VPN(トンネル・エンドポイント・ディスカバリ 6)
「VPN(トンネル・エンドポイント・ディスカバリ 5)」の続きです。
ここでは、各ルータのコンフィグを紹介していきます。
※Router_B、Router_CのE0は、「no keepalive」コマンドで、強制的にUPさせます。
各ルータの設定は、以下のようになります。
●Router_Aの設定
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map MAP-IPSEC 1
set transform-set TS-IPSEC
match address 100
crypto dynamic-map MAP-IPSEC 2
set transform-set TS-IPSEC
match address 101
!
crypto map TEDTAG 1 ipsec-isakmp dynamic MAP-IPSEC discover
!
interface Ethernet0
ip address 172.16.0.1 255.255.0.0
half-duplex
!
interface FastEthernet0
ip address 20.0.0.1 255.0.0.0
speed auto
crypto map TEDTAG
!
ip forward-protocol nd
ip route 172.17.0.0 255.255.0.0 20.0.0.2
ip route 172.18.0.0 255.255.0.0 20.0.0.3
no ip http server
no ip http secure-server
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
●Router_Bの設定
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map MAP-IPSEC 1
set transform-set TS-IPSEC
match address 100
crypto dynamic-map MAP-IPSEC 2
set transform-set TS-IPSEC
match address 101
!
crypto map TEDTAG 1 ipsec-isakmp dynamic MAP-IPSEC discover
!
interface Ethernet0
ip address 172.17.0.1 255.255.0.0
half-duplex
no keepalive
!
interface FastEthernet0
ip address 20.0.0.2 255.0.0.0
speed auto
crypto map TEDTAG
!
ip forward-protocol nd
ip route 172.16.0.0 255.255.0.0 20.0.0.1
ip route 172.18.0.0 255.255.0.0 20.0.0.3
no ip http server
no ip http secure-server
!
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
●Router_Cの設定
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_C
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map MAP-IPSEC 1
set transform-set TS-IPSEC
match address 100
crypto dynamic-map MAP-IPSEC 2
set transform-set TS-IPSEC
match address 101
!
crypto map TEDTAG 1 ipsec-isakmp dynamic MAP-IPSEC discover
!
interface Ethernet0
ip address 172.18.0.1 255.255.0.0
half-duplex
no keepalive
!
interface FastEthernet0
ip address 20.0.0.3 255.0.0.0
speed auto
crypto map TEDTAG
!
ip forward-protocol nd
ip route 172.16.0.0 255.255.0.0 20.0.0.1
ip route 172.17.0.0 255.255.0.0 20.0.0.2
no ip http server
no ip http secure-server
!
access-list 100 permit ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
続きは、次の「VPN(トンネル・エンドポイント・ディスカバリ 7)」で、設定した3拠点によるTEDの構成を検証していきます。