!
! Century Systems NXR-230 Series ver 5.26.13 (build 1/20:51 07 06 2016)
!
! Purpose: configuration of router NXR_A, which protects two tunnel interfaces
! with IPsec: tunnel 1 to NXR_B (fixed peer 10.10.20.1, IKE main mode) and
! tunnel 2 to NXR_C (peer address "any", IKE aggressive mode, responder only).
! NOTE(review): the banner shows a 2016 firmware build; check the vendor's
! advisories and current release before reusing this configuration.
!
hostname NXR_A
! NOTE(review): telnet and HTTP management carry credentials in cleartext.
! The only inbound filter visible here (eth1_in) is bound to ethernet 1, so
! these services are presumably reachable from ethernet 0 and from the remote
! sites through the tunnels. Prefer an encrypted management service if the
! firmware provides one, and restrict which sources may reach it.
telnet-server enable
http-server enable
!
!
!
!
!
!
ipv6 forwarding
fast-forwarding enable
!
!
!
ipsec local policy 1
 address ip
!
!
! IKE phase 1 toward NXR_B: pre-shared key, main mode, peer pinned to 10.10.20.1.
! NOTE(review): "ipseckey1" and "ipseckey2" are short sample keys stored in
! cleartext, so every backup or export of this file discloses them. Use a long,
! random, per-peer key in production and handle the config as a secret.
! NOTE(review): "group 5" is the 1536-bit MODP group, which RFC 8247 lists as
! SHOULD NOT; prefer a larger group if both ends support one. The same applies
! to "set pfs group5" in the tunnel policies.
ipsec isakmp policy 1
 description NXR_B
 authentication pre-share ipseckey1
 hash sha256
 encryption aes128
 group 5
 isakmp-mode main
 remote address ip 10.10.20.1
 local policy 1
!
! IKE phase 1 toward NXR_C: the peer has no fixed address ("remote address ip
! any") and is identified by the FQDN identity "nxrc", hence aggressive mode.
! NOTE(review): aggressive mode with a pre-shared key sends the identity
! unprotected and exposes a key-derived hash that can be guessed offline, and
! "any" lets any source start the exchange. The strength of this key is the
! whole defence; prefer certificate authentication or IKEv2 if available.
! "keepalive 30 3 periodic clear" presumably enables periodic dead-peer checks
! that clear the SA on failure - confirm against the NXR manual.
ipsec isakmp policy 2
 description NXR_C
 authentication pre-share ipseckey2
 keepalive 30 3 periodic clear
 hash sha256
 encryption aes128
 group 5
 isakmp-mode aggressive
 remote address ip any
 remote identity fqdn nxrc
 local policy 1
!
!
! Phase 2 for NXR_B: ESP with AES-128 and HMAC-SHA-256, PFS enabled, keyed by
! isakmp policy 1, selector taken from ipsec access-list NXR_B.
ipsec tunnel policy 1
 description NXR_B
 set transform esp-aes128 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 1
 match address NXR_B
!
! Phase 2 for NXR_C: same transform, but this side only responds
! ("negotiation-mode responder"), which matches the peer having no fixed address.
ipsec tunnel policy 2
 description NXR_C
 negotiation-mode responder
 set transform esp-aes128 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 2
 match address NXR_C
!
!
! Tunnel interfaces run between the routers' LAN-side addresses
! (192.168.10.1 to 192.168.20.1 / 192.168.30.1); those address pairs are exactly
! what the ipsec access-lists at the end of the file select for protection.
interface tunnel 1
 description NXR_B
 no ip address
 ip tcp adjust-mss auto
 tunnel source 192.168.10.1
 tunnel destination 192.168.20.1
 tunnel ttl 255
!
interface tunnel 2
 description NXR_C
 no ip address
 ip tcp adjust-mss auto
 tunnel source 192.168.10.1
 tunnel destination 192.168.30.1
 tunnel ttl 255
!
! LAN side. NOTE(review): no access-group is applied here.
interface ethernet 0
 ip address 192.168.10.1/24
!
! WAN side: inbound list eth1_in, source NAT ("ip masquerade"), "ip spi-filter"
! (presumably stateful inspection - confirm), and IPsec local policy 1 bound here.
interface ethernet 1
 ip address 10.10.10.1/30
 ip access-group in eth1_in
 ip masquerade
 ip spi-filter
 ipsec policy 1
!
interface ethernet 2
 no ip address
!
dns
 service enable
 address 10.10.10.2
!
! NOTE(review): only local syslog is enabled in this config; no remote log
! destination is visible, so logs presumably do not survive loss of the device.
! Forward logs off-box if IKE failures and logins must be auditable.
syslog
 local enable
!
!
!
system led
 ext 0 signal-level mobile 0
!
!
!
!
!
!
! Remote LANs are routed into the tunnels; everything else uses the WAN gateway.
ip route 192.168.20.0/24 tunnel 1
ip route 192.168.30.0/24 tunnel 2
ip route 0.0.0.0/0 10.10.10.2
!
! Inbound WAN filter: only IKE (UDP 500) and IP protocol 50 (ESP) addressed to
! 10.10.10.1 are permitted. "udp 500 500" presumably fixes both source and
! destination port, and UDP 4500 is not permitted, so a peer behind NAT that
! needs NAT traversal would be dropped by this list - confirm for NXR_C.
ip access-list eth1_in permit any 10.10.10.1 udp 500 500
ip access-list eth1_in permit any 10.10.10.1 50
!
! IPsec selectors: host-to-host between the tunnel source and each tunnel
! destination, so only tunnel-encapsulated traffic matches these policies.
ipsec access-list NXR_B ip 192.168.10.1/32 192.168.20.1/32
ipsec access-list NXR_C ip 192.168.10.1/32 192.168.30.1/32
!
!
!
end