-chan more or less ad hoc, using the manuals and similar material as reference, so they may contain vulnerabilities or defects.
They have not been checked by any third party at all, so take great care if you use any part, or all, of these settings in a real environment. Woof woof


Objectives
・ IPv6 connectivity at all three sites
・ Permanent VPN links between the three sites (IPsec, IPv4 over IPv6 tunnelling)
・ Access to servers at another site by NetBIOS name (= Windows computer name) from any site (requires a WINS server)
・ Printing to printers at another site
・ Remote PPTP access to each site from outside, from laptops, smartphones and the like (IPv4, at most 2 connections per site)

Infrastructure
Site A: FLET'S (NTT East) Giga Family Smart Type (v6 option, with Hikari Denwa) + @NIFTY (IPv6 connection option)
Site B: au Hikari Home (automatic IPv6 address assignment) + @NIFTY
Site C: FLET'S (NTT East) Mansion High-Speed Type (v6 option, no Hikari Denwa) + @NIFTY (IPv6 connection option)

Equipment
Site A: wall - GE-PON-ONU Type D - VG430i - IX3110 (LAN: 192.168.0.1) - miscellaneous devices
Site B: wall - ONU (model forgotten) - BL190HW (LAN: 192.168.100.1) - IX2105 (WAN: 192.168.100.2 / LAN: 192.168.1.1) - miscellaneous devices
Site C: wall - ONU (model forgotten) - IX2215 (LAN: 192.168.2.1) - miscellaneous devices

Site B: BL190HW settings. The BL190HW has to stay connected in the path; otherwise the IEEE 802.1X authentication that au Hikari performs every 24 hours rejects the link (>_<)
IPv4 → DHCP disabled; DMZ host IP address: 192.168.100.2 (so that every packet is forwarded to the IX2105)
IPv6 → RA: prefix delegation; DHCPv6: prefix delegation

IPv6 addresses
IX3110: ZONE:AAAA:IPV6:ADDR::1 (@NIFTY, static)
IX2105: ZONE:BBBB:IPV6:ADDR::1 (au Hikari; appears to be static, but DDNS is used just in case)
IX2215: ZONE:CCCC:IPV6:ADDR::1 (@NIFTY, static)

DDNS: MyDNS.JP
IX3110: AA.XX.mydns.jp
IX2105: BB.XX.mydns.jp
IX2215: CC.XX.mydns.jp

IX firmware
ver. 8.11.11

Configuration file, Site A: IX3110, FLET'S (with Hikari Denwa), @NIFTY
hostname IX3110-Zone-A
timezone +09 00
!
syslog ip host SYSLOG_HOST_ADDR
syslog timestamp datetime
!
username USER_NAME_FOR_IX3110_ZONE_A password plain PASSWORD_FOR_IX3110_ZONE_A administrator
!
ntp ipv6 enable
ntp server 2001:3a0:0:2001::27:123 ! ntp1.v6.mfeed.ad.jp
ntp server 2001:3a0:0:2005::57:123 ! ntp2.v6.mfeed.ad.jp
ntp server 2001:3a0:0:2006::87:123 ! ntp3.v6.mfeed.ad.jp
ntp interval 7200
!
logging buffered 2097152
logging subsystem all warn
logging timestamp datetime
!
ids ip type all action detect ! firmware version 8.10 or later required
ids ip type ip-header action discard
ids ip type icmp action discard
!
ip ufs-cache enable
ip route default GigaEthernet0.1
ip route 192.168.1.0/24 Tunnel1.0
ip route 192.168.2.0/24 Tunnel2.0
ip route 192.168.100.0/24 Tunnel1.0 ! to access BL190HW at Zone B
ip dhcp enable
ip access-list block-list deny ip src any dest any
ip access-list l2tp-list permit udp src any sport any dest any dport eq 500
ip access-list l2tp-list permit udp src any sport any dest any dport eq 4500
ip access-list permit-list permit ip src any dest any
ip access-list console-list permit ip src 192.168.0.0/24 dest 192.168.0.1/32
ip access-list console-list permit ip src 192.168.1.0/24 dest 192.168.0.1/32
ip access-list console-list permit ip src 192.168.2.0/24 dest 192.168.0.1/32
ip access-list dynamic dflt-list access permit-list
!
ipv6 ufs-cache enable
ipv6 dhcp enable
ipv6 access-list block-list deny ip src any dest any
ipv6 access-list console-list permit ip src ZONE:AAAA:IPV6:AD00::/56 dest ZONE:AAAA:IPV6:ADDR::1/128
ipv6 access-list dhcpv6-list permit udp src any sport eq 547 dest any dport eq 546
ipv6 access-list dhcpv6-list permit udp src any sport eq 546 dest any dport eq 547
ipv6 access-list icmpv6-list permit icmp src any dest any
ipv6 access-list permit-list permit ip src any dest any
ipv6 access-list zone-list permit ip src ZONE:CCCC:IPV6:ADDR::1/128 dest ZONE:AAAA:IPV6:ADDR::1/128
ipv6 access-list zone-list permit ip src-domain BB.XX.mydns.jp dest ZONE:AAAA:IPV6:ADDR::1/128
ipv6 access-list dynamic dflt-list access permit-list
!
ike nat-traversal
!
ike proposal ike-l2tp-1 encryption aes-256 hash sha group 1024-bit
ike proposal ike-l2tp-2 encryption aes hash sha group 1024-bit
ike proposal ike-l2tp-3 encryption 3des hash sha group 1024-bit
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1024-bit
!
ike policy ike-policy-1 peer-fqdn-ipv6 BB.XX.mydns.jp key AUTH_KEY_FOR_TUNNEL_ZONE_A-B ike-prop
!
ike policy ike-policy-2 peer ZONE:CCCC:IPV6:ADDR::1 key AUTH_KEY_FOR_TUNNEL_ZONE_A-C ike-prop
!
ike policy ike-l2tp peer any key AUTH_KEY_FOR_L2TP_ZONE_A ike-l2tp-1,ike-l2tp-2,ike-l2tp-3
!
ipsec autokey-proposal ipsec-l2tp-1 esp-aes-256 esp-sha
ipsec autokey-proposal ipsec-l2tp-2 esp-aes esp-sha
ipsec autokey-proposal ipsec-l2tp-3 esp-3des esp-sha
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha2-256
!
ipsec autokey-map ipsec-map-1 permit-list peer-fqdn-ipv6 BB.XX.mydns.jp ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-1 192.168.0.0/24
ipsec remote-id ipsec-map-1 192.168.1.0/24
!
ipsec autokey-map ipsec-map-2 permit-list peer ZONE:CCCC:IPV6:ADDR::1 ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-2 192.168.0.0/24
ipsec remote-id ipsec-map-2 192.168.2.0/24
!
ipsec dynamic-map ipsec-map permit-list ipsec-l2tp-1,ipsec-l2tp-2,ipsec-l2tp-3
!
ipv6 name-server 2404:1a8:7f01:a::3 ! Flets IPv6 DNS Primary
ipv6 name-server 2404:1a8:7f01:b::3 ! Flets IPv6 DNS Secondary
ip name-server 202.248.175.138 ! @NIFTY IPv4 DNS Primary for IPv6 option user
ip name-server 202.248.20.157 ! @NIFTY IPv4 DNS Secondary for IPv6 option user
dns cache enable
dns cache max-records 2048
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns ipv6 enable
proxy-dns ipv6 query-interval 1
!
ssh-server ip enable
ssh-server ip access-list console-list
ssh-server ipv6 enable
ssh-server ipv6 access-list console-list
!
http-server username USER_NAME_FOR_IX3110_ZONE_A
http-server ip access-list console-list
http-server ip enable
!
ddns enable
!
ppp profile @nifty-ipv4
authentication myname NIFTY_ID_FOR_ZONE_A
authentication password NIFTY_ID_FOR_ZONE_A NIFTY_PASSWORD_FOR_ZONE_A
!
ppp profile l2tp-ipsec
authentication request chap
authentication password L2TP_ID_FOR_ZONE_A L2TP_PASSWORD_FOR_ZONE_A
lcp pfc
lcp acfc
ipcp ip-compression
ipcp provide-remote-dns 202.248.175.138 202.248.20.157 ! useful from a certain country ;-)
ipcp provide-ip-address range 192.168.0.241 192.168.0.245
!
ip dhcp profile dhcpv4-sv
assignable-range 192.168.0.101 192.168.0.199
default-gateway 192.168.0.1
dns-server 192.168.0.1
option 44 ip WINS_SVR_ADDR_1 WINS_SVR_ADDR_2 ! to resolve NetBIOS name
!
ipv6 dhcp client-profile dhcpv6-cl
option-request dns-servers
ia-pd subscriber GigaEthernet1.0
!
ipv6 dhcp server-profile dhcpv6-sv
dns-server dhcp
!
ddns profile MyDNS-IPv4 ! MyDNS account required, visit http://www.mydns.jp for details.
url http://ipv4.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_A
password plain MYDNS_PASSWORD_FOR_ZONE_A
transport ip
source GigaEthernet0.1
update-interval 12
!
ddns profile MyDNS-IPv6
url http://ipv6.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_A
password plain MYDNS_PASSWORD_FOR_ZONE_A
transport ipv6
source GigaEthernet0.0
update-interval 12
!
device GigaEthernet0
!
device GigaEthernet1
!
device GigaEthernet2
shutdown
!
device GigaEthernet3
shutdown
!
interface GigaEthernet0.0
description IPv6 IPoE via flets
no ip address
ipv6 enable
ipv6 interface-identifier 00:00:00:00:00:00:00:01 ! to force the address to end in ::1
ipv6 address autoconfig receive-default
ipv6 dhcp client dhcpv6-cl
ipv6 tcp adjust-mss auto
ipv6 filter dhcpv6-list 1 in
ipv6 filter icmpv6-list 2 in
ipv6 filter zone-list 3 in
ipv6 filter block-list 100 in
ipv6 filter dhcpv6-list 1 out
ipv6 filter icmpv6-list 2 out
ipv6 filter dflt-list 100 out
no shutdown
!
interface GigaEthernet1.0
description IX3110 Zone A Intra
ip address 192.168.0.1/24
ip proxy-arp
ip dhcp binding dhcpv4-sv
ipv6 enable
ipv6 interface-identifier 00:00:00:00:00:00:00:01
ipv6 dhcp server dhcpv6-sv
ipv6 nd ra enable
ipv6 nd ra other-config-flag
no shutdown
!
interface GigaEthernet2.0
no ip address
shutdown
!
interface GigaEthernet3.0
no ip address
shutdown
!
interface GigaEthernet0.1
description @NIFTY IPv4 PPPoE via flets
encapsulation pppoe
auto-connect
ppp binding @nifty-ipv4
ip address ipcp
ip tcp adjust-mss auto
ip nat enable
ip nat translation max-entries 65535
ip napt enable
ip napt translation max-entries 65535
ip napt static GigaEthernet0.1 udp 500
ip napt static GigaEthernet0.1 udp 4500
ip filter l2tp-list 1 in
ip filter block-list 100 in
ip filter dflt-list 100 out
no shutdown
!
interface Loopback0.0
no ip address
!
interface Loopback1.0
no ip address
!
interface Null0.0
no ip address
!
interface Null1.0
no ip address
!
interface Tunnel1.0
description Tunnel to IX2105 Zone B
tunnel mode ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-1 df-bit ignore out
no shutdown
!
interface Tunnel2.0
description Tunnel to IX2215 Zone C
tunnel mode ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-2 df-bit ignore out
no shutdown
!
interface Tunnel10.0
description L2TP/IPsec 0
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec ! firmware version 8.10 or later required
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown
!
interface Tunnel11.0
description L2TP/IPsec 1
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown


Configuration file, Site B: IX2105, au Hikari
hostname IX2105-Zone-B
timezone +09 00
!
syslog ip host SYSLOG_HOST_ADDR
syslog timestamp datetime
!
username USER_NAME_FOR_IX2105_ZONE_B password plain PASSWORD_FOR_IX2105_ZONE_B administrator
!
ntp ipv6 enable
ntp server 2001:3a0:0:2001::27:123
ntp server 2001:3a0:0:2005::57:123
ntp server 2001:3a0:0:2006::87:123
ntp interval 7200
!
logging buffered 2097152
logging subsystem all warn
logging timestamp datetime
!
ids ip type all action detect
ids ip type ip-header action discard
ids ip type icmp action discard
!
ip ufs-cache enable
ip route default 192.168.100.1 GigaEthernet0.0 ! routing to the Internet via BL190HW
ip route 192.168.0.0/24 Tunnel0.0
ip route 192.168.2.0/24 Tunnel2.0
ip dhcp enable
ip access-list block-list deny ip src any dest any
ip access-list l2tp-list permit udp src any sport any dest any dport eq 500
ip access-list l2tp-list permit udp src any sport any dest any dport eq 4500
ip access-list permit-list permit ip src any dest any
ip access-list console-list permit ip src 192.168.0.0/24 dest 192.168.1.1/32
ip access-list console-list permit ip src 192.168.1.0/24 dest 192.168.1.1/32
ip access-list console-list permit ip src 192.168.2.0/24 dest 192.168.1.1/32
ip access-list dynamic dflt-list access permit-list
!
ipv6 ufs-cache enable
ipv6 dhcp enable
ipv6 access-list block-list deny ip src any dest any
ipv6 access-list console-list permit ip src ZONE:BBBB:IPV6:ADDY::/64 dest ZONE:BBBB:IPV6:ADDR::1/128
ipv6 access-list console-list permit ip src ZONE:BBBB:IPV6:ADDZ::/64 dest ZONE:BBBB:IPV6:ADDR::1/128
ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 547
ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 546
ipv6 access-list icmpv6-list permit icmp src any dest any
ipv6 access-list permit-list permit ip src any dest any
ipv6 access-list zone-list permit ip src ZONE:AAAA:IPV6:ADDR::1/128 dest-domain BB.XX.mydns.jp
ipv6 access-list zone-list permit ip src ZONE:CCCC:IPV6:ADDR::1/128 dest-domain BB.XX.mydns.jp
ipv6 access-list dynamic dflt-list access permit-list
!
ike nat-traversal
!
ike proposal ike-l2tp-1 encryption aes-256 hash sha group 1024-bit
ike proposal ike-l2tp-2 encryption aes hash sha group 1024-bit
ike proposal ike-l2tp-3 encryption 3des hash sha group 1024-bit
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1024-bit
!
ike policy ike-policy-0 peer ZONE:AAAA:IPV6:ADDR::1 key AUTH_KEY_FOR_TUNNEL_ZONE_A-B ike-prop
!
ike policy ike-policy-2 peer ZONE:CCCC:IPV6:ADDR::1 key AUTH_KEY_FOR_TUNNEL_ZONE_B-C ike-prop
!
ike policy ike-l2tp peer any key AUTH_KEY_FOR_L2TP_ZONE_B ike-l2tp-1,ike-l2tp-2,ike-l2tp-3
!
ipsec autokey-proposal ipsec-l2tp-1 esp-aes-256 esp-sha
ipsec autokey-proposal ipsec-l2tp-2 esp-aes esp-sha
ipsec autokey-proposal ipsec-l2tp-3 esp-3des esp-sha
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha2-256
!
ipsec autokey-map ipsec-map-0 permit-list peer ZONE:AAAA:IPV6:ADDR::1 ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-0 192.168.1.0/24
ipsec remote-id ipsec-map-0 192.168.0.0/24
!
ipsec autokey-map ipsec-map-2 permit-list peer ZONE:CCCC:IPV6:ADDR::1 ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-2 192.168.1.0/24
ipsec remote-id ipsec-map-2 192.168.2.0/24
!
ipsec dynamic-map ipsec-map permit-list ipsec-l2tp-1,ipsec-l2tp-2,ipsec-l2tp-3
!
ipv6 name-server 2001:268:fd07:4::1 ! cdns01.kddi.ne.jp
ipv6 name-server 2001:268:fd08:4::1 ! cdns02.kddi.ne.jp
ip name-server 106.187.2.33 ! cdns01.kddi.ne.jp
ip name-server 106.187.2.41 ! cdns02.kddi.ne.jp
dns cache enable
dns cache max-records 2048
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns ipv6 enable
proxy-dns ipv6 query-interval 1
!
ssh-server ip enable
ssh-server ip access-list console-list
ssh-server ipv6 enable
ssh-server ipv6 access-list console-list
!
http-server username USER_NAME_FOR_IX2105_ZONE_B
http-server ip access-list console-list
http-server ip enable
!
ddns enable
!
! check whether the site-to-site tunnels are alive and reconnect them if they are dead
watch-group zone-a 10
event 10 ip unreach-route 192.168.0.0/24 Tunnel0.0
action 10 ipsec clear-sa Tunnel0.0
!
network-monitor zone-a enable
network-monitor zone-a startup-delay 180
!
watch-group zone-c 10
event 10 ip unreach-route 192.168.2.0/24 Tunnel2.0
action 10 ipsec clear-sa Tunnel2.0
!
network-monitor zone-c enable
network-monitor zone-c startup-delay 180
!
ppp profile l2tp-ipsec
authentication request chap
authentication password L2TP_ID_FOR_ZONE_B L2TP_PASSWORD_FOR_ZONE_B
lcp pfc
lcp acfc
ipcp ip-compression
ipcp provide-remote-dns 106.187.2.33 106.187.2.41
ipcp provide-ip-address range 192.168.1.211 192.168.1.215
!
ip dhcp profile dhcpv4-sv
assignable-range 192.168.1.101 192.168.1.199
default-gateway 192.168.1.1
dns-server 106.187.2.33 106.187.2.41
option 44 ip WINS_SVR_ADDR_1 WINS_SVR_ADDR_2
!
ipv6 dhcp client-profile dhcpv6-cl
option-request dns-servers
ia-pd subscriber GigaEthernet1.0
!
ipv6 dhcp server-profile dhcpv6-sv
dns-server dhcp
!
ddns profile MyDNS-IPv4
url http://ipv4.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_B
password plain MYDNS_PASSWORD_FOR_ZONE_B
transport ip
source GigaEthernet0.0
update-interval 12
!
ddns profile MyDNS-IPv6
url http://ipv6.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_B
password plain MYDNS_PASSWORD_FOR_ZONE_B
transport ipv6
source GigaEthernet0.0
update-interval 12
!
device GigaEthernet0
!
device GigaEthernet1
!
interface GigaEthernet0.0 ! no authentication required for IPv4, thanks to BL190HW ;-)
description AU HIKARI
ip address 192.168.100.2/24 ! to belong to BL190HW's world
ip tcp adjust-mss auto
ip napt enable
ip filter camera 1 in ! access-list "camera" is not defined anywhere in this listing
ip filter l2tp-list 2 in
ip filter block-list 100 in
ip filter dflt-list 100 out
ipv6 enable
ipv6 interface-identifier 00:00:00:00:00:00:00:01
ipv6 address autoconfig receive-default
ipv6 dhcp client dhcpv6-cl
ipv6 tcp adjust-mss auto
ipv6 filter dhcpv6-list 1 in
ipv6 filter icmpv6-list 2 in
ipv6 filter zone-list 3 in
ipv6 filter block-list 100 in
ipv6 filter dhcpv6-list 1 out
ipv6 filter icmpv6-list 2 out
ipv6 filter dflt-list 100 out
no shutdown
!
interface GigaEthernet1.0
description IX2105 Zone B Intra
ip address 192.168.1.1/24
ip proxy-arp
ip dhcp binding dhcpv4-sv
ipv6 enable
ipv6 interface-identifier 00:00:00:00:00:00:00:01
ipv6 dhcp server dhcpv6-sv
ipv6 nd ra enable
ipv6 nd ra other-config-flag
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
!
interface Null1.0
no ip address
!
interface Tunnel0.0
description Tunnel to IX3110 Zone A
tunnel mode ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-0 df-bit ignore out
no shutdown
!
interface Tunnel2.0
description Tunnel to IX2215 Zone C
tunnel mode ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-2 df-bit ignore out
no shutdown
!
interface Tunnel10.0
description L2TP/IPsec 0
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown
!
interface Tunnel11.0
description L2TP/IPsec 1
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec
ip unnumbered GigaEthernet1.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown


Configuration file, Site C: IX2215, FLET'S (no Hikari Denwa), @NIFTY
hostname IX2215-Zone-C
timezone +09 00
!
syslog ip host SYSLOG_HOST_ADDR
syslog timestamp datetime
!
username USER_NAME_FOR_IX2215_ZONE_C password plain PASSWORD_FOR_IX2215_ZONE_C administrator
!
ntp ipv6 enable
ntp server 2001:3a0:0:2001::27:123
ntp server 2001:3a0:0:2005::57:123
ntp server 2001:3a0:0:2006::87:123
ntp interval 7200
!
logging buffered 2097152
logging subsystem all warn
logging timestamp datetime
!
! MAC filter for IPv6 bridging
access-list mflt-list permit src any dest any type ipv6
access-list mflt-list permit src any dest any type ip ! permit IPv4 at the MAC filter here, and...
!
ids ip type all action detect
ids ip type ip-header action discard
ids ip type icmp action discard
!
ip ufs-cache enable
ip route default GigaEthernet0.1
ip route 192.168.0.0/24 Tunnel0.0
ip route 192.168.1.0/24 Tunnel1.0
ip route 192.168.100.0/24 Tunnel1.0
ip dhcp enable
ip access-list block-list deny ip src any dest any
ip access-list l2tp-list permit udp src any sport any dest any dport eq 500
ip access-list l2tp-list permit udp src any sport any dest any dport eq 4500
ip access-list permit-list permit ip src any dest any
ip access-list console-list permit ip src 192.168.0.0/24 dest 192.168.2.1/32
ip access-list console-list permit ip src 192.168.1.0/24 dest 192.168.2.1/32
ip access-list console-list permit ip src 192.168.2.0/24 dest 192.168.2.1/32
ip access-list dynamic dflt-list access permit-list
!
ipv6 ufs-cache enable
ipv6 access-list block-list deny ip src any dest any
ipv6 access-list icmpv6-list permit icmp src any dest any
ipv6 access-list permit-list permit ip src any dest any
ipv6 access-list zone-list permit ip src ZONE:AAAA:IPV6:ADDR::1/128 dest ZONE:CCCC:IPV6:ADDR::1/128
ipv6 access-list zone-list permit ip src-domain BB.XX.mydns.jp dest ZONE:CCCC:IPV6:ADDR::1/128
ipv6 access-list dynamic dflt-list access permit-list
!
ike nat-traversal
!
ike proposal ike-l2tp-1 encryption aes-256 hash sha group 1024-bit
ike proposal ike-l2tp-2 encryption aes hash sha group 1024-bit
ike proposal ike-l2tp-3 encryption 3des hash sha group 1024-bit
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1024-bit
!
ike policy ike-policy-0 peer ZONE:AAAA:IPV6:ADDR::1 key AUTH_KEY_FOR_TUNNEL_ZONE_A-C ike-prop
!
ike policy ike-policy-1 peer-fqdn-ipv6 BB.XX.mydns.jp key AUTH_KEY_FOR_TUNNEL_ZONE_B-C ike-prop
!
ike policy ike-l2tp peer any key AUTH_KEY_FOR_L2TP_ZONE_C ike-l2tp-1,ike-l2tp-2,ike-l2tp-3
!
ipsec autokey-proposal ipsec-l2tp-1 esp-aes-256 esp-sha
ipsec autokey-proposal ipsec-l2tp-2 esp-aes esp-sha
ipsec autokey-proposal ipsec-l2tp-3 esp-3des esp-sha
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha2-256
!
ipsec autokey-map ipsec-map-0 permit-list peer ZONE:AAAA:IPV6:ADDR::1 ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-0 192.168.2.0/24
ipsec remote-id ipsec-map-0 192.168.0.0/24
!
ipsec autokey-map ipsec-map-1 permit-list peer-fqdn-ipv6 BB.XX.mydns.jp ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-1 192.168.2.0/24
ipsec remote-id ipsec-map-1 192.168.1.0/24
!
ipsec dynamic-map ipsec-map permit-list ipsec-l2tp-1,ipsec-l2tp-2,ipsec-l2tp-3
!
bridge irb enable ! IPv6 bridging configuration
no bridge 1 bridge ip ! ...then keep IPv4 out of the bridge so that only IPv6 is bridged
!
ipv6 name-server 2404:1a8:7f01:a::3
ipv6 name-server 2404:1a8:7f01:b::3
ip name-server 202.248.175.138
ip name-server 202.248.20.157
dns cache enable
dns cache max-records 2048
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns ipv6 enable
proxy-dns ipv6 query-interval 1
!
ssh-server ip enable
ssh-server ip access-list console-list
!
http-server username USER_NAME_FOR_IX2215_ZONE_C
http-server ip access-list console-list
http-server ip enable
!
ddns enable
!
ppp profile @nifty-ipv4
authentication myname NIFTY_ID_FOR_ZONE_C
authentication password NIFTY_ID_FOR_ZONE_C NIFTY_PASSWORD_FOR_ZONE_C
!
ppp profile l2tp-ipsec
authentication request chap
authentication password L2TP_ID_FOR_ZONE_C L2TP_PASSWORD_FOR_ZONE_C
lcp pfc
lcp acfc
ipcp ip-compression
ipcp provide-remote-dns 202.248.175.138 202.248.20.157
ipcp provide-ip-address range 192.168.2.201 192.168.2.205
!
ip dhcp profile dhcpv4-sv
assignable-range 192.168.2.101 192.168.2.199
dns-server 192.168.2.1 ! note: unlike Sites A and B, this profile sets no default-gateway
option 44 ip WINS_SVR_ADDR_1 WINS_SVR_ADDR_2
!
ddns profile MyDNS-IPv4
url http://ipv4.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_C
password plain MYDNS_PASSWORD_FOR_ZONE_C
transport ip
source GigaEthernet0.1
update-interval 12
!
ddns profile MyDNS-IPv6
url http://ipv6.mydns.jp/login.html
account MYDNS_ID_FOR_ZONE_C
password plain MYDNS_PASSWORD_FOR_ZONE_C
transport ipv6
source GigaEthernet0.0
update-interval 12
!
device GigaEthernet0
!
device GigaEthernet1
shutdown
!
device GigaEthernet2
!
device BRI0 ! the BRI device itself cannot be shut down...
isdn switch-type hsd128k
!
device USB0
shutdown
!
interface GigaEthernet0.0
description IPv6 IPoE via flets
filter mflt-list 1 in
no ip address
ipv6 enable
ipv6 interface-identifier 00:00:00:00:00:00:00:01
ipv6 address autoconfig receive-default
ipv6 tcp adjust-mss auto
ipv6 filter icmpv6-list 1 in
ipv6 filter zone-list 2 in ! the listing originally applied "flt-list", which is defined nowhere; zone-list (defined above) is the list intended here
ipv6 filter block-list 100 in
ipv6 filter icmpv6-list 1 out
ipv6 filter dflt-list 100 out
bridge-group 1 ! IPv6 bridging configuration
no shutdown
!
interface GigaEthernet1.0
no ip address
shutdown
!
interface GigaEthernet2.0 ! GigaEthernet1 is normally the LAN port; GigaEthernet2 is used here instead
description IX2215 Zone C Intra
filter mflt-list 1 in
ip address 192.168.2.1/24
ip proxy-arp
ip dhcp binding dhcpv4-sv
bridge-group 1 ! IPv6 bridging configuration
no shutdown
!
interface BRI0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
interface USB-Serial0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
interface GigaEthernet0.1
description @NIFTY IPv4 PPPoE via flets
encapsulation pppoe
auto-connect
ppp binding @nifty-ipv4
ip address ipcp
ip tcp adjust-mss auto
ip napt enable
ip napt static GigaEthernet0.1 udp 500
ip napt static GigaEthernet0.1 udp 4500
ip filter l2tp-list 1 in
ip filter block-list 100 in
ip filter dflt-list 100 out
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
!
interface Null1.0
no ip address
!
interface Tunnel0.0
description Tunnel to IX3110 Zone A
tunnel mode ipsec
ip unnumbered GigaEthernet2.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-0 df-bit ignore out
no shutdown
!
interface Tunnel1.0
description Tunnel to IX2105 Zone B
tunnel mode ipsec
ip unnumbered GigaEthernet2.0
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map-1 df-bit ignore out
no shutdown
!
interface Tunnel10.0
description L2TP/IPsec 0
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec
ip unnumbered GigaEthernet2.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown
!
interface Tunnel11.0
description L2TP/IPsec 1
ppp binding l2tp-ipsec
tunnel mode l2tp ipsec
ip unnumbered GigaEthernet2.0
ip tcp adjust-mss auto
ipsec policy transport ipsec-map
no shutdown
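The three listings above are cross-checked here with an added Python example that is not part of the original post. It assumes the IX line syntax exactly as it appears above (the regular expressions and the two site excerpts are constructed from those lines) and flags two things a reviewer wants to know before loading such a file: filter lists applied by `ip filter`/`ipv6 filter` that no `access-list` line defines, and site-to-site autokey-maps whose local-id/remote-id selectors and pre-shared key placeholder are not mirrored on the peer router.

```python
# Added example, not from the original post: lint the IX listings above.
import re
FILTER_RE = re.compile(r"^(ip|ipv6) filter (\S+) \d+ (?:in|out)$")
ACL_RE = re.compile(r"^(ip|ipv6) access-list (?:dynamic )?(\S+) ")
IKE_RE = re.compile(r"^ike policy \S+ peer(?:-fqdn-ipv6)? (\S+) key (\S+) ")
MAP_RE = re.compile(r"^ipsec autokey-map (\S+) \S+ peer(?:-fqdn-ipv6)? (\S+) ")
ID_RE = re.compile(r"^ipsec (local|remote)-id (\S+) (\S+)$")

def lines(config):  # strip IX-style "!" comments and blank lines
    return [l for l in (r.split("!")[0].strip() for r in config.splitlines()) if l]

def undefined_filter_lists(config):
    """(family, name) pairs applied by `ip/ipv6 filter` but never defined."""
    defined, used = set(), set()
    for line in lines(config):
        m = ACL_RE.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
        m = FILTER_RE.match(line)
        if m:
            used.add((m.group(1), m.group(2)))
    return sorted(used - defined)

def ipsec_peers(config):
    """{peer: {'local': net, 'remote': net, 'key': psk}} for each autokey-map."""
    peer_of_map, key_of_peer, peers = {}, {}, {}
    for line in lines(config):
        m = IKE_RE.match(line)
        if m:
            key_of_peer[m.group(1)] = m.group(2)
        m = MAP_RE.match(line)
        if m:
            peer_of_map[m.group(1)] = m.group(2)
        m = ID_RE.match(line)
        if m and m.group(2) in peer_of_map:
            peers.setdefault(peer_of_map[m.group(2)], {})[m.group(1)] = m.group(3)
    for peer, info in peers.items():
        info["key"] = key_of_peer.get(peer)  # None if no ike policy names this peer
    return peers

def mirror_problems(cfg_a, cfg_b, a_seen_by_b, b_seen_by_a):
    """Findings when A's map toward B and B's map toward A do not match."""
    a = ipsec_peers(cfg_a).get(b_seen_by_a)
    b = ipsec_peers(cfg_b).get(a_seen_by_b)
    if not a or not b:
        return ["autokey-map toward the peer is missing on one side"]
    problems = []
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        problems.append("local-id/remote-id selectors are not mirrored")
    if a["key"] != b["key"]:
        problems.append("pre-shared key placeholders differ")
    return problems

# Constructed excerpts of the Site A and Site B listings above (not complete files).
SITE_A = """\
ike policy ike-policy-1 peer-fqdn-ipv6 BB.XX.mydns.jp key AUTH_KEY_FOR_TUNNEL_ZONE_A-B ike-prop
ipsec autokey-map ipsec-map-1 permit-list peer-fqdn-ipv6 BB.XX.mydns.jp ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-1 192.168.0.0/24
ipsec remote-id ipsec-map-1 192.168.1.0/24
"""
SITE_B = """\
ip access-list l2tp-list permit udp src any sport any dest any dport eq 500
ike policy ike-policy-0 peer ZONE:AAAA:IPV6:ADDR::1 key AUTH_KEY_FOR_TUNNEL_ZONE_A-B ike-prop
ipsec autokey-map ipsec-map-0 permit-list peer ZONE:AAAA:IPV6:ADDR::1 ipsec-prop pfs 1024-bit
ipsec local-id ipsec-map-0 192.168.1.0/24
ipsec remote-id ipsec-map-0 192.168.0.0/24
ip filter camera 1 in
ip filter l2tp-list 2 in
"""
```

Run against the Site B excerpt it reports the `camera` list, which is applied on GigaEthernet0.0 but defined nowhere in that file, while the A-B tunnel pair passes the mirror check.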

Posted 2014/08/15 (Fri) 18:09:50 | Category: UNIVERGE | Trackbacks: 0 | Comments: 0