Copyright 2024 Fsas Technologies Inc

reference
https://www.fujitsu.com/jp/documents/products/network/router/sir/example/internet-vpn/vpn_main_gx-guide.pdf

****************************************
 Si-R GX500 config
****************************************

! Si-R GX500 side of a site-to-site IPsec VPN over PPPoE:
!   LAN   192.168.1.0/24 on Port-channel 3
!   WAN   PPPoE on Tunnel 1, local address 203.0.113.1
!   VPN   IPsec on Tunnel 2 to peer 203.0.113.2 (remote LAN 192.168.2.0/24)
! NOTE(review): 203.0.113.0/24 is a documentation address range (RFC 5737), and
! the pre-shared key and PPPoE account below are sample values. Replace all of
! them before applying this to a device.
!
! The default route leaves through the PPPoE tunnel; the remote LAN is routed
! into the IPsec tunnel.
ip route 0.0.0.0 0.0.0.0 tunnel 1
ip route 192.168.2.0 255.255.255.0 tunnel 2
! NAT list 1 matches any address; Tunnel 1's overload rule refers to it.
ip nat list 1 any
!
! Probe 192.168.2.1 (the peer's LAN address) through Tunnel 2, sourced from
! Port-channel 3, using the timers in survey-map SURVEY_IPsec.
! NOTE(review): presumably this is the tunnel liveness check; confirm what
! action the device takes when the probe fails.
survey 192.168.2.1 survey-map SURVEY_IPsec source port-channel 3 nexthop tunnel 2 interworking
!
! Probe timers. Units are not shown here (presumably milliseconds); TODO confirm
! against the command reference.
survey-map SURVEY_IPsec
 ttl 255
 timeout 1000
 retry 4
 frequency every 10000
 stability 5 interval 10000
exit
!
! IPsec (phase 2) policy: ESP with AES-256 and HMAC-SHA256, PFS with DH
! group 14, SA lifetime 28800 s. The peer's "ipsec ike encrypt/auth/pfs" lines
! must propose the same algorithms (aes-cbc-256, hmac-sha256, modp2048).
! The MTU 1454 / MSS 1300 values size traffic to fit inside PPPoE plus ESP.
crypto ipsec policy phase2
 set pfs group14
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1454
 set mss 1300
 set ip tos copy
 set ip df-bit 0
 set ip fragment post
exit
!
! The selector is any-to-any, so in effect the routes pointing at Tunnel 2
! decide which traffic is protected, not the selector.
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
! IKE (phase 1) policy: pre-shared-key authentication, AES-256, SHA-256,
! DH group 14, lifetime 86400 s, main mode.
crypto isakmp policy phase1
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 86400
 hash sha-256
 initiate-mode main
exit
!
! IKEv1 profile between the fixed endpoints 203.0.113.1 (local) and
! 203.0.113.2 (peer), binding the phase 1 and phase 2 policies above.
! NOTE(review): "local-key ascii" keeps the pre-shared key readable in the
! configuration, and "sir-key" is a short sample value. With pre-share
! authentication the tunnel is only as strong as this key: use a long, randomly
! generated value, set the same value on the peer ("ike shared key text"), and
! handle saved or exported configurations as secrets.
! NOTE(review): IKEv1 is selected here; whether IKEv2 is available depends on
! what both devices support. Confirm before changing it.
crypto isakmp profile ISAKMP_PROF_1
 local-address 203.0.113.1
 set isakmp-policy phase1
 set ipsec-policy phase2
 set peer 203.0.113.2
 ike-version 1
 local-key ascii sir-key
exit
!
! Ties the selector to the ISAKMP profile; Tunnel 2 uses this map.
crypto map IPsec_MAP_1 ipsec-isakmp
 match address SELECTOR
 set isakmp-profile ISAKMP_PROF_1
exit
!
! WAN port: carries the PPPoE session used by Tunnel 1.
interface GigaEthernet 1/1
 pppoe enable
exit
!
! LAN port: member of Port-channel 3.
interface GigaEthernet 1/3
 channel-group 3
exit
!
! LAN gateway address for 192.168.1.0/24.
interface Port-channel 3
 ip address 192.168.1.1 255.255.255.0
exit
!
! PPPoE WAN tunnel. LAN traffic is source-NATed (overload) to the interface
! address. The two static entries keep ESP (IP protocol 50) and IKE (UDP 500,
! protocol 17) addressed to 203.0.113.1 mapped to the router itself, so the
! IPsec endpoint stays reachable behind the NAT rule.
! NOTE(review): there is no entry for UDP 4500 (NAT-T); presumably neither end
! sits behind another NAT device. Confirm for the real deployment.
interface Tunnel 1
 ip address 203.0.113.1 255.255.255.255
 ip nat inside source list 1 interface overload
 ip nat inside destination static 203.0.113.1 203.0.113.1 proto 50
 ip nat inside destination static 203.0.113.1 500 500 203.0.113.1 500 proto 17
 tunnel mode pppoe profile pppoe-profile
 pppoe interface gigaethernet 1/1
exit
!
! IPsec tunnel interface; borrows Tunnel 1's address and uses IPsec_MAP_1.
interface Tunnel 2
 ip unnumbered Tunnel 1
 tunnel mode ipsec map IPsec_MAP_1
exit
!
! PPPoE account, CHAP only. The ID and password are stored in clear text in
! the configuration ("id-a@isp" / "pass-a@isp" are sample values).
pppoe profile pppoe-profile
 authentication accept chap
 account id-a@isp pass-a@isp
exit
!
end


