IPsec Settings Example 3

When one party has multiple addresses and the other does not have a fixed address

Summary

This example covers the case where one router is assigned multiple global addresses and the other router is not assigned a fixed global address.

Topology

       To the Internet                                    To the Internet
              |                                                  |
              | Default gateway:172.16.101.1                     | PPPoE
              |                                                  |
              | Address:  Fixed                                  | Address:  Variable
              | 172.16.0.0/24                                    | IPCP
              |                                                  |
     +--------+--------+                                +--------+--------+
     |                 |    <######## VPN ########>     |                 |
     |    Router 1     |                                |    Router 2     |
     | Name: router1   |Encryption method: 3DES-CBC     | Name: router2   |
     |                 |Authentication method: HMAC-SHA1|                 |
     +--------+--------+                                +--------+--------+
              | 192.168.0.1/24                                   | 192.168.1.1/24
              |                                                  |
              |                                                  |
     ---------+---- 192.168.0.0/24                      ---------+---- 192.168.1.0/24

Settings Examples

[Router 1 settings example]

#
# WAN line type
#
line type pri1 leased
pri leased channel 1/1 1 24
#
# LAN1 interface
#
ip lan1 address 192.168.0.1/24
#
# PP interface
#
pp select 1
pp bind pri1/1
ip route default gateway pp 1
ppp ccp type none
pp auth accept pap chap
pp auth myname NAME PASSWORD
ip pp address 172.16.0.1
ip pp nat descriptor 1
pp enable 1
#
# IKE
#
ipsec auto refresh on
ipsec ike local address 1 172.16.0.1
ipsec ike remote address 1 any
ipsec ike remote name 1 router2
ipsec ike pre-shared-key 1 text himitsu
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
#
# TUNNEL interface
#
tunnel select 1
ipsec tunnel 101
ip route 192.168.1.0/24 gateway tunnel 1
tunnel enable 1
#
# NAT descriptor
#
nat descriptor type 1 nat-masquerade
nat descriptor address outer 1 172.16.0.2-172.16.0.254
nat descriptor address inner 1 192.168.0.1-192.168.0.254

[Router 2 settings example]

#
# WAN line type
#
line type bri1 isdn
isdn local address bri LOCAL_ADDRESS
#
# LAN1 interface
#
ip lan1 address 192.168.1.1/24
#
# PP interface
#
pp select 1
pp bind bri1
isdn remote address call REMOTE_ADDRESS
ip route default gateway pp 1
ppp ccp type none
pp auth accept pap chap
pp auth myname NAME PASSWORD
ppp ipcp ipaddress on
ip pp nat descriptor 1
pp enable 1
#
# IKE
#
ipsec auto refresh on
ipsec ike local address 1 192.168.1.1
ipsec ike local name 1 router2
ipsec ike remote address 1 172.16.0.1
ipsec ike pre-shared-key 1 text himitsu
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
#
# TUNNEL interface
#
tunnel select 1
ipsec tunnel 101
ip route 192.168.0.0/24 gateway tunnel 1
tunnel enable 1
#
# NAT descriptor
#
nat descriptor type 1 masquerade
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 192.168.1.1-192.168.1.254
nat descriptor masquerade static 1 1 192.168.1.1 udp 500
nat descriptor masquerade static 1 2 192.168.1.1 esp *
