!
! Century Systems NXR-650 Series ver 21.11.2D (build 12/13:21 22 12 2022)
!
hostname NXR_A
telnet-server enable
http-server enable
no rest http enable
no rest https enable
!
!
!
!
!
ipv6 forwarding
fast-forwarding enable
!
!
!
!
!
!
l2tp udp source-port 40001
!
l2tpv3 hostname NXRA
l2tpv3 router-id 192.168.10.1
l2tpv3 path-mtu-discovery enable
l2tpv3 fast-forwarding enable
!
ipsec local policy 1
 address ip
!
!
ipsec isakmp policy 1
 description NXR_B
 authentication pre-share IPsecKEY1
 hash sha256
 encryption aes128
 group 5
 lifetime 86400
 isakmp-mode main
 remote address ip 192.0.2.1
 local policy 1
!
ipsec isakmp policy 2
 description NXR_C
 authentication pre-share IPsecKEY2
 keepalive 30 3 periodic clear
 hash sha256
 encryption aes128
 group 5
 lifetime 86400
 isakmp-mode aggressive
 remote address ip any
 remote identity fqdn NXRC
 local policy 1
!
!
ipsec tunnel policy 1
 description NXR_B
 set transform esp-aes128 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 1
 set sa lifetime 28800
 match address IPsec_ACL1
!
ipsec tunnel policy 2
 description NXR_C
 negotiation-mode responder
 set transform esp-aes128 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 2
 set sa lifetime 28800
 match address IPsec_ACL2
!
!
l2tpv3 tunnel 1
 description NXR_B
 tunnel address 192.0.2.1
 tunnel hostname NXRB
 tunnel router-id 192.168.10.2
!
l2tpv3 tunnel 2
 description NXR_C
 tunnel hostname NXRC
 tunnel router-id 192.168.10.3
!
l2tpv3 xconnect 1
 description NXR_B
 tunnel 1
 xconnect ethernet 0
 xconnect end-id 1
 retry-interval 30
 ip tcp adjust-mss auto
!
l2tpv3 xconnect 2
 description NXR_C
 tunnel 2
 xconnect ethernet 0
 xconnect end-id 1
 ip tcp adjust-mss auto
!
interface ethernet 0
 ip address 192.168.10.1/24
!
interface ethernet 1
 ip address 203.0.113.1/30
 ip tcp adjust-mss auto
 ip access-group in eth1_IN
 ip access-group out eth1_OUT
 ip masquerade
 ip spi-filter
 ipsec policy 1
!
interface ethernet 2
 no ip address
!
dns
 service enable
 address 203.0.113.253
 address 203.0.113.254
!
!
syslog
 local enable
exit-syslog
!
!
!
system led
 ext 0 signal-level mobile 0
!
!
!
!
!
!
!
ip route 0.0.0.0/0 203.0.113.2
!
!
!
ip access-list eth1_IN permit any 203.0.113.1 udp 500 500
ip access-list eth1_IN permit any 203.0.113.1 50
ip access-list eth1_OUT deny 203.0.113.1 192.0.2.1 115
!
ipsec access-list IPsec_ACL1 ip host host
ipsec access-list IPsec_ACL2 ip host host
!
!
!
end