****************************************
 Si-R config
****************************************

# Si-R side of the same site-to-site IPsec VPN:
#   LAN   192.168.2.0/24 on lan 1 (VLAN 2, ether 2 ports 1-8)
#   WAN   PPPoE on remote 0 (VLAN 1, ether 1 port 1), local address 203.0.113.2
#   VPN   IPsec on remote 1 to the Si-R GX500 at 203.0.113.1
# NOTE(review): 203.0.113.0/24 is a documentation address range (RFC 5737), and
# the PPP account and shared key below are sample values. Replace all of them
# before applying this to a device.
#
# Port layout: ether 1 port 1 is the WAN port (VLAN 1), ether 1 port 2 is
# switched off, ether 2 ports 1-8 are the LAN (VLAN 2).
ether 1 1 vlan untag 1
ether 1 2 use off
ether 2 1-8 vlan untag 2
# LAN gateway address, bound to VLAN 2.
lan 1 ip address 192.168.2.1/24 3
lan 1 vlan 2
# remote 0: PPPoE Internet connection on VLAN 1, kept connected at all times.
# The PPP ID and password are stored in clear text in the configuration.
remote 0 name internet
remote 0 mtu 1454
remote 0 ap 0 name pppoe
remote 0 ap 0 datalink bind vlan 1
remote 0 ap 0 ppp auth send id-b@isp pwd-b@isp
remote 0 ap 0 keep connect
remote 0 ppp ipcp vjcomp disable
remote 0 ip address local 203.0.113.2
remote 0 ip route 0 default 1 1
# NAT for Internet-bound LAN traffic. The two static entries keep IKE (UDP 500,
# protocol 17) and ESP (IP protocol 50) addressed to 203.0.113.2 mapped to the
# router itself, so the IPsec endpoint stays reachable behind the NAT rule.
# NOTE(review): there is no entry for UDP 4500 (NAT-T); presumably neither end
# sits behind another NAT device. Confirm for the real deployment.
remote 0 ip nat mode multi any 1 5m
remote 0 ip nat static 0 203.0.113.2 500 203.0.113.2 500 17
remote 0 ip nat static 1 203.0.113.2 any 203.0.113.2 any 50
remote 0 ip msschange 1414
# remote 1: IPsec tunnel to the Si-R GX500.
# Phase 2: ESP with AES-CBC-256, HMAC-SHA256, PFS modp2048 (DH group 14).
remote 1 name Si-R_GX500
remote 1 ap 0 name ipsec
remote 1 ap 0 datalink type ipsec
remote 1 ap 0 ipsec type ike
remote 1 ap 0 ipsec ike protocol esp
remote 1 ap 0 ipsec ike encrypt aes-cbc-256
remote 1 ap 0 ipsec ike auth hmac-sha256
remote 1 ap 0 ipsec ike pfs modp2048
# Phase 1: pre-shared key with an AES-CBC-256 / HMAC-SHA256 / modp2048 proposal.
# NOTE(review): the shared key is stored as readable text and "sir-key" is a
# short sample value. Use a long, randomly generated key, set the same value on
# the GX500 ("local-key ascii"), and handle saved configurations as secrets.
# NOTE(review): no IKE version, exchange mode or SA lifetime is set on this
# side, while the GX500 sets IKEv1, main mode, 86400 s and 28800 s. TODO confirm
# that this device's defaults are compatible.
remote 1 ap 0 ike shared key text sir-key
remote 1 ap 0 ike proposal 0 encrypt aes-cbc-256
remote 1 ap 0 ike proposal 0 hash hmac-sha256
remote 1 ap 0 ike proposal 0 pfs modp2048
# Tunnel endpoints: this router (203.0.113.2) and the GX500 (203.0.113.1).
remote 1 ap 0 tunnel local 203.0.113.2
remote 1 ap 0 tunnel remote 203.0.113.1
# Session watch between the two LAN gateway addresses (192.168.2.1 and
# 192.168.1.1). NOTE(review): presumably the tunnel liveness check; confirm
# what action the device takes when the watch fails.
remote 1 ap 0 sessionwatch address 192.168.2.1 192.168.1.1
# The GX500's LAN is routed into the tunnel; MSS 1300 matches "set mss 1300"
# in the GX500's phase 2 policy.
remote 1 ip route 0 192.168.1.0/24 1 1
remote 1 ip msschange 1300
# Management and logging settings.
# NOTE(review): "time zone 0900" is presumably UTC+9; confirm. Correct time
# matters when log entries from both routers are compared.
syslog facility 23
time zone 0900
# Idle-logout timers for console (8 hours) and telnet (5 minutes) sessions.
# NOTE(review): telnet carries login credentials unencrypted. Nothing here
# shows where telnet is reachable from; confirm that management access is
# limited to trusted networks, and consider a shorter console timeout than 8h.
consoleinfo autologout 8h
telnetinfo autologout 5m
terminal charset SJIS