!
! Century Systems NXR-530 config: two route-based IPsec tunnels to Oracle Cloud (OCI),
! BGP over both tunnels, NAT for the LAN on ethernet 1. Restored to one statement per
! line from a collapsed paste; the split follows the NXR "!"-separated stanza layout.
!
Century Systems NXR-530 Series ver 21.11.15 (build 4/15:09 10 09 2024)
!
hostname nxr530
! Management plane: Telnet is disabled, SSH and HTTP are enabled but refused on the WAN
! side for both address families, and both REST listeners are off. The remaining HTTP
! management is plaintext on the LAN side; prefer an HTTPS-only listener if this
! platform offers one (not shown here).
no telnet-server enable
telnet-server ip forbidden-access-wan
telnet-server ipv6 forbidden-access-wan
ssh-server enable
ssh-server ip forbidden-access-wan
ssh-server ipv6 forbidden-access-wan
http-server enable
http-server ip forbidden-access-wan
http-server ipv6 forbidden-access-wan
no rest http enable
no rest https enable
!
!
!
!
!
ipv6 forwarding
fast-forwarding enable
!
!
!
!
!
ipsec priority-ignore enable
!
! L2TP source port setting only; no L2TP tunnel is defined in the visible config.
l2tp udp source-port 40001
!
!
! Local IKE identity for both tunnels — "address ip" presumably means the address of
! the interface this policy is bound to (ethernet 1 via "ipsec policy 1" below); confirm.
ipsec local policy 1
 address ip
!
!
! IKEv1 phase 1 for tunnel 1: main mode with a pre-shared key, AES-256 / SHA-384 /
! DH group 20 (ECP-384), SA lifetime 28800 s. "keepalive 10 3 periodic" is presumably
! DPD every 10 s with 3 retries. The key strings IPsecKEY1 / IPsecKEY2 are sample values;
! a deployment needs a long, random, per-tunnel secret, and this file then holds it in
! clear text and must be handled accordingly.
ipsec isakmp policy 1
 description OCI-IPsecTunnel1
 authentication pre-share IPsecKEY1
 keepalive 10 3 periodic
 hash sha384
 encryption aes256
 group 20
 lifetime 28800
 isakmp-mode main
 remote address ip 192.0.2.1
 local policy 1
!
! Phase 1 for tunnel 2: identical parameters, second OCI headend, separate PSK.
ipsec isakmp policy 2
 description OCI-IPsecTunnel2
 authentication pre-share IPsecKEY2
 keepalive 10 3 periodic
 hash sha384
 encryption aes256
 group 20
 lifetime 28800
 isakmp-mode main
 remote address ip 192.0.2.2
 local policy 1
!
!
! Phase 2 for tunnel 1: ESP AES-256 with HMAC-SHA-256. PFS uses group5 (1536-bit MODP),
! which is weaker than the group 20 negotiated in phase 1 — prefer a matching or
! stronger PFS group if the OCI side accepts it. The IPsec_ACL selector is any/any, so
! what actually enters the tunnel is decided by routing (BGP below), not by this policy.
ipsec tunnel policy 1
 description OCI-IPsecTunnel1
 set transform esp-aes256 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 1
 match address IPsec_ACL
!
! Phase 2 for tunnel 2: same transform and selector, bound to isakmp policy 2.
ipsec tunnel policy 2
 description OCI-IPsecTunnel2
 set transform esp-aes256 esp-sha256-hmac
 set pfs group5
 set key-exchange isakmp 2
 match address IPsec_ACL
!
!
! Route-based tunnel interfaces: /30 inside addresses (BGP peers are the other side of
! each /30), MSS clamping and pre-fragmentation to cope with the IPsec overhead.
interface tunnel 1
 description OCI-IPsecTunnel1
 ip address 172.16.10.1/30
 ip tcp adjust-mss auto
 tunnel mode ipsec ipv4
 tunnel pre-fragment
 tunnel protection ipsec policy 1
!
interface tunnel 2
 description OCI-IPsecTunnel2
 ip address 172.16.10.5/30
 ip tcp adjust-mss auto
 tunnel mode ipsec ipv4
 tunnel pre-fragment
 tunnel protection ipsec policy 2
!
! LAN side.
interface ethernet 0
 ip address 192.168.10.1/24
!
! WAN side: inbound ACL eth1_IN (defined below) admits only IKE and ESP from the two OCI
! headends; "ip spi-filter" adds stateful filtering for return traffic; "ip masquerade"
! NATs the LAN behind the public address. The public address sits directly on this
! interface, which is why no NAT-T (UDP 4500) rule is needed. Whether eth1_IN ends in an
! implicit deny is platform behaviour not shown here — confirm before relying on it.
interface ethernet 1
 ip address 203.0.113.1/30
 ip tcp adjust-mss auto
 ip access-group in eth1_IN
 ip masquerade
 ip spi-filter
 ipsec policy 1
!
interface ethernet 2
 no ip address
!
! BGP with Oracle (AS 31898) over both tunnels. Tunnel 1 is preferred in both directions
! (inbound local-preference 200 vs 150, outbound MED 10 vs 20) so traffic stays
! symmetric; 10/30 s timers give fast failover. Only the LAN prefix is advertised.
! No BGP session authentication is configured here.
router bgp 65000
 network 192.168.10.0/24
 neighbor 172.16.10.2 remote-as 31898
 neighbor 172.16.10.2 timers 10 30
 neighbor 172.16.10.2 route-map LOCAL-PREF200 in
 neighbor 172.16.10.2 route-map MED10 out
 neighbor 172.16.10.6 remote-as 31898
 neighbor 172.16.10.6 timers 10 30
 neighbor 172.16.10.6 route-map LOCAL-PREF150 in
 neighbor 172.16.10.6 route-map MED20 out
!
! Local DNS service with two upstream resolvers. Its WAN exposure is governed only by
! eth1_IN (which permits just IKE/ESP), not by a forbidden-access-wan knob — confirm.
dns
 service enable
 address 203.0.113.253
 address 203.0.113.254
!
!
! Logging is local to the device only, so IKE and BGP state changes are lost on reboot;
! forward to a central collector if the platform supports remote syslog.
syslog
 local enable
exit-syslog
!
!
!
system led ext 0 signal-level mobile 0
!
!
!
!
!
!
!
! Low-priority (distance 254) blackhole for 10.0.0.0/24 — presumably the remote OCI VCN
! prefix learned via BGP. If both BGP sessions drop, traffic for that prefix is discarded
! instead of leaking out the default route in clear text. Default route via the ISP gateway.
ip route 10.0.0.0/24 null 254
ip route 0.0.0.0/0 203.0.113.2
!
!
!
! WAN inbound ACL: IKE (UDP 500) and ESP (protocol 50) from each OCI headend to the
! router's public address only.
ip access-list eth1_IN permit 192.0.2.1 203.0.113.1 udp 500 500
ip access-list eth1_IN permit 192.0.2.1 203.0.113.1 50
ip access-list eth1_IN permit 192.0.2.2 203.0.113.1 udp 500 500
ip access-list eth1_IN permit 192.0.2.2 203.0.113.1 50
!
! Any/any traffic selector for the route-based tunnels (see tunnel policies above).
ipsec access-list IPsec_ACL ip any any
!
!
! Route-maps referenced by the BGP neighbors: inbound local-preference and outbound MED.
route-map LOCAL-PREF150 permit 1
 set local-preference 150
!
route-map LOCAL-PREF200 permit 1
 set local-preference 200
!
route-map MED10 permit 1
 set metric 10
!
route-map MED20 permit 1
 set metric 20
!
!
end