三歩あるけば物も忘れる

2.InternetVPN-ルータ設定

ルータのコンフィグ

環境は壊しているので、ほぼそのまま載せています。
グローバルIPとかプロバイダのID/PASS等は、自身の環境に合わせてください。
ルータのコンフィグ詳細

        
          
          
              
              version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime year
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
!
no aaa new-model
memory-size iomem 15
clock timezone JST 9 0
clock calendar-valid
!
ip dhcp pool local
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8
 lease 0 12
!
no ip bootp server
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto keyring keyring-vpn-0ada7a730210c6111-1
  local-address [グローバルIP]
  pre-shared-key address 54.150.123.186 key q9ZYd6cgI0lJ2H.a3.W5JbPtULcmVudb
crypto keyring keyring-vpn-0ada7a730210c6111-0
  local-address [グローバルIP]
  pre-shared-key address 13.114.74.240 key 61UDVs4fNMCf7o8SAxFFafpSottRt9lP
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-0ada7a730210c6111-0
   keyring keyring-vpn-0ada7a730210c6111-0
   match identity address 13.114.74.240 255.255.255.255
   local-address [グローバルIP]
crypto isakmp profile isakmp-vpn-0ada7a730210c6111-1
   keyring keyring-vpn-0ada7a730210c6111-1
   match identity address 54.150.123.186 255.255.255.255
   local-address [グローバルIP]
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-0ada7a730210c6111-0 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-0ada7a730210c6111-1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-0ada7a730210c6111-0
 set transform-set ipsec-prop-vpn-0ada7a730210c6111-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-0ada7a730210c6111-1
 set transform-set ipsec-prop-vpn-0ada7a730210c6111-1
 set pfs group2
!
interface Tunnel1
 ip address 169.254.57.246 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source [グローバルIP]
 tunnel mode ipsec ipv4
 tunnel destination 13.114.74.240
 tunnel protection ipsec profile ipsec-vpn-0ada7a730210c6111-0
!
interface Tunnel2
 ip address 169.254.175.90 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source [グローバルIP]
 tunnel mode ipsec ipv4
 tunnel destination 54.150.123.186
 tunnel protection ipsec profile ipsec-vpn-0ada7a730210c6111-1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet1
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet3
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet4
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet5
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet6
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet7
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 mtu 1454
 bandwidth 1048576
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1414
 dialer pool 1
 dialer-group 1
 ppp mtu adaptive
 ppp authentication chap callin
 ppp chap hostname [プロバイダのID]
 ppp chap password [プロバイダのPASS]
 no cdp enable
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.57.245 remote-as 64512
 neighbor 169.254.57.245 timers 10 30 30
 neighbor 169.254.175.89 remote-as 64512
 neighbor 169.254.175.89 timers 10 30 30
 !
 address-family ipv4
  network 0.0.0.0
  neighbor 169.254.57.245 activate
  neighbor 169.254.57.245 default-originate
  neighbor 169.254.57.245 soft-reconfiguration inbound
  neighbor 169.254.175.89 activate
  neighbor 169.254.175.89 default-originate
  neighbor 169.254.175.89 soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny   tcp any any range 137 139
access-list 100 deny   tcp any range 137 139 any
access-list 100 deny   udp any any range netbios-ns netbios-ss
access-list 100 deny   udp any range netbios-ns netbios-ss any
access-list 100 deny   tcp any any eq 445
access-list 100 deny   tcp any eq 445 any
access-list 100 deny   udp any any eq 445
access-list 100 deny   udp any eq 445 any
access-list 100 deny   tcp any any eq telnet
access-list 100 deny   tcp any any eq bgp
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit ip any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 exec-timeout 0 0
 password [PASS]
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

            

        
      
AWS, VPN, VPC
2.InternetVPN-ルータ設定

ルータのコンフィグ

ルータのコンフィグ詳細

コメント
