monitor-group monitor2 enable
14.3. Failing over by configuring multiple IPsec tunnels to the same IP address
Multiple IPsec tunnels can be configured toward the same IP address. The following describes a configuration in which two IPsec tunnels are set up toward the same IP address, and the route is switched to the other IPsec tunnel when one IPsec path fails. This configuration example assumes the following environment.
・Device A communicates with Device B over IPsec via a PPPoE line and via a mobile line that uses the built-in module.
・On Device A, two IPsec tunnels are configured toward the single WAN interface IP address of Device B.
・Under normal conditions, traffic for the 10.0.0.x addresses goes through IPsec1 and traffic for the 192.168.1.x addresses goes through IPsec2.
・Device A and Device B monitor each other as hosts through IPsec1 using the network monitor function. When a failure occurs on the monitored path, the communication path is switched to the IPsec2 path.
■ Connection topology
■ Configuration overview
The following settings are configured.
・LAN interface settings
・WAN interface settings
・Routing settings
・IPsec interface settings
・Network monitor settings
[Figure: connection topology. Device A (WAN: PPPoE with a dynamic IP, and ME0 mobile line through a mobile carrier with a dynamic IP; LAN: 10.0.0.0/24 and 192.168.1.0/24) connects to Device B (fixed IP 192.0.1.1, with 192.0.1.2 on the WAN side; LAN: 10.0.100.0/24 and 192.168.100.0/24, GW .100) over IPsec1 and IPsec2, with host monitoring between the two devices. IKE mode: Aggressive; IPsec communication mode: Tunnel; encryption: AES (256 bit); authentication: SHA2; DH group: 768 bit.]
■ Configuration (version used to create the config: Ver7.4.1)
[Device A: WA2611-AP configuration]
!
hostname WA2611-AP
!
ppp profile pppoe
  authentication username [email protected]
  authentication password plain test
!
interface GigaEthernet0.0
  no ip address
  encapsulation PPPoE0
  no shutdown
!
interface GigaEthernet1.0
  vlan-type port VLAN1 port 1 2
  vlan-type port VLAN2 port 3 4
  no ip address
  no shutdown
!
interface PPPoE0
  ip address ipcp
  ip tcp adjust-mss auto
  ppp profile pppoe
  auto-connect
  ip napt enable
  ip napt reserve udp 500
  ip napt reserve esp
  ip napt reserve icmp
  no shutdown
!
interface Loopback0.0
  ip address 10.0.200.1/32
  no shutdown
!
interface MobileEthernet0.0
  ip address dhcp
  ip tcp adjust-mss auto
  ip napt enable
  ip napt reserve udp 500
  ip napt reserve esp
  ip napt reserve icmp
  mobile id IP example.net
  mobile username test
  mobile password plain test
  auto-connect
  no shutdown
!
interface IPsec1
  ip address unnumbered
  ipsec map ipsec1
  no shutdown
!
interface IPsec2
  ip address unnumbered
  ipsec map ipsec2
  no shutdown
!
interface VLAN1
  ip address 10.0.0.254/24
  no shutdown
!
interface VLAN2
  ip address 192.168.1.254/24
  no shutdown
!
ip route 10.0.200.100/32 IPsec1
ip route 10.0.100.0/24 IPsec1
ip route 192.168.100.0/24 IPsec2
!
network-monitor monitor1
  monitor interval occurrence 10 5
  monitor interval restorer 10
  monitor counter occurrence 3
  monitor counter restorer 5
  monitor startup-delay 10
  event ip unreach-host 10.0.200.100 interface IPsec1 source Loopback0.0
  action 10 route-del 10.0.100.0/24 IPsec1
  action 20 route-add 10.0.100.0/24 IPsec2
!
monitor-group monitor1 enable
!
ike proposal ipsec1
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
!
ike proposal ipsec2
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
!
ike policy ipsec1
  mode aggressive
  local-id key-id test01
  outgoing-interface PPPoE0 auto
  dpd-keepalive enable
  ph1 proposal ipsec1
  pre-shared-key plain test1
!
ike policy ipsec2
  mode aggressive
  local-id key-id test02
  outgoing-interface MobileEthernet0.0 auto
  dpd-keepalive enable
  ph1 proposal ipsec2
  pre-shared-key plain test2
!
ipsec proposal ipsec1
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec proposal ipsec2
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec policy ipsec1
  local-id 10.0.0.0/24
  remote-id 10.0.100.0/24
  rekey enable always
  proposal ipsec1
!
ipsec policy ipsec2
  local-id 192.168.1.0/24
  remote-id 192.168.100.0/24
  rekey enable always
  proposal ipsec2
!
ipsec profile ipsec1
  mode tunnel
  ipsec policy ipsec1
  ike policy ipsec1
  source PPPoE0
  peer 192.0.1.1
!
ipsec profile ipsec2
  mode tunnel
  ipsec policy ipsec2
  ike policy ipsec2
  source MobileEthernet0.0
  peer 192.0.1.1
!
[Device B: WA2610-AP configuration]
(version used to create the config: Ver7.4.1)
!
hostname CENTER-WA2610-AP
!
interface GigaEthernet0.0
  ip address 192.0.1.1/32
  ip napt enable
  ip napt reserve udp 500
  ip napt reserve esp
  ip napt reserve icmp
  no shutdown
!
interface GigaEthernet1.0
  vlan-type port VLAN1 port 1 2
  vlan-type port VLAN2 port 3 4
  no ip address
  no shutdown
!
interface Loopback0.0
  ip address 10.0.200.100/32
  no shutdown
!
interface IPsec1
  ip address unnumbered
  ip tcp adjust-mss auto
  ipsec map ipsec1
  no shutdown
!
interface IPsec2
  ip address unnumbered
  ip tcp adjust-mss auto
  ipsec map ipsec2
  no shutdown
!
interface VLAN1
  ip address 10.0.100.254/24
  no shutdown
!
interface VLAN2
  ip address 192.168.100.254/24
  no shutdown
!
ip route 192.168.1.0/24 IPsec2
ip route 10.0.0.0/24 IPsec1
ip route 10.0.200.1/32 IPsec1
ip route default 192.168.100.100
!
network-monitor monitor2
  monitor interval occurrence 10 5
  monitor interval restorer 10
  monitor counter occurrence 3
  monitor counter restorer 5
  monitor startup-delay 10
  event ip unreach-host 10.0.200.1 interface IPsec1 source Loopback0.0
  action 10 route-del 10.0.0.0/24 IPsec1
  action 20 route-add 10.0.0.0/24 IPsec2
!
monitor-group monitor2 enable
!
ike proposal ipsec1
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
!
ike proposal ipsec2
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
!
ike policy ipsec1
  mode aggressive
  remote-id key-id test01
  outgoing-interface GigaEthernet0.0 192.0.1.2
  ph1 proposal ipsec1
  pre-shared-key plain test1
!
ike policy ipsec2
  mode aggressive
  remote-id key-id test02
  outgoing-interface GigaEthernet0.0 192.0.1.2
  dpd-keepalive enable
  ph1 proposal ipsec2
  pre-shared-key plain test2
!
ipsec proposal ipsec1
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec proposal ipsec2
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec policy ipsec1
  local-id 10.0.100.0/24
  remote-id 10.0.0.0/24
  proposal ipsec1
!
ipsec policy ipsec2
  local-id 192.168.100.0/24
  remote-id 192.168.1.0/24
  proposal ipsec2
!
ipsec profile ipsec1
  mode tunnel
  ipsec policy ipsec1
  ike policy ipsec1
  peer any
!
ipsec profile ipsec2
  mode tunnel
  ipsec policy ipsec2
  ike policy ipsec2
  peer any
!
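The two configurations above only fail over cleanly if Device B is an exact mirror of Device A: the key-id that A sends as local-id must be what B expects as remote-id, B's phase-2 selectors must be A's with local-id and remote-id swapped, and both network monitors must move the same tunnel's prefixes between the same interfaces. The script below is an added consistency check, not part of this manual or the device firmware; it reads constructed one-command-per-line excerpts of the two configurations shown in this section and reports any mismatch.

```python
import re

# Constructed excerpts of the Device A / Device B configurations in this section
# (only the ike policy, ipsec policy and network-monitor action lines the check reads).
DEVICE_A = """\
ike policy ipsec1 mode aggressive local-id key-id test01
ike policy ipsec2 mode aggressive local-id key-id test02
ipsec policy ipsec1 local-id 10.0.0.0/24 remote-id 10.0.100.0/24 rekey enable always proposal ipsec1
ipsec policy ipsec2 local-id 192.168.1.0/24 remote-id 192.168.100.0/24 rekey enable always proposal ipsec2
action 10 route-del 10.0.100.0/24 IPsec1
action 20 route-add 10.0.100.0/24 IPsec2
"""
DEVICE_B = """\
ike policy ipsec1 mode aggressive remote-id key-id test01
ike policy ipsec2 mode aggressive remote-id key-id test02
ipsec policy ipsec1 local-id 10.0.100.0/24 remote-id 10.0.0.0/24 proposal ipsec1
ipsec policy ipsec2 local-id 192.168.100.0/24 remote-id 192.168.1.0/24 proposal ipsec2
action 10 route-del 10.0.0.0/24 IPsec1
action 20 route-add 10.0.0.0/24 IPsec2
"""

def parse(config):
    """Collect key-id per ike policy, (local-id, remote-id) per ipsec policy, and route-del/route-add interface per moved prefix."""
    keyids, selectors, moves = {}, {}, {}
    for line in config.splitlines():
        m = re.match(r"ike policy (\S+) .*key-id (\S+)", line)
        if m:
            keyids[m[1]] = m[2]
        m = re.match(r"ipsec policy (\S+) local-id (\S+) remote-id (\S+)", line)
        if m:
            selectors[m[1]] = (m[2], m[3])
        m = re.match(r"action \d+ route-(del|add) (\S+) (\S+)", line)
        if m:
            moves.setdefault(m[2], {})[m[1]] = m[3]
    return keyids, selectors, moves

def check_mirror(cfg_a, cfg_b):
    """Return the mismatches between the two ends; an empty list means they agree."""
    ka, sa, ma = parse(cfg_a)
    kb, sb, mb = parse(cfg_b)
    problems = []
    for name, kid in ka.items():               # A's local-id must be B's remote-id
        if kb.get(name) != kid:
            problems.append(f"ike policy {name}: key-id {kid} is not mirrored on B")
    for name, (loc, rem) in sa.items():        # B's selectors are A's, swapped
        if sb.get(name) != (rem, loc):
            problems.append(f"ipsec policy {name}: selectors {loc}<->{rem} are not mirrored on B")
        if rem in ma and ma[rem] != mb.get(loc):   # same del/add interfaces on both monitors
            problems.append(f"ipsec policy {name}: failover routes for {rem} (A) and {loc} (B) differ")
    return problems
```

Calling `check_mirror(DEVICE_A, DEVICE_B)` returns an empty list for the configurations in this section; changing either pre-shared key-id, a selector, or one of the route-add interfaces on a single side produces a one-line report naming the policy.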
■ Explanation