Connecting over an IP-VPN network

[Figure: normal operation over the IP-VPN; on line failure, traffic switches to the Internet VPN backup and returns to the IP-VPN on recovery]

An IP-VPN service is used to build a secure network.
Dynamic routing with BGP detects a failure of the IP-VPN line and switches traffic over to the Internet.
While traffic is switched to the Internet, communication is encrypted (IPsec) so that confidential information is not leaked.

RTX1200(A) configuration example

LAN and DMZ interface settings (using the LAN1 port):
    ip lan1 address 192.168.0.1/24

WAN (IP-VPN) interface settings (using the LAN2 port):
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (IP-VPN connection ID) (IP-VPN connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ip pp address (private address 1)
    ip pp mtu 1454
    pp enable 1

WAN (ISP1) interface settings (using the LAN3 port):
    pp select 2
    pp always-on on
    pppoe use lan3
    pp auth accept pap chap
    pp auth myname (ISP1 connection ID) (ISP1 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ip pp address (global address 1)
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 2
    ip route default gateway pp 2

BGP4 settings:
    bgp use on
    bgp autonomous-system (own AS number)
    bgp neighbor 1 (peer AS number) (peer IP address)
    bgp preference 10001 # Note 1
    bgp import filter 1 include all
    bgp import (peer AS number) static filter 1
    bgp export filter 1 include all
    bgp export (peer AS number) filter 1

NAT settings:
    nat descriptor type 1 masquerade
    nat descriptor masquerade static 1 1 192.168.0.1 udp 500
    nat descriptor masquerade static 1 2 192.168.0.1 esp
    nat descriptor masquerade static 1 3 192.168.0.2 tcp www # Note 2

VPN (IPsec) settings:
    ipsec auto refresh on
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.0.1
    ipsec ike pre-shared-key 1 text (password)
    ipsec ike remote address 1 any
    ipsec ike remote name 1 kyoten1
    ipsec sa policy 101 1 esp 3des-cbc sha-hmac
    tunnel select 1
    ipsec tunnel 101
    ipsec ike hash 1 sha
    tunnel enable 1
    ip route 192.168.1.0/24 gateway tunnel 1 # Note 3

DHCP settings:
    dhcp scope 1 192.168.0.3-192.168.0.100/24
    dhcp service server

DNS settings:
    dns server (IP address of the DNS server specified by ISP1)
    dns private address spoof on

Inbound filter settings:
    ip filter source-route on
    ip filter directed-broadcast on
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 2
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 2

Policy filter settings:
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.0.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services" www
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp bgp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 2200 reject-nolog pp* * * * *
    ip policy filter 2220 pass-log * lan1 * * 101
    ip policy filter 2230 static-pass-nolog * local * * 104
    ip policy filter 2300 reject-nolog tunnel* * * * *
    ip policy filter 2330 pass-nolog * tunnel* * * *
    ip policy filter 2340 pass-nolog * local * * *
    ip policy filter 2350 pass-nolog * lan1 * * *
    ip policy filter 2360 reject-nolog * pp* * * *
    ip policy filter 2400 pass-nolog local * * * *
    ip policy filter 2410 static-pass-nolog * lan1 * * *
    ip policy filter 2430 static-pass-nolog * pp* * * 104
    ip policy filter 2600 pass-nolog * pp* * * *
    ip policy filter 2650 reject-nolog pp* * * * *
    ip policy filter 2660 static-pass-nolog * local * * 104
    ip policy filter 2670 pass-nolog * lan1 * * 101
    ip policy filter 3000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 1130] 2650 [2670 2660] 2300 [2340 2350 2360 2330] 2400 [2410 2430] 3000
    ip policy filter set enable 101

RTX1200(B) configuration example

LAN interface settings (using the LAN1 port):
    ip lan1 address 192.168.1.1/24

WAN (IP-VPN) interface settings (using the LAN2 port):
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (IP-VPN connection ID) (IP-VPN connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ip pp address (private address 2)
    ip pp mtu 1454
    pp enable 1

WAN (ISP2) interface settings (using the LAN3 port):
    pp select 2
    pp always-on on
    pppoe use lan3
    pp auth accept pap chap
    pp auth myname (ISP2 connection ID) (ISP2 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ppp ipcp ipaddress on
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 2
    ip route default gateway pp 2

BGP4 settings:
    bgp use on
    bgp autonomous-system (own AS number)
    bgp neighbor 1 (peer AS number) (peer IP address)
    bgp preference 10001 # Note 1
    bgp import filter 1 include all
    bgp import (peer AS number) static filter 1
    bgp export filter 1 include all
    bgp export (peer AS number) filter 1

NAT settings:
    nat descriptor type 1 masquerade
    nat descriptor masquerade static 1 1 192.168.1.1 udp 500
    nat descriptor masquerade static 1 2 192.168.1.1 esp

VPN (IPsec) settings:
    ipsec auto refresh on
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.1.1
    ipsec ike local name 1 kyoten1
    ipsec ike pre-shared-key 1 text (password)
    ipsec ike remote address 1 (global address 1)
    ipsec sa policy 101 1 esp 3des-cbc sha-hmac
    tunnel select 1
    ipsec tunnel 101
    ipsec ike hash 1 sha
    tunnel enable 1
    ip route 192.168.0.0/24 gateway tunnel 1 # Note 3

DHCP settings:
    dhcp scope 1 192.168.1.2-192.168.1.100/24
    dhcp service server

DNS settings:
    dns server (IP address of the DNS server specified by ISP2)
    dns private address spoof on

Inbound filter settings:
    ip filter source-route on
    ip filter directed-broadcast on
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 192.168.1.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 2
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 2

Policy filter settings:
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.1.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp bgp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.1.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 2200 reject-nolog pp* * * * *
    ip policy filter 2220 pass-log * lan1 * * 101
    ip policy filter 2230 static-pass-nolog * local * * 104
    ip policy filter 2300 reject-nolog tunnel* * * * *
    ip policy filter 2330 pass-nolog * tunnel* * * *
    ip policy filter 2340 pass-nolog * local * * *
    ip policy filter 2350 pass-nolog * lan1 * * *
    ip policy filter 2360 reject-nolog * pp* * * *
    ip policy filter 2400 pass-nolog local * * * *
    ip policy filter 2410 static-pass-nolog * lan1 * * *
    ip policy filter 2430 static-pass-nolog * pp* * * 104
    ip policy filter 2600 pass-nolog * pp* * * *
    ip policy filter 2650 reject-nolog pp* * * * *
    ip policy filter 2660 static-pass-nolog * local * * 104
    ip policy filter 2670 pass-nolog * lan1 * * 101
    ip policy filter 3000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 1130] 2650 [2670 2660] 2300 [2340 2350 2360 2330] 2400 [2410 2430] 3000
    ip policy filter set enable 101

[Explanation of the notes]

Note 1:
This setting gives BGP4 routes priority over static routes. While BGP4 routes are being received, the IP-VPN is used. After a line failure, once BGP4 routes are no longer received, the static route takes effect and the Internet VPN is used.

Note 2:
Because NAT blocks access from the outside, a hole is opened so that the WWW server can be reached.

Note 3:
This route becomes effective once BGP routes are no longer received because of a line failure.
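As an added illustration of Notes 1 and 3 (this script is not part of the original page or of the Yamaha product), the following Python code parses the routing lines of the RTX1200(A) configuration and shows which gateway is selected for site B's LAN while BGP4 routes are received and after they stop. It assumes Yamaha route-selection semantics in which the higher preference wins, that static routes carry a fixed preference of 10000, and that the default bgp preference is 500; the config excerpt is constructed from the example above.

```python
import re

# Assumptions (not stated on the page): Yamaha static routes carry a fixed
# preference of 10000, the default "bgp preference" is 500, and the route
# with the HIGHER preference wins.
STATIC_PREFERENCE = 10000
DEFAULT_BGP_PREFERENCE = 500

# Constructed excerpt of the RTX1200(A) configuration (routing lines only).
CONFIG_A = """\
bgp use on
bgp preference 10001
ip route default gateway pp 2
ip route 192.168.1.0/24 gateway tunnel 1
"""


def parse_routing(config):
    """Return (bgp_preference, static_routes) from RTX-style config text."""
    bgp_pref = DEFAULT_BGP_PREFERENCE
    static = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing "# Note n" comments
        m = re.fullmatch(r"bgp preference (\d+)", line)
        if m:
            bgp_pref = int(m.group(1))
        m = re.fullmatch(r"ip route (\S+) gateway (.+)", line)
        if m:
            dest = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            static.append({"dest": dest, "via": m.group(2),
                           "pref": STATIC_PREFERENCE, "proto": "static"})
    return bgp_pref, static


def selected_gateway(config, bgp_route_received):
    """Gateway RTX1200(A) uses for 192.168.1.0/24, with or without the BGP4 route."""
    bgp_pref, routes = parse_routing(config)
    if bgp_route_received:                           # route learned over the IP-VPN (pp 1)
        routes.append({"dest": "192.168.1.0/24", "via": "pp 1",
                       "pref": bgp_pref, "proto": "bgp"})
    candidates = [r for r in routes if r["dest"] == "192.168.1.0/24"]
    return max(candidates, key=lambda r: r["pref"])["via"]


def failover_is_correct(config):
    """True when the IP-VPN wins while BGP routes arrive and tunnel 1 takes over when they stop."""
    return (selected_gateway(config, True) == "pp 1"
            and selected_gateway(config, False) == "tunnel 1")


if __name__ == "__main__":
    print("with BGP route  :", selected_gateway(CONFIG_A, True))     # pp 1
    print("after failure   :", selected_gateway(CONFIG_A, False))    # tunnel 1
    print("without 'bgp preference 10001':",
          failover_is_correct(CONFIG_A.replace("bgp preference 10001\n", "")))
```

Dropping the `bgp preference 10001` line makes the check fail: with the assumed default of 500 the static tunnel route always outranks the BGP route, so traffic would never use the IP-VPN even while it is healthy.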
