4.2. Always-on connection using the RA method
This section describes a configuration example for the RA (Router Advertisement) method of IPv6 network connection. The device obtains a prefix from the IPv6 network via RA and registers an IPv6 address from it. On the LAN side, the L2 tunnel function EtherIP is used, so the example also shows L2VPN communication over the IPv6 network.
■Connection configuration
(Figure: connection diagram. Labels recovered from the figure:)
Terminal 1 (172.16.1.0/24, .1) -- GE1 -- Device A: UNIVERGE WA1510 -- GE0 (WAN, receives RA) -- Internet / service provider -- GE0 (WAN, fixed IPv6) -- Device B: UNIVERGE WA2610-AP -- GE1 -- Terminal 2 (172.16.1.0/24, .2)
Device B GE0: 2001:db8:1:0:cafe::1/64
DNS server: 2001:db8:0:0:abc::1
EtherIP over IPsec (IPv6): encryption AES (256 bit), authentication SHA2, DH group 1024 bit
EtherIP endpoints (loopback interfaces): device A 192.168.1.1/32, device B 192.168.1.2/32
DDNS service: DDNS.example.jp, username: user, password: passwd, FQDN: c.DDNS.example.jp

■Configuration overview
The following settings are configured.
・IKE proposal settings
・IKE policy settings
・IPsec proposal settings
・IPsec policy settings
・IPsec profile settings
・IPsec interface settings
・Routing settings
・IPv6 filter settings
・WAN-side interface settings
・Bridge settings
・EtherIP interface settings
・DNS server settings
・Dynamic DNS settings (device B)
・Confirming registration with the Dynamic DNS service
■Configuration (version used to create the config: Ver7.3.7)
[Device A: WA1510 configuration]
!
no password encrypted
!
hostname WA1510
!
ipv6 access-list fw-lst deny ip src any dest any
ipv6 access-list ndp-lst permit icmp src any dest any
ipv6 access-list sec-lst permit 50 src any dest any
ipv6 access-list sec-lst permit udp src any sport eq 500 dest any dport eq 500
!
bridge ieee enable
!
interface GigaEthernet0.0
  no ip address
  ipv6 enable
  ipv6 address autoconfig receive-default
  ipv6 tcp adjust-mss auto
  ipv6 filter ndp-lst 1 in
  ipv6 filter sec-lst 2 in
  ipv6 filter fw-lst 10 in
  ipv6 filter ndp-lst 1 out
  ipv6 filter sec-lst 2 out
  ipv6 filter fw-lst 10 out
  no shutdown
!
interface GigaEthernet1.0
  no ip address
  bridge ieee 1
  no shutdown
!
interface Loopback0.0
  ip address 192.168.1.1/32
  no shutdown
!
interface IPsec0
  ip address unnumbered
  ipsec map ipsecprof1
  no shutdown
!
interface EtherIP0
  bridge ieee 1
  bridge ip tcp adjust-mss 1330
  ether-ip peer 192.168.1.2
  ether-ip source 192.168.1.1
  no shutdown
!
ip route 192.168.1.2/32 IPsec0
!
ike proposal ikeprop1
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
  dh-group 1024-bit
!
ike policy ikepol1
  mode aggressive
  local-id key-id wa1500
  dpd-keepalive enable ph1 20 3
  proposal ikeprop1
  pre-shared-key plain hogehoge
!
ipsec proposal ipsecprop1
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec policy ipsecpol1
  local-id 2001:db8:a:0::1/128
  remote-id 2001:db8:1:0:cafe::1/128
  proposal ipsecprop1
!
ipsec profile ipsecprof1
  mode tunnel
  ipsec policy ipsecpol1
  ike policy ikepol1
  source GigaEthernet0.0
  peer c.DDNS.example.jp ipv6
!
ipv6 name-server 2001:db8:0:0:abc::1
!
[Device B: WA2610-AP configuration]
!
no password encrypted
!
hostname WA2600
!
ipv6 access-list fw-lst deny ip src any dest any
ipv6 access-list ndp-lst permit icmp src any dest any
ipv6 access-list sec-lst permit 50 src any dest any
ipv6 access-list sec-lst permit udp src any sport eq 500 dest any dport eq 500
!
bridge ieee enable
!
interface GigaEthernet0.0
  no ip address
  ipv6 enable
  ipv6 address 2001:db8:1:0:cafe::1/64
  ipv6 tcp adjust-mss auto
  ipv6 filter ndp-lst 1 in
  ipv6 filter sec-lst 2 in
  ipv6 filter fw-lst 10 in
  ipv6 filter ndp-lst 1 out
  ipv6 filter sec-lst 2 out
  ipv6 filter fw-lst 10 out
  no shutdown
!
interface GigaEthernet1.0
  no ip address
  bridge ieee 1
  no shutdown
!
interface Loopback0.0
  ip address 192.168.1.2/32
  no shutdown
!
interface IPsec0
  ip address unnumbered
  ipsec map ipsecprof1
  no shutdown
!
interface EtherIP0
  bridge ieee 1
  bridge ip tcp adjust-mss 1330
  ether-ip peer 192.168.1.1
  ether-ip source 192.168.1.2
  no shutdown
!
ip route 192.168.1.1/32 IPsec0
!
ike proposal ikeprop1
  encryption-algorithm aes256-cbc
  authentication-algorithm hmac-sha2-256
  lifetime 28800
  dh-group 1024-bit
!
ike policy ikepol1
  mode aggressive
  remote-id key-id wa1500
  dpd-keepalive enable ph1 20 3
  proposal ikeprop1
  pre-shared-key plain hogehoge
!
ipsec proposal ipsecprop1
  protocol esp enc-algo aes256-cbc auth-algo hmac-sha2-256
  lifetime 28800
!
ipsec policy ipsecpol1
  local-id 2001:db8:1:0:cafe::1/128
  remote-id 2001:db8:a:0::1/128
  proposal ipsecprop1
!
ipsec profile ipsecprof1
  mode tunnel
  ipsec policy ipsecpol1
  ike policy ikepol1
  source GigaEthernet0.0
  peer any ipv6
!
ipv6 name-server 2001:db8:0:0:abc::1
!
ddns profile test
  source GigaEthernet0.0
  query dn=c.DDNS.example.jp&ipv6=<IPV6>
  transport ipv6
  url http://user:passwd@DDNS.example.jp/index.html
!
ddns enable
ddns interval 30
ddns account profile test
!
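The most common reason a pair like this fails to come up is a value that is not mirrored between the two devices (IPsec local/remote IDs, the EtherIP peer/source loopbacks, the IKE key-id, or a missing host route sending the far loopback into IPsec0). As an added check that is not part of this guide or the product, the Python below parses stanza-style config text into top-level commands with their sub-commands and reports every mismatch between device A and device B; the config excerpts are constructed from the configurations on this page, and the parser assumes sub-commands are indented under their parent command as in those excerpts.

```python
DEVICE_A = """\
interface EtherIP0
  ether-ip peer 192.168.1.2
  ether-ip source 192.168.1.1
ip route 192.168.1.2/32 IPsec0
ike policy ikepol1
  local-id key-id wa1500
ipsec policy ipsecpol1
  local-id 2001:db8:a:0::1/128
  remote-id 2001:db8:1:0:cafe::1/128
"""  # constructed excerpt of device A's config on this page (stanzas that must mirror device B)
DEVICE_B = """\
interface EtherIP0
  ether-ip peer 192.168.1.1
  ether-ip source 192.168.1.2
ip route 192.168.1.1/32 IPsec0
ike policy ikepol1
  remote-id key-id wa1500
ipsec policy ipsecpol1
  local-id 2001:db8:1:0:cafe::1/128
  remote-id 2001:db8:a:0::1/128
"""  # constructed excerpt of device B's config on this page

def stanzas(cfg):
    """Map each top-level command to its sub-commands as {leading words: last argument}."""
    out, current = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line[0].isspace():
            key, _, arg = line.strip().rpartition(" ")
            out[current][key] = arg
        else:
            current = line.strip()
            out[current] = {}
    return out

def check_pair(cfg_a, cfg_b):
    """Return the cross-device mismatches; an empty list means the pair is consistent."""
    a, b = stanzas(cfg_a), stanzas(cfg_b)
    ipsec, ike, eip = "ipsec policy ipsecpol1", "ike policy ikepol1", "interface EtherIP0"
    pairs = [  # (what must agree, value seen on device A, value seen on device B)
        ("IPsec local-id(A)/remote-id(B)", a[ipsec].get("local-id"), b[ipsec].get("remote-id")),
        ("IPsec remote-id(A)/local-id(B)", a[ipsec].get("remote-id"), b[ipsec].get("local-id")),
        ("EtherIP peer(A)/source(B)", a[eip].get("ether-ip peer"), b[eip].get("ether-ip source")),
        ("EtherIP source(A)/peer(B)", a[eip].get("ether-ip source"), b[eip].get("ether-ip peer")),
        ("IKE key-id", a[ike].get("local-id key-id"), b[ike].get("remote-id key-id")),
        # EtherIP packets only enter the tunnel if each side routes the far loopback via IPsec0
        ("route A->B loopback", f"ip route {b[eip].get('ether-ip source')}/32 IPsec0" in a, True),
        ("route B->A loopback", f"ip route {a[eip].get('ether-ip source')}/32 IPsec0" in b, True),
    ]
    return [f"{what}: A={va!r} B={vb!r}" for what, va, vb in pairs if va != vb]
```

Run `check_pair` on the two running configs after any change to either side; an empty list is the expected result for the configuration shown above.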
■Explanation