!
!
Century Systems NXR-G240 Series ver 9.4.1 (build 4/12:07 02 11 2017)
!
DIP-SW : 1:off 2:off 3:off 4:off
!
hostname NXR_B
telnet-server enable
http-server enable
!
!
system power-management mode balance
!
!
!
ipv6 forwarding
fast-forwarding enable
!
!
!
!
ppp account username test2@example.jp password test2pass
!
!
l2tp udp source-port 40001
!
!
ipsec local policy 1
 address ip
 self-identity fqdn nxrb
!
!
ipsec isakmp policy 1
 description NXR_A
 authentication pre-share ipseckey
 hash sha256
 encryption aes128
 group 5
 isakmp-mode aggressive
 remote address ip 10.10.10.1
 local policy 1
!
!
ipsec tunnel policy 1
 description NXR_A
 set transform esp-aes128 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 1
 match address ipsec_acl
!
!
interface tunnel 1
 no ip address
 ip tcp adjust-mss auto
 ip dns-intercept 0
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy 1
!
interface ppp 0
 ip address negotiated
 ip send-source
 ip tcp adjust-mss auto
 ip access-group in ppp0_in
 ip access-group forward-out ppp0_forward-out
 ip dns-intercept 0
 ip masquerade
 ip spi-filter
 ppp username test2@example.jp
 ipsec policy 1
!
interface ethernet 0
 ip address 192.168.20.1/24
 ip policy route-map pbr
 classify input route-map intercept
!
interface ethernet 1
 no ip address
 pppoe-client ppp 0
!
interface ethernet 2
 no ip address
!
dns
 service enable
 address 10.10.30.1
 timeout 5
!
dns-intercept 0
 address 10.10.30.1
 match ip setname DNSI
!
!
syslog
 local enable
exit-syslog
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0/0 tunnel 1
ip route 0.0.0.0/0 ppp 0 10
ip route 0.0.0.0/0 null 254
!
!
ip dns-intercept setname DNSI file
!
ip access-list ppp0_forward-out deny 192.168.20.0/24 192.168.10.0/24
ip access-list ppp0_in permit 10.10.10.1 any udp 500 500
ip access-list ppp0_in permit 10.10.10.1 any 50
!
ipsec access-list ipsec_acl ip any any
!
!
class access-list dnsi_acl ip any dns-set DNSI tcp any 22
class access-list dnsi_acl ip any dns-set DNSI tcp any 80
class access-list dnsi_acl ip any dns-set DNSI tcp any 443
!
route-map intercept permit 1
 match ip address dnsi_acl
 set mark 1
!
route-map pbr permit 1
 match ip mark 1
 set interface ppp 0
!
!
end