19. L2TP/IPsec configuration example
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
edit vpn l2tp remote-access
set authentication local-users username micho password aaabbb
set authentication mode local
set client-ip-pool start 10.103.1.200
set client-ip-pool stop 10.103.1.209
set dns-servers server-1 133.242.0.3
set dns-servers server-2 133.242.0.4
set ipsec-settings authentication mode pre-shared-secret
set ipsec-settings authentication pre-shared-secret cccddd
set mtu 1280
set outside-address 133.242.78.164
set outside-nexthop 133.242.78.161
The four parameters
23. Site A configuration example
Key generation
$ generate openvpn key /config/auth/secret
$ sudo scp /config/auth/secret vyatta@133.242.78.164:/config/auth/
OpenVPN configuration
set interfaces openvpn vtun1 local-address 10.103.3.1 \
subnet-mask 255.255.255.0
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 remote-address 10.103.3.2
set interfaces openvpn vtun1 remote-host 133.242.78.164
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
Route configuration
set protocols static interface-route 10.103.1.0/24 \
next-hop-interface vtun1
24. Site B configuration example
OpenVPN configuration
set interfaces openvpn vtun1 local-address 10.103.3.2 \
subnet-mask 255.255.255.0
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 remote-address 10.103.3.1
set interfaces openvpn vtun1 remote-host 59.106.69.117
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
Route configuration
set protocols static interface-route 10.103.4.0/24 \
next-hop-interface vtun1
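As an added example (not from the original slides), a short Python check that reads both sites' `set` lines above and confirms the two ends of the site-to-site tunnel mirror each other: remote-address matches the peer's local-address, remote-host is the peer's public address, both use the same mode, subnet-mask and shared-secret-key-file, and each static route sends a prefix outside the tunnel subnet via vtun1. The config text and the two public addresses (59.106.69.117 for site A, 133.242.78.164 for site B) are copied from the slides; the continuation character is written as `\`.

```python
import ipaddress

# Both sites' 'set' lines, copied from the slides; a trailing backslash continues a line.
SITE_A = r"""
set interfaces openvpn vtun1 local-address 10.103.3.1 \
    subnet-mask 255.255.255.0
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 remote-address 10.103.3.2
set interfaces openvpn vtun1 remote-host 133.242.78.164
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set protocols static interface-route 10.103.1.0/24 \
    next-hop-interface vtun1
"""
SITE_B = r"""
set interfaces openvpn vtun1 local-address 10.103.3.2 \
    subnet-mask 255.255.255.0
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 remote-address 10.103.3.1
set interfaces openvpn vtun1 remote-host 59.106.69.117
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set protocols static interface-route 10.103.4.0/24 \
    next-hop-interface vtun1
"""
# Each site's public address, as given on the slides through the peer's remote-host.
PUBLIC = {"A": "59.106.69.117", "B": "133.242.78.164"}
KEYS = ("local-address", "subnet-mask", "mode", "remote-address", "remote-host",
        "shared-secret-key-file", "interface-route", "next-hop-interface")

def parse_set_lines(text):
    """Join backslash continuations, then take the token that follows each known keyword."""
    words = text.replace("\\\n", " ").split()
    return {w: words[i + 1] for i, w in enumerate(words[:-1]) if w in KEYS}

def check_pair(a, b, public_a, public_b):
    """Return the list of mismatches between two peers; an empty list means they agree."""
    problems = []
    if a["remote-address"] != b["local-address"] or b["remote-address"] != a["local-address"]:
        problems.append("tunnel addresses are not mirrored")
    if a["subnet-mask"] != b["subnet-mask"] or a["mode"] != b["mode"]:
        problems.append("subnet-mask or mode differ")
    if a["remote-host"] != public_b or b["remote-host"] != public_a:
        problems.append("remote-host is not the peer's public address")
    if a["shared-secret-key-file"] != b["shared-secret-key-file"]:
        problems.append("shared-secret-key-file paths differ")
    # The static route must carry the peer's LAN, not the tunnel subnet itself, over vtun1.
    tunnel = ipaddress.ip_network(f"{a['local-address']}/{a['subnet-mask']}", strict=False)
    for name, site in (("A", a), ("B", b)):
        route = ipaddress.ip_network(site["interface-route"])
        if site["next-hop-interface"] != "vtun1" or route.overlaps(tunnel):
            problems.append(f"site {name}: route {route} is not the peer LAN over vtun1")
    return problems
```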
25. Bonus: doing the route configuration with OSPF
OSPF configuration
set interfaces openvpn vtun1 ip ospf network point-to-point
set protocols ospf area 0 network 10.103.3.0/24
set protocols ospf area 0 network 10.103.4.0/24
set protocols ospf passive-interface eth1
* Configure the peer the same way
vyatta@vc65-6rd-2# run show ip ospf route
============ OSPF network routing table ============
N 10.103.1.0/24 [20] area: 0.0.0.0
via 10.103.3.2, vtun1
N 10.103.3.2/32 [10] area: 0.0.0.0
directly attached to vtun1
N 10.103.4.0/24 [10] area: 0.0.0.0
directly attached to eth1