アライドルータで、IPSecを使い倒す-LAN環境下で3つの拠点をIPSecトンネルで結ぶ 応用編

ただ3か所で接続するだけでなく、IPSecで接続してきた先にあるサーバに接続できるように設定を変更していきたいと思います。

ルータA

ルータAは本社の位置づけにあるルータで、拠点間をIPSec通信で結んで本社サーバに接続します。受け側のルータというか、

!
interface eth1
  ip address 10.0.0.1/8
!
interface vlan1
 ip address 192.168.0.4/24
!
!subnet 192.168.22 のネットワークは拡張
zone private
 network lan
  ip subnet 173.16.0.0/30
  ip subnet 173.17.0.0/30
  ip subnet 173.18.0.0/30
  ip subnet 192.168.0.0/24
  ip subnet 192.168.20.0/24
  ip subnet 192.168.21.0/24
  ip subnet 192.168.22.0/24
  ip subnet 192.168.200.0/24
!
!host eth1のip addressは直接割り当てたIPアドレスを指定します
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host eth1
   ip address 10.0.0.1
!
application esp
 protocol 50
!
application isakmp
 protocol udp
 sport 500
 dport 500
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit isakmp from public.wan.eth1 to public.wan
 rule 40 permit isakmp from public.wan to public.wan.eth1
 rule 50 permit esp from public.wan.eth1 to public.wan
 rule 60 permit esp from public.wan to public.wan.eth1
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
crypto isakmp key secret-ab address 10.0.0.2
crypto isakmp key secret-ac address 10.0.0.3
!
interface tunnel0
 ip address 173.16.0.1/30
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec
 ip tcp adjust-mss 1260
 mtu 1300
!
interface tunnel1
 ip address 173.17.0.1/30
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec
 ip tcp adjust-mss 1260
 mtu 1300
!
!tunnel2は拡張
interface tunnel2
 ip address 173.18.0.1/30
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec
 ip tcp adjust-mss 1260
 mtu 1300
!
ip route 192.168.20.0/24 tunnel0
ip route 192.168.20.0/24 null 254
ip route 192.168.21.0/24 tunnel1
ip route 192.168.21.0/24 null 254
ip route 192.168.22.0/24 tunnel1
ip route 192.168.22.0/24 null 254
ip route 192.168.200.0/24 192.168.0.253
!
end

ルータB

ルータB配下のネットワークは本社ネットワークの

192.168.0.0/24

および、もっと深いところにあるサーバ

192.168.200.0/24

に接続できるようにします。

!
interface eth1
 ip address 10.0.0.2/8
!
interface vlan1
 ip address 192.168.20.253/24
!
zone private
 network lan
  ip subnet 173.16.0.0/30
  ip subnet 192.168.0.0/24
  ip subnet 192.168.20.0/24
! IPSecで直接ではないが、200のネットワークを追記しておく
  ip subnet 192.168.200.0/24
!
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host eth1
   ip address 10.0.0.2
!
application esp
 protocol 50
!
application isakmp
 protocol udp
 sport 500
 dport 500
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit isakmp from public.wan.eth1 to public.wan
 rule 40 permit isakmp from public.wan to public.wan.eth1
 rule 50 permit esp from public.wan.eth1 to public.wan
 rule 60 permit esp from public.wan to public.wan.eth1
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
crypto isakmp key secret-ab address 10.0.0.1
!
interface tunnel0
 ip address 173.16.0.2/30
 tunnel source 10.0.0.2
 tunnel destination 10.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec
 ip tcp adjust-mss 1260
 mtu 1300
!
ip route 192.168.0.0/24 tunnel0
ip route 192.168.0.0/24 null 254
ip route 192.168.200.0/24 tunnel0
ip route 192.168.200.0/24 null 254
!
end

ルータC

ルータC配下のネットワークからは、

192.168.0.0/24

のみアクセスできるようにする。

ルータC

!
interface eth1
 ip address 10.0.0.3/8
!
interface vlan1
 ip address 192.168.21.253/24
!
zone private
 network lan
  ip subnet 173.17.0.0/30
  ip subnet 192.168.0.0/24
  ip subnet 192.168.21.0/24
!
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host eth1
   ip address 10.0.0.3
!
application esp
 protocol 50
!
application isakmp
 protocol udp
 sport 500
 dport 500
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit isakmp from public.wan.eth1 to public.wan
 rule 40 permit isakmp from public.wan to public.wan.eth1
 rule 50 permit esp from public.wan.eth1 to public.wan
 rule 60 permit esp from public.wan to public.wan.eth1
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
crypto isakmp key secret-ac address 10.0.0.1
!
interface tunnel1
 ip address 173.17.0.2/30
 tunnel source 10.0.0.3
 tunnel destination 10.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec
 ip tcp adjust-mss 1260
 mtu 1300
!
ip route 192.168.0.0/24 tunnel1
ip route 192.168.0.0/24 null 254
!
end

関連コンテンツ