Aws:Site-to-SiteVPN:InternetVPN-RouterSettings02
10. Router configuration example behind a NAT device
Topology
NEC router (Aterm WR8750N) settings
■Basic settings
・IP address: 192.168.0.1
■VPN settings
・IPsec passthrough: enabled
■Static routing entry
・Destination: 192.168.1.0/24
・Gateway: 192.168.0.254
■Port mapping settings
・LAN-side host: 192.168.0.254
・Protocol: UDP
・Ports: 500 and 4500
Customer gateway (Cisco C891FJ) settings
Overview
Apply the settings below, then take the configuration sample downloaded from AWS, replace every occurrence of the customer gateway's global IP address with 192.168.0.254 (the router's address behind the NAT device), and paste the result into the router.
■access-list 100
・access-list 100 permit udp any any eq isakmp
・access-list 100 permit udp any any eq non500-isakmp
■GE8
・ip address 192.168.0.254 255.255.255.0
・ip access-group 100 in
■vlan10
・ip address 192.168.1.1 255.255.255.0
■GE0-7
・switchport mode access
・switchport access vlan 10
■DHCP
・ip dhcp pool local
・network 192.168.1.0 255.255.255.0
・default-router 192.168.1.1
・dns-server 8.8.8.8
・lease 0 12
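The procedure above (configure the local prerequisites, then paste in the AWS sample with the customer gateway's global IP replaced by 192.168.0.254) can be scripted and then checked against what a gateway behind NAT depends on: every IKE/IPsec source address is the inside address, the AWS peers are still global addresses, UDP/500 and UDP/4500 are admitted by the ACL bound inbound on the WAN interface, and DPD keepalives are on. The Python below is an added example, not tooling from this page or from AWS. AWS_SAMPLE is a constructed, trimmed stand-in for the AWS-generated Cisco sample: 203.0.113.10 as the gateway's global IP and REPLACE_WITH_PSK as the key are placeholders, while the peer address 35.76.128.207 is the first AWS endpoint from this page's config. The names rewrite_for_nat, interface_block, check_nat_prereqs and build_cgw_config are this example's own.

```python
"""Added example, not tooling from this wiki page: take the AWS-generated Cisco
sample, swap the customer gateway's global IP for its NAT-inside address, and
verify the prerequisites a customer gateway behind a NAT device depends on."""
import ipaddress
import re

# Constructed stand-in for the AWS configuration sample (trimmed to one tunnel).
# 203.0.113.10 plays the CGW's global IP as AWS prints it; the peer address is
# the first AWS endpoint shown in this page's config; the PSK is a placeholder.
AWS_SAMPLE = """\
crypto keyring keyring-vpn-EXAMPLE-0
  local-address 203.0.113.10
  pre-shared-key address 35.76.128.207 key REPLACE_WITH_PSK
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-EXAMPLE-0
  keyring keyring-vpn-EXAMPLE-0
  match identity address 35.76.128.207 255.255.255.255
  local-address 203.0.113.10
!
interface Tunnel1
  ip address 169.254.95.90 255.255.255.252
  tunnel source 203.0.113.10
  tunnel mode ipsec ipv4
  tunnel destination 35.76.128.207
  tunnel protection ipsec profile ipsec-vpn-EXAMPLE-0
!
"""

# The lines this page asks you to configure before pasting the sample in:
# the WAN interface holding the inside address, and the ACL admitting
# IKE (UDP/500) and NAT-T (UDP/4500) inbound.
LOCAL_BASE = """\
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
!
interface GigabitEthernet8
  ip address 192.168.0.254 255.255.255.0
  ip access-group 100 in
!
"""

CGW_GLOBAL_IP = "203.0.113.10"   # constructed: the public address AWS printed
CGW_INSIDE_IP = "192.168.0.254"  # from the page: router address behind the NAT device


def rewrite_for_nat(config: str, global_ip: str, inside_ip: str) -> str:
    """Replace whole-token occurrences of global_ip with inside_ip, so that
    203.0.113.100 is left alone when 203.0.113.10 is being replaced."""
    pattern = r"(?<![\d.])" + re.escape(global_ip) + r"(?![\d.])"
    return re.sub(pattern, inside_ip, config)


def interface_block(config: str, name: str) -> str:
    """Return the body lines of the 'interface <name>' stanza, stripped."""
    body, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1] == name
            continue
        if inside and not line.startswith(" "):   # '!' or next top-level command
            break
        if inside:
            body.append(line.strip())
    return "\n".join(body)


def check_nat_prereqs(config: str, inside_ip: str,
                      wan_intf: str = "GigabitEthernet8", acl: str = "100") -> dict:
    """Each key is one thing the NAT-behind setup depends on; True means satisfied."""
    local_addrs = re.findall(r"^\s*(?:local-address|tunnel source)\s+(\S+)", config, re.M)
    peers = re.findall(r"^\s*tunnel destination\s+(\S+)", config, re.M)
    acl_ports = re.findall(rf"^access-list {acl} permit udp any any eq (\S+)$", config, re.M)
    wan = interface_block(config, wan_intf)
    return {
        # IKE/IPsec must be sourced from the inside address the NAT device maps
        "local_is_inside": bool(local_addrs) and all(a == inside_ip for a in local_addrs),
        # the AWS endpoints stay globally routable (they must not be rewritten)
        "peers_are_global": bool(peers) and all(ipaddress.ip_address(p).is_global for p in peers),
        # UDP/500 and UDP/4500 are admitted ...
        "ike_udp_allowed": {"isakmp", "non500-isakmp"} <= set(acl_ports),
        # ... by the ACL bound inbound on the WAN interface
        "acl_on_wan_inbound": f"ip access-group {acl} in" in wan,
        # DPD keepalives notice a NAT mapping that silently expired
        "dpd_enabled": re.search(r"^crypto isakmp keepalive", config, re.M) is not None,
    }


def build_cgw_config() -> str:
    """The page's procedure: local prerequisites first, then the rewritten sample."""
    return LOCAL_BASE + rewrite_for_nat(AWS_SAMPLE, CGW_GLOBAL_IP, CGW_INSIDE_IP)


if __name__ == "__main__":
    cfg = build_cgw_config()
    for name, ok in check_nat_prereqs(cfg, CGW_INSIDE_IP).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Running the script prints PASS for all five checks on the assembled configuration; running check_nat_prereqs on the untouched AWS_SAMPLE fails local_is_inside, ike_udp_allowed and acl_on_wan_inbound, which is exactly the state of a gateway that had the sample pasted in without this page's preparation. The ACL checks mirror the NEC router's UDP 500/4500 port mapping: the NAT device forwards those ports to 192.168.0.254, and access-list 100 is what lets them through once they arrive on GigabitEthernet8.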
Configuration details
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
memory-size iomem 15
!
ip dhcp pool local
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease 0 12
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891FJ-K9 sn FGL184824RF
!
crypto keyring keyring-vpn-06b6d3b575394e660-0
  local-address 192.168.0.254
  pre-shared-key address 35.76.128.207 key HmXGlZz55N2mHfVeyC8UfdzW8PqDSGRy
crypto keyring keyring-vpn-06b6d3b575394e660-1
  local-address 192.168.0.254
  pre-shared-key address 52.193.194.127 key qO6Uu.AbQluN4GdKz55v4o8sZavwNH3U
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-06b6d3b575394e660-0
   keyring keyring-vpn-06b6d3b575394e660-0
   match identity address 35.76.128.207 255.255.255.255
   local-address 192.168.0.254
crypto isakmp profile isakmp-vpn-06b6d3b575394e660-1
   keyring keyring-vpn-06b6d3b575394e660-1
   match identity address 52.193.194.127 255.255.255.255
   local-address 192.168.0.254
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-06b6d3b575394e660-0 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-06b6d3b575394e660-1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-06b6d3b575394e660-0
 set transform-set ipsec-prop-vpn-06b6d3b575394e660-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-06b6d3b575394e660-1
 set transform-set ipsec-prop-vpn-06b6d3b575394e660-1
 set pfs group2
!
interface Tunnel1
 ip address 169.254.95.90 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source 192.168.0.254
 tunnel mode ipsec ipv4
 tunnel destination 35.76.128.207
 tunnel protection ipsec profile ipsec-vpn-06b6d3b575394e660-0
!
interface Tunnel2
 ip address 169.254.109.162 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source 192.168.0.254
 tunnel mode ipsec ipv4
 tunnel destination 52.193.194.127
 tunnel protection ipsec profile ipsec-vpn-06b6d3b575394e660-1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Async3
 no ip address
 encapsulation slip
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.95.89 remote-as 64512
 neighbor 169.254.95.89 timers 10 30 30
 neighbor 169.254.109.161 remote-as 64512
 neighbor 169.254.109.161 timers 10 30 30
 !
 address-family ipv4
  network 0.0.0.0
  neighbor 169.254.95.89 activate
  neighbor 169.254.95.89 default-originate
  neighbor 169.254.95.89 soft-reconfiguration inbound
  neighbor 169.254.109.161 activate
  neighbor 169.254.109.161 default-originate
  neighbor 169.254.109.161 soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
!
end
Aws/Site-to-SiteVPN/InternetVPN-RouterSettings02.txt · Last modified: 2023/02/09 by admin